Arizona State University Information Technology: Computer Security

IT Security Alerts

May 19, 2006
Microsoft Word Warning
A new virus was discovered this morning that takes advantage of a flaw within Microsoft Word.

The exploit arrives as a Microsoft Word file attached to an email. When the document is opened, the vulnerability is triggered and drops a backdoor with rootkit functionality that hides it from anti-virus scanners. Microsoft Word then shuts down with errors. The exploit cleans the Microsoft Word document and shuts down. The user is then able to open the document on the second try, but the machine is now infected. These documents look very real and appear to come from internal sources.

  • Please do NOT open unexpected email attachments
  • McAfee appears to be picking up the vulnerable documents if heuristics are enabled
  • Have your updates configured to check every couple of hours for new versions of the virus definitions

Some links for reference:

February 23, 2006
Safari Warning
A new security vulnerability was found in the Apple Safari web browser that comes with Apple Mac OS X. The default configuration of Safari allows the program to automatically open ‘safe’ files after downloading. Because of this default configuration and issues with how Safari and Mac OS X determine which files are safe, Safari may execute arbitrary shell commands. An unauthenticated attacker could remotely execute arbitrary commands with the privileges of the user running Safari, resulting in complete control of the machine if the user is an administrator.

Unfortunately there is not a patch for this issue. However there is a workaround:

Disable the option to “open safe files after downloading”

  1. Open the Safari web browser.
  2. Go under the Safari menu to Preferences.
  3. Uncheck the Open “safe” files after downloading option. This will turn that option off.
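
The same workaround can be audited and applied from Terminal. The script below is an added example, not part of the original alert. It assumes the checkbox is stored as the boolean key `AutoOpenSafeDownloads` in the current user's `com.apple.Safari` preferences domain, and that the `defaults` tool can read that domain; the function names and the `DEFAULTS_CMD` override are illustrative.

```shell
#!/bin/sh
# Added example: audit and disable Safari's "Open safe files after downloading".
# Assumption: the checkbox is the boolean key AutoOpenSafeDownloads in the
# com.apple.Safari preferences domain of the user running this script.
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"   # overridable so the logic can be tested
DOMAIN="com.apple.Safari"
KEY="AutoOpenSafeDownloads"

# Prints "enabled" or "disabled".
# A missing key means the user never touched the setting, so Safari's
# default applies, and the default is to open "safe" files automatically.
safe_open_state() {
    value=$("$DEFAULTS_CMD" read "$DOMAIN" "$KEY" 2>/dev/null) || {
        echo enabled
        return 0
    }
    case "$value" in
        0|false|NO|no) echo disabled ;;
        *)             echo enabled ;;
    esac
}

# Reports the state; exit status 0 only when the workaround is in place.
audit_safe_open() {
    state=$(safe_open_state)
    echo "Safari auto-open of \"safe\" downloads: $state"
    [ "$state" = "disabled" ]
}

# Applies the workaround, then re-reads the key to confirm it took effect.
disable_safe_open() {
    "$DEFAULTS_CMD" write "$DOMAIN" "$KEY" -bool false || return 1
    [ "$(safe_open_state)" = "disabled" ]
}

# Usage: sh safari_safe_open.sh audit | fix   (no argument: define functions only)
case "${1:-}" in
    audit) audit_safe_open ;;
    fix)   disable_safe_open && audit_safe_open ;;
esac
```

The setting is per user, so run it once for each account on the machine, and restart Safari after `fix` so the change is picked up.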

January 31, 2006
Worm Warning
Blackworm, Nyxem, MyWife, Tearec, and Kama Sutra are the names associated with the latest worm to hit the Internet. The worm has a very dangerous payload:

  1. Every hour, disables and removes the installed anti-virus software.
  2. Deletes all files of type DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP that are found on all connected drives (local and network) on the 3rd of every month.
  3. Propagates through email attachments and network shares.
  4. Emails itself using a variety of names and extensions.
  5. Adds itself to the auto-start programs in the registry.

Protect your computer by having the latest anti-virus definitions installed (definitions installed after January 23rd). Scan your machine once the new definitions are installed.

NOTE: If the machine is infected before the virus definitions have been installed, the computer will need to be rebuilt from scratch.

Removal Options:

Anti-virus vendors and Microsoft have options for removal of this worm. The most common vendors are:

However, there are a couple of reasons to rebuild the computer from scratch:

  • BlackWorm uses the same methods as several other viruses/worms. It might not be the only virus/worm on your machine. The removal methods above will only remove this worm.
  • BlackWorm allows remote access to your computer. Additional viruses/worms may have been installed via this backdoor.

If you need assistance or have any questions, please contact the IT Help Desk at 480-965-6500.

August 19, 2005
Zotob Worm
The "Zotob" worm, which has been in the news this week, has infected a large number of hosts on the ASU network and is continuing to spread. The large amount of traffic generated by the infected hosts is severely impacting network performance in some sections of the ASU network.

In an effort to reduce network impact and help prevent the spread of the worm, ASU Information Technology has begun to disable ports to which infected machines are connected. If your port is disabled due to infection, the virus will need to be removed before the machine can be reconnected to the network. Once your machine has been cleaned, contact the IT Help Desk at (480) 965-6500 to have the port re-enabled.

Note: If an infected host is connecting through an unauthorized Ethernet hub, all hosts that are attached to the hub will lose network access until the infected host is cleaned.

Please check the following URLs for additional information:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx or http://vil.mcafeesecurity.com/vil/content/v_135491.htm

December 3, 2004
Spyware Security Threat
A new computer security threat in the form of spyware from a company called MarketScore has been identified on campus. This software runs when the computer starts up and collects information entered into online forms. It also re-routes all web traffic from the computer through MarketScore proxy servers, which gives the company the ability to view all information sent to and from a user’s web browser, including traffic that would normally be protected by https/SSL encryption. The information that can be collected through secure connections includes user IDs and passwords, social security numbers, credit card information, etc. The most likely way the software is installed is through file sharing software called iMesh.

To protect ASU systems from this new spyware, traffic from all MarketScore address ranges coming into the ASU Data Center will be blocked tonight (12/3/2004).

It is recommended that you uninstall the software from the computer and change all your passwords:

  1. Remove the spyware and restore normal functionality by following this process.
  2. After removal of the software, change all passwords that might have been entered on the computer.

If you need further assistance, please contact the IT Help Desk at 480-965-6500.

July 30, 2004
Internet Explorer Security Patch Released
Microsoft released a security patch for Internet Explorer (IE) today. The patch fixes vulnerabilities within IE that could allow an attacker to take control of the local computer. Run Windows Update to apply this latest patch (http://windowsupdate.microsoft.com).

May 5, 2004
Sasser Worm & Microsoft Security Patches
This weekend a new virus/worm called Sasser was released onto the Internet. This worm does not require an email to be sent or opened on the target machine in order to infect it. The only requirement for infection is that the target machine does not have the latest Microsoft patches installed. The worm does not have a harmful payload but will require significant time to remove.

ASU encourages all faculty, staff, and students to run Windows Update (https://windowsupdate.microsoft.com) and install the Critical Updates and Service Packs for their Microsoft Windows operating systems.

Apr 16, 2004
Microsoft Security Patches
Tuesday afternoon Microsoft released several security patches for the Windows operating systems. These patches address several critical security holes in the operating systems.

If you are infected and need assistance with removal please call the IT Help Desk at 480-965-6500.

Security Announcements

Jan 30, 2006
Wireless Access Goes Campus-wide With Guest Access
Campus-wide wireless networking implementation is ongoing, with the next phase to be completed in February. All ASU campus locations (Tempe, West, Polytechnic) will have a new wireless network SSID (asupublic). This new ID will provide access for guests and ASU users. The new process does not require the MAC address registration that is currently in place, but systems are checked for vulnerabilities once each day when they come on the wireless network. Guest users will be provided with Internet access. ASU users will have access to ASU resources and the Internet. Both user types will be able to use VPN. Select asupublic as the wireless network, then open a Web browser to log in. For questions contact the IT Help Desk at (480) 965-6500. More information is available at the ASU Wireless Web page.

January 8, 2005
Wireless Users Have New Login
Beginning Jan. 9 campus wireless users will see a new logon process when connecting to ASU's computing network in selected areas of Tempe Campus. The computer owner will open a Web browser and complete an automatic safety scan before being connected to the network. A MAC address registration will not be needed for connection. Guest users will have access limited to selected VPN service, and HTTP and HTTPS Web browsing. This is a pilot program for the rollout of university-wide wireless Internet coverage. Areas on campus still covered by existing wireless access will continue to be accessible only with computers with registered MAC addresses. Signage will be posted in the locations where the pilot program is underway: the current indoor and outdoor wireless areas for the Memorial Union, Hayden Library, W.P. Carey School of Business (BA/BAC), and Administration A and B. Contact the IT Help Desk with questions at 480.965.6500.

August 9, 2004
Perfigo Security Added To Residence Halls And Brickyard
A new scanning & network access system called Perfigo is being added this semester in the ASU Residence Halls and Brickyard Artisan Court. This new system is for your security as well as for ASU Network security and performance.

Mar 12, 2004
Change in FTP Service Made
On Dec. 19, ASU completed the transition to Secure FTP. Unsecured FTP connections will no longer be allowed to connect to IT UNIX resources.