Latest Virus & Security Threats and Recommendations

The site provides useful information on the latest virus-related and security threats discovered, and the recommended solutions.

Disclaimer:
CITS does not assume responsibility for any advice or information given and is therefore not responsible for any damage caused by software on this page. All opinions presented herein should be weighed against your own circumstances. It is up to you to determine if the advice is suitable for your own situation.

IT Security Recommendations

Virus Alert - The new mass-mailer worm W32/VBMania@MM [McAfee] or W32/Visal.B [Microsoft] uses the social engineering technique called URL obfuscation to trick users into launching a malicious SCR file. It copies itself to local drives and network shares. To remove it, click McAfee Standalone Stinger VBMania virus cleaner.

Fraud email scams and phishing are a social engineering technique used to fool email users: a message pretends to be from a company or bank such as eBay, CITIBANK, OCBC etc. and asks the victims to enter their account details on a fake website, tricking them into thinking that they are logging in to the real website. Fraudsters steal identity and personal information to gain access to the victim's accounts or to commit crimes using the victim's persona.

What are the tell-tale signs and the tricks used in a scam? What are the tips to protect oneself? Read more in the advisory on spotting a scam from SINGCERT.

Software misconfiguration is one of the most common causes of security breaches. You can use the MBSA to detect common configuration errors on Windows 2000, XP, Server 2003, VISTA, Server 2008 or Windows 7, on either 32-bit or 64-bit machines, and to determine whether critical security updates are missing.

The tool also verifies password strength and the host-based firewall settings on the Windows OS. Download the MBSA 2.2 tool to assess your 32-bit computer's security health if any of the following software is installed:

  • Microsoft Windows 2000, XP, 2003, VISTA, 2008 and Windows 7
  • Microsoft Office XP, 2002, 2003 and 2007
  • Microsoft Exchange 2000, 2003 and 2007
  • Microsoft SQL Server 2000 SP4 and SQL Server 2005

For security assessment on a 64-bit machine, use the MBSA 2.2 [64bit] tool.

Read the detailed information on supported products and components, and the FAQ for information on its usage.

For the following legacy products, Microsoft has endorsed the vulnerability assessment tool from Shavlik. Download NetChksetup5.9.0.145.exe to assess vulnerabilities in the following installed software:

  • Microsoft ISA server 2000, ISA Server 2004
  • Microsoft FrontPage Server Extensions 2000/2002
  • Microsoft Visual Studio.Net 2002/2003
  • Microsoft Office 2000
  • Microsoft Exchange 5.0 and 5.5
  • Microsoft SQL Server 7.0 and SQL Server 2000 with Service Pack 3a (SP3a)
  • Microsoft Content Management Server 2001 and Content Management Server 2002
  • Outlook 2003 with Business Contact Manager
  • SharePoint Team Services 2002 (STS)
  • Windows SharePoint Services (WSS)

Have you turned on the Windows Firewall or ICF that comes with Windows XP, Vista & Windows 7 to protect against illegal intrusion from virus-infected computers or hackers? Read more for an understanding of the Windows host-based firewall and the need for anti-virus and anti-spyware software.

No anti-virus software to identify, thwart and eliminate computer viruses, spyware and other malicious software on your Windows XP/Vista or Windows 7? Download the Microsoft Security Essentials anti-virus or AVG Anti-Virus to protect your system.

How do you recognize and avoid spyware? Read the security tips to remain vigilant.

Click the web-based Trend Micro on-line scan to verify that your system is free from viruses, worms, Trojans and spyware.

Alternatively, use the Microsoft Windows Live safety scanner to perform a security scan and an on-demand PC health check.

Microsoft Malicious Software Remover-32bits & Malicious Software Remover-64bits (version 3.4 covers all known variants as of 10th Aug 2010)
Suspect that your PC has been infected? This Microsoft tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Windows XP/Me users should disable System Restore before use.

Alternatively, you may also download and run the McAfee Stinger to check your PC for viruses (version v10.1.0.1028 covers all known variants as of 9th Sep 2010).

Subscribe Now: get first-hand updates on Virus Alerts from CITS by e-mail. If you're running a Windows OS, you may wish to sign up for the Microsoft Security Update newsletter as well.

Windows Security Updates

Windows Security Update (2 Aug 2010) - Microsoft announced vulnerabilities that allow Remote Code Execution in:

  • Windows Shell, SChannel, XML Core Services, MPEG Layer-3 Codecs, IE, SMB Server, Cinepak Codec, Microsoft Office Word, .Net Common Language Runtime and Silverlight

and vulnerabilities that allow Elevation of Privilege in:

  • Windows Kernel, Kernel-mode drivers, Movie Maker, Office Excel, TCP/IP and Tracing Features for Services.

Affected Windows OS - Windows XP, 2003, VISTA, 2008 and Windows 7

Windows Security Update (31 Mar 2009) - A security watchdog has issued a warning to take precautions against a fast-mutating malicious computer program that will strike on Wednesday 1st April 2009. The Conficker or Downadup worm infects Microsoft Windows systems from a thumb drive, a network share or via the network if the computer does not have the Microsoft MS08-067 patch installed. Read the details from Microsoft.

Symptoms of an infected computer:

  • Access to security sites such as Microsoft, Symantec, McAfee and F-Secure is blocked.
  • Services such as Microsoft Windows Update, Windows Defender and Background Intelligent Transfer Service are disabled.
  • Accounts may be locked out.
  • The network may be flooded with connections.
  • Access to security-related sites is blocked; the Windows Update service and Windows Defender are disabled.
  • Traffic on port 445 to non-Directory Service hosts.
  • No access to Admin Shares.
  • Unusual file permissions on the System32 folder or directory, seen after running Dir /ah at the command prompt.

Who is at risk?

  • Those who have not installed the latest security updates from Microsoft and have no antivirus software.
  • If you have file-sharing turned on, the Conficker worm could allow remote code execution and take control of your computer for malicious purposes.

How to remove the Conficker worm?


Virus Discovered on Campus and Removal Instructions

Virus on Campus: Exploit-ANIfile.c (11th Apr 2007)

Risk Rating: High

Find out more from: McAfee or Trend

Details and Impact:

1. This Trojan may arrive via the Internet browser as a specially crafted animated cursor (.ANI) file.

2. It may also be downloaded via a specially crafted HTML email message.

3. It takes advantage of a vulnerability in the way Windows handles animated cursor (.ANI) files.

Removal Instructions:

1. Apply the patch to resolve the Windows MS07-017 vulnerability:

i. Windows XP with SP1 & SP2, click

or

ii. Windows 2000 with SP4, click

[Click for all other Windows vulnerability updates via IE]

2. Click to update the Enterprise McAfee VScan 8.0 signature, then detect and remove the Trojan.


Virus on Campus: IRC-Mocbot!MS06-040 (14th Aug 2006)

Risk Rating: High

Find out more from: McAfee or Trend

Details and Impact:

1. The worm looks for systems unpatched against the Windows MS06-040 vulnerability by port scanning TCP 139 (netbios) and 445 (microsoft-ds), thereby causing a Denial of Service attack.

2. The network-aware worm opens an IRC back door on the compromised computer and drops a file wgareg.exe or wgavm.exe in the WINDOWS SYSTEM directory.

3. It makes TCP 18067 connections to bbjj.househot.com or ypgw.wallloan.com.

Removal Instructions:

1. Apply the patch to resolve the Windows MS06-040 vulnerability:

i. Windows 2000 with SP4, click

or

ii. Windows XP with SP1 & SP2, click

[Click for a complete vulnerability scan of the Windows OS]

2. For detection of the worm, click to update the McAfee VScan 8.0 signature.

Virus on Campus: W32/Sober.p@MM (30th June 2006)

Risk Rating: Medium

Find out more from: McAfee or Trend

Details and Impact:

1. This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It extracts addresses from local files and uses them in the "From:" field, thereby creating a spoofed email message.

2. It uses social engineering techniques: the message is supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.

Removal Instructions:

1. Use the latest AV signature file: click to update McAfee VScan 8.0 or higher.

OR

2. Download the Symantec removal tool.


Virus on Campus: MS ASN1 Integer Overflow TCP (17th Mar 2006)

Risk Rating: High

Find out more from: McAfee or Norton

Details and Impact:

A critical vulnerability in Microsoft's ASN.1 library allows an attacker to overwrite heap memory with data, thus allowing the execution of arbitrary code. ASN.1 is an industry standard used in a variety of binary protocols, and as a result this flaw in Microsoft's implementation can be reached through a number of Windows applications and services.

Removal Instructions:

Patch the computer with the MS04-007 Security Update to block access via the exploit or backdoor.

MS04-007 WXP SP1

Important: Windows XP users must install Service Pack 2 (SP2), which comes with a host-based firewall, plus reputable anti-virus software.

i. Click WXP SP2 to install Service Pack 2, and

ii. Click updates for other newer patches.


Virus on Campus: W32/MyWife.d@MM!M24 (3rd Feb 2006)

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

W32/MyWife.d@MM!M24 is a mass-mailing virus. It has the ability to spread through open network shares, attempts to lower security settings and disable security software, and overwrites files on the third of every month. It harvests addresses from local files and then uses the harvested addresses to send itself. This produces a message with a spoofed "From" address.

Removal Instructions:

1. Use the latest AV signature file: click to update McAfee VScan 7.x or higher.

2. Download the Symantec removal tool.

Virus on Campus: W32/Sober@MM!M681 (24th Nov 2005)

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

W32/Sober@MM!M681 is a mass-mailing threat that contains its own SMTP engine to construct outgoing messages. It harvests addresses from local files and then uses the harvested addresses to send itself. This produces a message with a spoofed From address. The attachment arrives in the form of a .zip file that contains an executable file. A sample mail:

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important: Please answer our questions! The list of questions are attached.

Yours faithfully,

Steven Allison

*** Federal Bureau of Investigation -FBI-

Removal Instructions:

1. Use McAfee virus definition DAT 4635 and engine 4400 or higher for detection and removal. To update the virus signature/scan engine, select VirusScan 7.x.

or

2. Download the Stinger removal tool to a floppy disk and scan the infected system.

or

3. Download the vulnerability assessment and removal tool.


Virus on Campus: W32/IRCBot.worm (17th Aug 2005)

Risk Rating: High

Find out more from: McAfee or Norton

Details and Impact:

This Internet Relay Chat (IRC) bot worm will cause a continual reboot of an unpatched system with the MS05-039 vulnerability.

It has the ability to spread via the network by exploiting systems which are not yet patched for the MS05-039 vulnerability. Once a system is infected, this worm is designed to contact a remote IRC server and wait for further instructions.

Removal Instructions:

Disconnect your computer from the network.

  1. Apply the vulnerability patch.
  2. Download the Stinger removal tool to a floppy disk and scan the infected system.
  3. Once the worm has been removed, reboot and connect the computer to the local network.
  4. Apply the MS05-039 patch, selecting accordingly:

          i.  WinXP SP1 or SP2

          ii. Win 2000 SP4

          iii. Win 2003

  5. Update all OS vulnerabilities.
  6. Update McAfee VScan 7.x or higher.

Important: Windows XP/Me users should disable System Restore first before removing the infected files.


Virus on Campus: W32/Netsky.ag@MM worm and its variant (15th Oct 2004)

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

- Mass-mailing worm

- the From: address of messages is spoofed

- contains its own SMTP engine to construct outgoing messages

- harvests email addresses from the victim machine

- Network and P2P propagation: the worm copies itself to local folders containing the string "share" or "sharing", network shares and P2P shared folders

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

How do I know that I've been infected?
When run, the worm displays a message box with the warning

Removal Instructions:

1. Campus computers with McAfee Enterprise VScan 7.x or higher: click to update the VirusScan 7.x signature/engine to the latest.

2. Disconnect the network point.

3. Scan the computer with the latest virus signature/scan engine update.

4. Reboot and reconnect the network.

Windows XP users should disable System Restore first before removing the infected files.


Virus on Campus: W32/Bagle.az@mm worm and its variant (29th Sep 2004)

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

- Mass-mailing worm

- the From: address of messages is spoofed

- contains its own SMTP engine to construct outgoing messages

- harvests email addresses from the victim machine

- contains a remote access component: the infected computer listens on the network on TCP port 81 and a random UDP port

- copies itself to folders that have the phrase "shar" in the name (such as those of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

Removal Instructions:

McAfee anti-virus software is capable of detecting and removing the virus with the latest update.

1. Campus computers with McAfee Enterprise VScan 7.x: click to update the VirusScan 7.x signature/engine to the latest,

or

download the McAfee Stinger.

2. Disconnect the network point.

3. Scan the computer with the latest virus signature/scan engine update,

or

use the McAfee Stinger to scan the computer.

4. Reboot and reconnect the network.

Windows XP users should disable System Restore first before removing the infected files.


Virus on Campus: W32/Mydoom.y@mm worm and its variant (20th Sep 2004)

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

- mass-mailing worm constructing messages using its own SMTP engine

- harvests email addresses from the victim machine

- spoofs the From: address

- drops a downloader trojan and a keylogger trojan

- downloads BackDoor-CEB.d over HTTP

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

Sample virus-infected email:

Dear user xxxx@ntu.edu.sg,

We have found that your e-mail account was used to send a huge amount of spam messages during the recent week. Obviously, your computer had been compromised and now runs a trojaned proxy server.

We recommend that you follow the instruction in the attached file in order to keep your computer safe.

Virtually yours,

ntu.edu.sg technical support team.

Removal Instructions:

1. Disconnect the infected computer from the network.

2. Scan the computer with McAfee Stinger.

3. Update your anti-virus signature/scan engine to the latest. Perform another scan on your computer with the updated signature.

4. Reboot and reconnect the network.

Windows XP users should disable System Restore first before removing the infected files.


Virus on Campus: Exploit-MS04-028 / Bloodhound.Exploit.13 (17 Sep 2004)

Risk Rating: Critical according to Microsoft

Find out more from: McAfee or Norton

Note: Exploits of the OS or applications are potential backdoors used by hackers to gain access illegally to the system and to execute code planted in the system.

Details and Impact:

Buffer Overrun in JPEG Processing (GDI+) could allow Remote Code Execution.

Examples of code execution:

i. Spoofed & mass mailing

ii. Denial of Service attack on a host, web sites or network due to the large number of packets it sends

iii. Keylogger to steal passwords

iv. Port scanning on other hosts to propagate the infection

Affected Microsoft software:

i. WinXP SP1 or earlier (WinXP SP2 is not affected)

ii. Office 2002 & Office 2003

iii. IE SP1. Click for system requirements

iv. Microsoft .Net Framework v1 SP1

v. Microsoft .Net Framework v1

Removal Instructions:

Patch the computer with the MS04-028 Security Update to block access via the exploit or backdoor.

i. MS04-028 WXP SP1 & W2003

ii. MS04-028 Office XP2 & Off XP3

iii. MS04-028 IE SP1

iv. MS04-028 .Net Framework v1 SP1

v. MS04-028 .Net Framework v1


Virus on Campus: W32/Sdbot worm (24th Jul 2004)

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

Propagates via the network and spreads by exploiting the Microsoft OS vulnerabilities MS03-026, MS03-007 and MS04-011.

The worm scans random IP addresses and tries to connect to the "C$" and C shares. It uses the Administrator, Owner or Guest account to connect to the shares.

Please ensure that all user accounts have strong passwords. Unused accounts such as "guest" must be removed.

Remove all user-created network shares. Remove unused system shares such as c$, d$, ADMIN$, IPC$.

Removal Instructions:

1. Disconnect the infected computer from the network.

2. Scan the computer with McAfee Stinger.

3. Patch the computer with the Security Update downloaded on a CD for XP or W2K:

i. MS03-026 WinXP & W2k

ii. MS03-007 WinXP & W2k

iii. MS04-011 WinXP & W2k

4. Reboot and reconnect the computer to the network. Update the anti-virus signature/scan engine to the latest.

Windows XP users should disable System Restore first before removing the infected files.


Virus on Campus: W32/Sasser worm (6th May 2004)

Risk Rating: Critical

Find out more from: McAfee or Norton

Details and Impact:

Propagates via the network and spreads by exploiting a Microsoft OS vulnerability [MS04-011].

It will cause an infected computer to shut down.

The worm scans random IP addresses on destination port TCP 445. It listens on successive TCP ports starting at 1068, acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9995 or 9996.

Removal Instructions:

1. Disconnect the infected computer from the network.

2. Scan the computer with McAfee Stinger.

3. Patch the computer with the Security Update downloaded on a CD for XP or W2K:

i. MS03-026 WinXP & W2k

ii. MS03-007 WinXP & W2k

iii. MS04-011 WinXP & W2k

4. Reboot and reconnect the computer to the network. Update the anti-virus signature/scan engine to the latest.

Windows XP users should disable System Restore first before removing the infected files.


Virus on Campus: W32/Sober.f@mm (5th Apr 2004)

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

This is a mass-mailing worm that spreads by stealing email addresses from the infected computers, spoofing or forging the "From:" field.

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

Removal Instructions:

Use McAfee virus definition DAT 4347 files or higher for detection and removal. To update the virus signature/scan engine, select VirusScan 4.5.x or VirusScan 7.x and click Open. Check the anti-virus version.

or

Download and run the McAfee Stinger to check for or remove this virus from your PC.

or

Download the Symantec removal tool. Important: Windows XP/Me users should disable System Restore first before removing the infected files.


Virus on Campus: W32/SQLSlammer.worm (12 Mar 2004)

Risk Rating: Critical

Find out more from: McAfee or Norton

Details and Impact:

Worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, which is the SQL Server Resolution Service port. The worm has the unintended payload of performing a Denial of Service attack due to the large number of packets it sends.

Removal Instructions:

1. Download the vulnerability assessment and removal tool.

2. Once the virus is removed:

a. if running SQL 2000, download this service pack to patch your PC (Microsoft)

b. if running Microsoft Desktop Engine 2000, i.e. MSDE, download this service pack to patch your PC (Microsoft)


Virus on Campus: W32/Netsky@mm

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

This is a mass-mailing worm that copies itself to folders named "share" or "sharing" on an infected system and opens a backdoor on TCP port 6789. It spreads by stealing email addresses, spoofing or forging the "From:" field. The worm tries to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses on the host computer, and starts a DoS attack on a certain site.

Upon infection, W32/Netsky.e@MM will also spread via P2P programs like KaZaa, Bearshare and Limewire that use shared folder names containing the words "share" or "sharing".

Removal Instructions:

Download and run the McAfee Stinger to check for or remove this virus from your PC

or

Download the Symantec removal tool. Windows XP/Me users should disable System Restore first before running this tool.

Virus on Campus: W32.Beagle@mm

Risk Rating: Medium

Find out more from: McAfee or Norton

Details and Impact:

This is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. The virus also attempts to spread across file-sharing networks, such as Kazaa and iMesh, by dropping itself into directories that contain "shar" in their names.

The spoofed email's attachment can be a password-protected zip file, with the password included in the message body.

Removal Instructions:

Download and run the McAfee Stinger to check for or remove this virus from your PC

or

Download the Symantec removal tool. Windows XP/Me users should disable System Restore first before running this tool.
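The network indicators scattered through these advisories (the 376-byte UDP datagram to port 1434 from the SQLSlammer entry, the Sasser, Bagle, Netsky and Beagle listening ports, the IRC-Mocbot TCP 18067 connections to its two named hosts, and TCP 445 scanning) can be checked from a connection log. The following is an added example written for this page, not code from CITS or from any tool the advisories link to; it assumes a constructed one-line-per-connection log format and an assumed scan threshold of 20 hosts, both marked in the comments.

```python
"""Triage constructed connection-log lines against the indicators named in the
campus advisories. Assumed log format (constructed for this example):
"<PROTO> <src>:<sport> -> <dst>:<dport> [bytes=<n>]", one connection per line."""
import re
from collections import defaultdict

# Listening ports the advisories attribute to each worm; a connection *to* one
# of these ports implicates the destination host as the listener.
BACKDOOR_PORTS = {
    2745: "W32.Beagle@mm backdoor (TCP 2745)",
    6789: "W32/Netsky@mm backdoor (TCP 6789)",
    81: "W32/Bagle.az@mm remote access component (TCP 81)",  # confirm on host: 81 may be legitimate
    5554: "W32/Sasser FTP server (TCP 5554)",
    9995: "W32/Sasser remote shell (TCP 9995)",
    9996: "W32/Sasser remote shell (TCP 9996)",
}
MOCBOT_C2_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}  # IRC-Mocbot, TCP 18067
SLAMMER_PORT, SLAMMER_LEN = 1434, 376  # W32/SQLSlammer: 376-byte datagram to UDP 1434
SCAN_THRESHOLD = 20  # distinct hosts probed on TCP 445 by one source (assumed threshold)

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\w.-]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\w.-]+):(?P<dport>\d+)(?:\s+bytes=(?P<bytes>\d+))?\s*$"
)

def parse_line(line):
    """Return a record for a well-formed line, or None so callers can skip garbage."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"] or 0)}

def triage(lines):
    """Map each implicated host to the list of advisory indicators it matched."""
    findings = defaultdict(list)
    scan_targets = defaultdict(set)  # src -> distinct hosts it probed on TCP 445
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, never treated as benign traffic
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if rec["proto"] == "UDP" and dport == SLAMMER_PORT and rec["bytes"] == SLAMMER_LEN:
            findings[src].append("W32/SQLSlammer: 376-byte UDP datagram to port 1434")
        elif rec["proto"] == "TCP" and dport in BACKDOOR_PORTS:
            findings[dst].append(BACKDOOR_PORTS[dport])
        elif rec["proto"] == "TCP" and dport == 18067 and dst in MOCBOT_C2_HOSTS:
            findings[src].append(f"IRC-Mocbot: TCP 18067 connection to {dst}")
        elif rec["proto"] == "TCP" and dport == 445:
            scan_targets[src].add(dst)
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:  # Sasser/Sdbot-style MS04-011 scanning
            findings[src].append(f"TCP 445 scan: {len(targets)} distinct hosts probed")
    return dict(findings)

# Constructed sample log: one Slammer datagram, one Beagle backdoor connection,
# one Mocbot C2 connection, one junk line and a 25-host TCP 445 sweep from 10.1.2.9.
SAMPLE_LINES = [
    "UDP 10.1.2.3:1092 -> 10.1.7.9:1434 bytes=376",
    "TCP 172.16.5.5:3220 -> 10.1.2.50:2745 bytes=60",
    "TCP 10.1.2.77:1044 -> bbjj.househot.com:18067 bytes=120",
    "TCP 10.1.2.3:1093 -> 10.1.7.10:445",  # two hosts on 445 is below the scan threshold
    "TCP 10.1.2.3:1094 -> 10.1.7.11:445",
    "this line is not a connection record",
] + [f"TCP 10.1.2.9:{1500 + i} -> 10.1.9.{i + 1}:445" for i in range(25)]

if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE_LINES).items()):
        print(host, "->", "; ".join(hits))
```

Hosts flagged by a listening-port match are the destinations of the connection, since the advisories describe those ports as services the worm opens on the infected machine.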

 


Virus on Campus: Buffer Overrun In RPCSS Service for Windows XP, 2000, NT and 2003 (10 Sep 2003)

Risk Rating: Critical

Find out more from: Microsoft

Details and Impact:

Microsoft has issued a warning of a new critical security hole, called Buffer Overrun In RPCSS Service, in its Windows operating system. This affects Windows XP, 2000, NT and 2003 machines and could allow an attacker to gain control over a computer, delete data and install unwanted programs, similar to the attacks by the W32.Blaster.Worm and W32.Nachi / Welchia worms.

Removal Instructions:

Please do a Windows Update to patch this vulnerability.

Windows 95, 98 and ME are not affected by this vulnerability.