
Virus and Operating System Updates

 

Virus Information

New Version of MyDoom Worm Discovered

Anti-virus companies are reporting a worm that spreads via a new vulnerability in Internet Explorer.

The vulnerability is not present in Internet Explorer on Windows XP Service Pack 2, but it is present in all earlier versions of Internet Explorer 6, and at the time of this writing no patch was available. It involves a buffer overflow triggered by an IFRAME or EMBED tag that carries an oversized SRC or NAME attribute.

The worm, known as MyDoom.ag in McAfee's naming, does not carry a file attachment the way most mail worms do. Instead, it installs a Web server on TCP port 1639 of the infected system, and the e-mails it sends out to spread itself contain a link to that server on the infected computer.

The page served when a user clicks the link, which takes the form http://aaa.bbb.ccc.ddd:1639/webcam.htm (where aaa.bbb.ccc.ddd is the IP address of the infected computer), triggers the Internet Explorer vulnerability. The worm then takes over, downloading more files and spreading itself.

Because the link carries the infected machine's own IP address, users behind a NAT device cannot effectively spread the worm: the private address in the link is not reachable from the Internet. Indeed, Ken Dunham, director of malicious code at iDefense Inc., said, "Home and SOHO users without sufficient perimeter defenses are most likely to be victimized."

Most other anti-virus vendors also classify the new worm as a MyDoom variant, although Sophos plc calls it Bofra-A. Vendors generally rate it a low threat because it has not been seen in the wild, but some have raised the rating because of the new techniques and the absence of a patch for the vulnerability.
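As an added example, not code from the original page or from any anti-virus vendor, the following Python script shows two checks that a mail gateway or help desk could run against the indicators described above. It pulls http://IP:1639/webcam.htm links out of a message body and reports whether the embedded address is actually reachable from the Internet (a private address means the sender sits behind NAT and the link is dead, which is the point made above), and it scans a fetched page for IFRAME or EMBED tags whose SRC or NAME attribute is far longer than any legitimate value. The sample message, the sample page, the IP addresses and the 256-character length threshold are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Link form described above: http://<dotted IPv4>:1639/webcam.htm
MYDOOM_AG_LINK = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3}):1639/webcam\.htm", re.IGNORECASE
)

# Assumed threshold: no legitimate SRC/NAME attribute is anywhere near this long.
OVERSIZED_ATTR = 256


def internet_reachable(ip):
    """A host behind NAT advertises a private address; nobody outside can connect to it."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved)


def find_mydoom_links(body):
    """Return (url, ip, reachable) for every MyDoom.ag-style link in a mail body."""
    hits = []
    for m in MYDOOM_AG_LINK.finditer(body):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        hits.append((m.group(0), str(ip), internet_reachable(ip)))
    return hits


class OversizedTagFinder(HTMLParser):
    """Collects IFRAME/EMBED tags whose SRC or NAME attribute exceeds the limit."""

    def __init__(self, limit):
        super().__init__()
        self.limit = limit
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "embed"):
            return
        for name, value in attrs:  # HTMLParser lower-cases tag and attribute names
            if name in ("src", "name") and value is not None and len(value) > self.limit:
                self.hits.append((tag, name, len(value)))


def find_oversized_tags(html, limit=OVERSIZED_ATTR):
    """Return (tag, attribute, length) for each oversized IFRAME/EMBED attribute."""
    parser = OversizedTagFinder(limit)
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed samples: one private (NAT) address, one routable address.
SAMPLE_MAIL = (
    "hey, look at this\n"
    "http://10.0.0.5:1639/webcam.htm\n"
    "or maybe http://1.2.3.4:1639/webcam.htm\n"
)
SAMPLE_PAGE = (
    '<html><body><iframe src="' + "A" * 4000 + '"></iframe>'
    '<embed name="cam" src="cam.swf"></body></html>'
)

if __name__ == "__main__":
    for url, ip, reachable in find_mydoom_links(SAMPLE_MAIL):
        print(url, "reachable" if reachable else "behind NAT, link is dead")
    for tag, attr, length in find_oversized_tags(SAMPLE_PAGE):
        print(f"<{tag} {attr}=...> with {length}-byte attribute: possible exploit attempt")
```

The length check is deliberately crude: it flags any IFRAME or EMBED whose SRC or NAME attribute is implausibly long, which is the trigger condition described above, without trying to decide whether the payload would actually work.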

 

New Vulnerability found in Microsoft Software
A new security vulnerability has been discovered in several Microsoft products in the way JPEG images are processed. A specially crafted image could cause a buffer overrun that would allow an attacker to view, change or delete data on your computer. This one has the potential to cause a lot of trouble, so we recommend that you get patched as soon as possible. Patches are available, but it is important to know that you will need to install the update for every affected product on your computer, not just for Windows itself. You can download the updates for your software from Microsoft.

 

New Bagle Virus Poses Threat

What is it?

W32/Bagle.az@MM is a Medium Risk mass-mailing worm that installs a Remote Access component that can provide hackers access to your computer. Carried inside an email attachment, the virus spreads by emailing itself to e-mail addresses found on your computer and copies itself to folders used by popular file-sharing programs such as KaZaa, Bearshare and Limewire. Like its predecessors, it also tries to terminate anti-virus and other security software protection.

What should I look for?

  • FROM: Varies (spoofed)
  • SUBJECT: Re:, Re: Hello, Re: Thank you!, Re: Thanks :), Re: Hi
  • BODY: :), :))
  • ATTACHMENT: Price, price, Joke (with an extension of .exe, .scr, .com or .cpl)

How do I know if I've been infected?

TCP port 81 is open (listening) on the computer, and the computer sends outgoing messages with the body content and attachments noted above.

What can I do to prevent or fix an infection?

Make sure your anti-virus software's virus definitions are up to date, and do not open, but immediately delete, any e-mail message matching the description above.

 

Microsoft Releases Security Analyzer
In response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems and will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS), SQL Server, Internet Explorer, and Office. MBSA 1.2 will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, Internet Explorer, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server, and Office.

 

Updated MyDoom and DoomJuice Detection and Cleanup Tool
If your machine seems to be acting funny or slow, you might want to make sure it is not infected with the MyDoom virus. If you know that you are infected, then get it fixed! Microsoft has a FREE MyDoom detection and cleanup tool for you. Check it out at: http://www.microsoft.com/security/incident/mydoom.mspx

 

The Sasser Worm

The "Sasser" worm can infect a computer even if no one is using it. Infected computers might display error messages and try to repeatedly reboot themselves. Here are instructions to follow if you suspect that your computer contains the worm:

  1. Disconnect your computer from the Internet.
  2. Locate and stop the worm's actions: Press the keys "Ctrl" "Alt" and "Del" at the same time. That should launch Windows Task Manager. Click on the "Processes" tab. Look for a process called "avserve.exe" or "*_up.exe". If one of these appears, highlight it and click on the "End Process" button. Click "yes" when it asks for confirmation.
  3. Find and delete the worm: Click on the "Start" button in the bottom-left corner of your screen, then choose "Search". Search your entire computer (in the field next to the "all files and folders" option) for the following files: "avserve.exe", and "*_up.exe". Delete any matching files.
  4. Enable a firewall: Right-click on the Internet connection icon in the bottom-right corner of your screen (or wherever the task bar is located). Click on "open network connections". When a box pops up, right-click on the connection you use to get online, and select "properties". Then, on the "Advanced" tab you should see a box underneath the words "Internet connection firewall". If that box is not checked, check it.
  5. Reconnect your computer to the Internet.
  6. Visit Microsoft's Windows Update site: go to windowsupdate.microsoft.com. Let the site scan your computer and apply any "critical" updates.
  7. Check to make sure your computer is disinfected: Visit Microsoft's Sasser page on its Web site and click on the button that reads "Check My PC for Infection". Follow the instructions provided.

If your computer continues to try to restart: Click on the "Start" button at the bottom-left corner of your screen, then choose "Run" from the list of options. Type "cmd.exe" (without the quotation marks). When a command prompt pops up, type in "shutdown -a" (again, without the quotation marks). That aborts the pending shutdown and gives you enough time to carry out steps two through four.

 

Here are other tools that can detect and remove Sasser:

 

Virus Prevention Tip: Perform Windows Update!

One of the best preventative measures you can take to avoid viruses is to patch vulnerabilities in your Windows operating system with Windows Update. The following instructions explain how to perform these updates manually or set your computer to download them automatically.

How to Perform Windows Update (manually)

Windows Update will update applications provided by Microsoft (O/S, Internet Explorer, Office, etc.).

 

Enable Automatic Updates

The Automatic Updates feature in Windows notifies you when critical updates are available for your computer.

· For Windows XP

  • Click " Start "
  • Click " Control Panel "
  • Click " System "
  • Click " Automatic Updates " tab
  • Check " Keep my computer up to date "
  • Choose one of the following settings
    • " Notify ..."
    • " Download... " (Recommended. Please apply the updates as soon as possible.)
    • " Automatically... "
  • You may need to reboot your machine.

 

· For Windows 2000 (Requires Service Pack 3 )

  • Click " Start "
  • Click " Settings "
  • Click " Control Panel "
  • Click " Automatic Updates "
  • Check " Keep my computer up to date "
  • Choose one of the following settings
    • " Notify ..."
    • " Download... " (Recommended. Please apply the updates as soon as possible.)
    • " Automatically... "
  • You may need to reboot your machine.

 

If you are not sure about Windows update, or for answers to specific questions, call Customer Care at 888-364-9000 or e-mail us at support@setel.com.

 

The Bagle (aka Beagle) Virus

A computer virus, disguised as an official-looking e-mail from SouthEast Telephone or other ISPs, is now circulating by e-mail in an attempt to wreak havoc on computer systems. The forged e-mail's subject line reads "Warning about your e-mail account", "Notify about your e-mail account utilization" or something similar. It is extremely important not to open the ZIP file attached to this e-mail, which contains the virus.

The e-mail that the several variants of the worm generate takes the following general form. The sender address is forged using the recipient's own domain so that the message appears to come from the network administrator, support or management, and it contains a message similar to:

Dear user of server 'SETEL.COM': Your e-mail account will be disabled because of improper use in the next three days. If you still wish to use it, please resign your account information. Pay attention to the attached file protected with a password for security reasons. Password is 27145.

Sincerely,

The SETEL.COM team.

The creators of newer variants of the Bagle virus improved on the infected ZIP attachment by protecting it with a password, which prevents some anti-virus scanners from examining its contents. The newer variants open a backdoor on TCP port 2745 and use their own SMTP engine to spread through e-mail. Each infected machine then reports its IP address and the port on which the backdoor listens back to the attacker. Finally, the worm attempts to spread through file-sharing networks such as Kazaa and iMesh by dropping itself into folders whose names contain "shar".
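Added example, not code from this page: three listening ports are named on this page as infection indicators, TCP 1639 for the MyDoom.ag web server, TCP 81 for the Bagle.az remote-access component and TCP 2745 for the newer Bagle backdoor just described. This Python snippet parses the output of the Windows command netstat -ano (the sample output below is constructed) and reports which of those ports is listening and under which process ID, so that a technician can have a caller paste the netstat output instead of interpreting it over the phone. The worm descriptions in the table are taken from this page; the PID column is whatever netstat -o prints.

```python
import re
import subprocess

# Listening ports this page names as infection indicators, with the worm each belongs to.
INDICATOR_PORTS = {
    1639: "MyDoom.ag (Bofra-A) web server",
    81: "W32/Bagle.az@MM remote-access component",
    2745: "Bagle, newer variants: backdoor",
}

# One Windows netstat line in LISTENING state; the PID column is present with -o.
LISTEN_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+LISTENING(?:\s+(?P<pid>\d+))?\s*$",
    re.IGNORECASE,
)


def listening_ports(netstat_text):
    """Map each listening TCP port to its PID (None when netstat was run without -o)."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_LINE.match(line)
        if not m:
            continue
        # rsplit copes with IPv6 locals such as [::]:135 as well as 0.0.0.0:135
        port = int(m.group("local").rsplit(":", 1)[1])
        ports[port] = int(m.group("pid")) if m.group("pid") else None
    return ports


def worm_indicators(netstat_text):
    """Return (port, description, pid) for every indicator port that is listening."""
    found = listening_ports(netstat_text)
    return [(p, INDICATOR_PORTS[p], found[p]) for p in sorted(INDICATOR_PORTS) if p in found]


def scan_local_system():
    """Run netstat on this machine (Windows: netstat -ano) and check its output."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=False).stdout
    return worm_indicators(out)


# Constructed sample: a machine with the MyDoom.ag server and a Bagle backdoor,
# both owned by the same process, plus ordinary Windows listeners.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:1639      0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:3389      10.0.0.7:51234         ESTABLISHED     1188
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for port, what, pid in worm_indicators(SAMPLE_NETSTAT):
        print(f"TCP {port} is listening (PID {pid}): {what}")
```

A listener on one of these ports is a strong hint, not proof: a legitimate program can use port 81, so the next step is to look up the reported PID in Task Manager (as the Sasser instructions above do for avserve.exe) and confirm what binary owns it.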

SouthEast Telephone continues to provide virus protection on its e-mail server and keeps virus definitions as updated as possible. New viruses appear on a daily basis and we are working hard to identify and neutralize those as quickly as possible. However, we strongly recommend that you install anti-virus software on your computer and keep the virus definitions updated. For more information and virus removal tools, visit the Symantec Website.

We would like to remind all e-mail users that under no circumstance would we send any e-mail from a company address such as Support or Admin requesting that you open a file attachment.
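Added example, not code from this page or from SouthEast Telephone: a small triage routine in Python that applies the indicators from the Bagle.az section above (the "Re:" subject lines, the smiley bodies, the .exe/.scr/.com/.cpl attachment names) together with the traits described in this section: the forged account-warning lure, the password quoted in the body and a ZIP attachment whose entries are flagged as encrypted. The ZIP check reads only the archive's central directory (flag bit 0 of an entry marks it as encrypted), which is exactly what a gateway scanner can still see when it cannot open the contents. Both sample messages are constructed, and the hypothetical _fake_encrypted_zip helper only sets that flag bit and performs no real encryption.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted on this page.
BAGLE_AZ_SUBJECTS = {"re:", "re: hello", "re: thank you!", "re: thanks :)", "re: hi"}
BAGLE_AZ_BODIES = {":)", ":))"}
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".cpl")
ACCOUNT_LURE = re.compile(r"(warning|notify) about your e-?mail account", re.IGNORECASE)
PASSWORD_IN_BODY = re.compile(r"\bpassword is\s+(\w+)", re.IGNORECASE)


def inspect_zip(data):
    """Return (entry names, any_encrypted) from the ZIP central directory alone.
    Flag bit 0 marks an encrypted entry: a scanner can list it but not look inside."""
    names, encrypted = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            names.append(info.filename)
            encrypted = encrypted or bool(info.flag_bits & 0x1)
    return names, encrypted


def triage(raw_message):
    """Return the reasons a raw RFC 822 message matches the Bagle traits on this page."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""

    if subject.lower() in BAGLE_AZ_SUBJECTS and body in BAGLE_AZ_BODIES:
        reasons.append("Bagle.az subject/body pattern")
    if ACCOUNT_LURE.search(subject) or ACCOUNT_LURE.search(body):
        reasons.append("forged 'account warning' lure")
    password = PASSWORD_IN_BODY.search(body)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment {name}")
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                entries, encrypted = inspect_zip(payload)
            except zipfile.BadZipFile:
                reasons.append(f"malformed ZIP attachment {name}")
                continue
            if encrypted:
                note = f"password-protected ZIP {name} (contents cannot be scanned)"
                if password:
                    note += f", password {password.group(1)} quoted in body"
                reasons.append(note)
            for entry in entries:
                if entry.lower().endswith(EXEC_EXTENSIONS):
                    reasons.append(f"executable {entry} inside ZIP {name}")
    return reasons


def _fake_encrypted_zip(entry_name, content):
    """Hypothetical helper (constructed test data): flag the entry as encrypted
    without any real encryption, enough to exercise the flag check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, content)
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 0x1  # local file header: flags at +6
    data[data.find(b"PK\x01\x02") + 8] |= 0x1  # central directory entry: flags at +8
    return bytes(data)


def sample_account_warning_mail():
    """Constructed: forged account-warning lure with a password-protected ZIP."""
    msg = EmailMessage()
    msg["From"] = "support@setel.com"  # forged sender on the recipient's own domain
    msg["To"] = "user@setel.com"
    msg["Subject"] = "Warning about your e-mail account"
    msg.set_content("Dear user of server 'SETEL.COM': Your e-mail account will be disabled.\n"
                    "Pay attention to the attached file protected with a password.\n"
                    "Password is 27145.\n")
    msg.add_attachment(_fake_encrypted_zip("Price.exe", b"MZ constructed, not a program"),
                       maintype="application", subtype="zip", filename="info.zip")
    return msg.as_bytes()


def sample_bagle_az_mail():
    """Constructed: Bagle.az-style 'Re: Hello' message with a smiley body and bare .exe."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "user@setel.com"
    msg["Subject"] = "Re: Hello"
    msg.set_content(":)")
    msg.add_attachment(b"MZ constructed, not a program", maintype="application",
                       subtype="octet-stream", filename="price.exe")
    return msg.as_bytes()
```

Call triage(sample_account_warning_mail()) or triage(open("message.eml", "rb").read()) to get the list of matched reasons; an empty list means none of the traits on this page were found. Because the password is quoted in plain text in the body, a gateway that extracts it could also open the archive and scan the contents, which is the obvious next step once the encrypted flag is seen.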

 

Contact SouthEast Telephone Published: 02/26/2007