[Security-fyi] Security advisory on virus/worm outbreak
daemon@ATHENA.MIT.EDU (Tim McGovern)
Tue Jan 27 23:01:39 2004
Message-ID: <40172D9B.231A348A@mit.edu>
Date: Tue, 27 Jan 2004 22:33:47 -0500
From: Tim McGovern <tjm@MIT.EDU>
MIME-Version: 1.0
To: itpartners@MIT.EDU, security-fyi@MIT.EDU
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: netusers@MIT.EDU
cc: rccsuper@MIT.EDU
cc: is&t-lt@MIT.EDU
cc: cfyi@MIT.EDU
cc: client-security@MIT.EDU
cc: support-strategy@MIT.EDU
Errors-To: security-fyi-bounces@MIT.EDU
Colleagues,
Please be aware of the following security event, and see below for
further details:
========================================================================
Date: January 27, 2004
Advisory: Mydoom or Novarg worm
Vulnerable systems: Microsoft windows machines only
Impact: Falsifies outgoing email and leaves machine
susceptible to future intrusion.
Actions to Take:
1. Update Anti-Virus software
2. Use extreme caution when opening email attachments
3. If applicable, shut down KaZaA file-sharing software
========================================================================
As you may have seen reported in the press earlier today
http://www.boston.com/business/technology/
there are several new and potentially dangerous virus outbreaks
underway on the Internet against Microsoft Windows machines, and they
will likely have some impact at MIT. While these attacks have been
operating for several days, it will take several more days before we
have a full understanding of the nature of the attacks, and whether
the defensive measures that we have already implemented will be
sufficient.
HOW DOES IT WORK
----------------------
Our understanding so far is that the most dangerous of these viruses,
the Mydoom or Novarg worm, spreads itself from computer to computer
in two ways, either by mass mailing itself to addresses that it finds
in the local address book of the infected computer, or by directly
inserting itself into the Shared folder of a machine running the
KaZaA peer-to-peer filesharing software. Besides sending out mass
e-mail, the worm also opens up a backdoor inside the machine so that
someone can take over the computer later.
PROTECT YOURSELF
----------------------
Email Attachments
----------------------
Not opening attachments -- no matter how natural that is to do -- is
the best way to reduce the risk of infection. Thus we caution you
against opening any attachments unless they are expected, and then
only when your anti-virus protections are in place (see below).
Unfortunately, even opening attachments that appear to be from a
known source will not always protect you, since it is easy to "forge"
the sender's name in e-mail.
(While MIT continues to block "executable" attachments at the central
mail hubs, the Mydoom virus can be carried in other types of
attachments, including .zip files -- a common compressed file
type -- which are not blocked. For more on our current approaches to
e-mail attachment blocking, please see
http://web.mit.edu/services/mail/attachments.html )
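The paragraph above explains why extension-based blocking at the mail hub is not enough: an executable can travel inside a .zip attachment that the hub passes through. The following script is an added example (not part of this advisory, nor MIT's actual hub configuration) of the extra check a mail gateway or desktop filter would need: it parses a MIME message, lists its attachments, and looks inside any zip archive for members with executable extensions. The extension list and the sample message are assumptions constructed for the example.

```python
"""Flag attachments that carry executable content, including executables
packed inside .zip archives that simple extension blocking lets through.
Added example, not the advisory's own tooling."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a hub would normally block outright (assumed list, not a
# statement of any real site's policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com"}


def _is_executable_name(name: str) -> bool:
    """True when the file name ends in one of the blocked extensions."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTS)


def find_risky_attachments(raw_message: bytes) -> list:
    """Return one finding string per attachment that should be quarantined."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if _is_executable_name(name):
            findings.append(f"{name}: executable attachment")
            continue
        # Check by name and by magic bytes so a renamed archive is still inspected.
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _is_executable_name(member):
                            findings.append(
                                f"{name}: archive contains executable {member}"
                            )
            except zipfile.BadZipFile:
                # An attachment that claims to be a zip but will not parse is
                # suspicious in its own right; flag it rather than pass it.
                findings.append(f"{name}: unreadable zip archive")
    return findings


def build_sample_message(member_name: str = "document.exe") -> bytes:
    """Constructed sample message: a zip attachment holding one inert entry.
    The entry is plain text, not a program; only its name matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"inert sample content")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("See attached.")
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip",
        filename="document.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_risky_attachments(build_sample_message()):
        print(finding)
```

The archive inspection is deliberately shallow (one level, names only); a production filter would also recurse into nested archives and apply the same check to other container formats the hub allows.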
----------------------
Anti-Virus Software
----------------------
In conjunction with being careful with attachments, you should make
sure that your anti-virus software is installed and configured
properly (our recommended anti-virus solution is McAfee's). We
strongly encourage choosing the automatic DAILY update option for
virus definition files.
McAfee has released anti-virus definitions file version 4319, which
will identify any incoming Mydoom messages, and you can direct these
messages to your trash. Obtain the latest McAfee / Network Associates
virus definitions (version 4319 or higher) from:
http://www.networkassociates.com/us/downloads/updates/
----------------------
KaZaA
----------------------
In order for the second infection method to succeed, you would need
to be running the KaZaA file-sharing software. To reduce the risk of
being infected in this manner, shut off the KaZaA software
completely, and scan your machine for infection with anti-virus tools
(above).
GET HELP
----------------------
We do not yet have tools that can reliably clean up machines infected
with this new virus. If your machine becomes infected, it is likely
not reliable to use, and may require a format, re-install, and restore
from pre-infection backups of the computer before it is again
reliable for your use.
If you should have any questions about this advisory or need help
with anti-virus software, please contact the Computing Help Desk at
x3-1101, or by sending e-mail to <computing-help@mit.edu>.
Tim McGovern
Information Services & Technology
Client Security Services
_______________________________________________
Security-fyi mailing list
Security-fyi@mit.edu
http://mailman.mit.edu/mailman/listinfo/security-fyi