University of Michigan - Flint

Information about the Microsoft Word Virus Attack can be found in the ITS Blog.

From: Maiser@list.flint.umich.edu [mailto:Maiser@list.flint.umich.edu] On Behalf Of ITSHelpDesk
Sent: Wednesday, August 17, 2005 11:10 AM
To: umf_fac_staff@list.umflint.edu
Cc: umf_students@list.flint.umich.edu
Subject: Microsoft Windows 2000 Worm

Dear Campus Community,
As many of you may already know, a new worm was released into the computing world within the last 24 hours.  This worm primarily affects computers running Microsoft Windows 2000.  To learn more about the worm, you can click on the following link:

http://virusbusters.itcs.umich.edu/

ITS prepared for this issue last week when we patched our servers to prevent any problems to the network and/or desktops.  At U of M Flint, few desktops run Windows 2000, those that do should have already received the patch from our Update Server.  Just to be safe, if you are currently using a desktop running Microsoft Windows 2000, please reboot your computer to make sure the updates have been installed properly.  If you are running Microsoft Windows 2000 at home or on a laptop and need to update your system, you can access the Windows update site at the following link:

http://www.windowsupdate.com

ITS will have cd’s containing McAfee, Spybot, and Adaware programs available for faculty, staff,  and students starting tomorrow afternoon.  There will be a very limited supply, so only 1 per customer please.  If you have any questions, please contact the ITS Helpdesk at 766-6804.

 

From: Storch, Melissa On Behalf Of ITSHelpDesk
Sent: Thursday, June 02, 2005 2:57 PM
To: Allusers
Subject: Be aware of fraudulent emails: *DETECTED* Online User Violation
Importance: High

 

Dear University of Michigan - Flint users,

Please be aware that the below email message claiming to be from administrator@umflint.edu did not originate from anyone in the ITS department.  If you receive this or an email similar to this, do not click on any links or open any attachments included with the message.  ITS will never send a vague inference of violations with instructions to view an attachment for details.

This is the result of a computer virus on a computer somewhere on the Internet that is spoofing who it is from to try and get you to run the attachment which contains the virus (W32/Mytob.bf@MM ). For more information about email spoofing and phishing, please see our What is Spam flyer located http://www.umflint.edu/its/helpdesk/flyers/spam.htm . 

In most cases, our email server automatically removes the infected file, so you should not become infected by using our email system.  However, for new viruses it may take 24 hours or more to be automatically detected by a virus scanner. So, never attempt to open or save these attachments.  Your home email may not automatically remove viruses from attached files.  For more instructions on using Anti-virus Software, please see Quicknote #26 - http://www.umflint.edu/its/helpdesk/quicknotes/QN26.htm .

Remember, never attempt to open or save the files attached to suspicious emails.  If you have any questions, please call our ITS HelpDesk at (810) 766-6804 or email at ITSHelpDesk@umflint.edu.

Thank you,

Melissa Storch
Information Technology Services

--------------------------------------------------------------------------------

From: administrator@umflint.edu [mailto:administrator@umflint.edu]
Sent: Thu 6/2/2005 6:38 AM
To: XXXXXXX
Subject: *DETECTED* Online User Violation

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

 

From: Conover, Kathleen
Sent: Thursday, December 23, 2004 2:41 PM
To: Allusers
Subject: NEW virus message
Pardon the second message on this topic however; we have had numerous calls and emails with questions regarding where to find the antivirus update for home usage.
Please note that you can always find virus update information by visiting our ITS HelpDesk website.  From there you will find a direct link to the Ann Arbor Virus Busters website.  Note both links are below.

Ann Arbor Virus Buster Site:

http://virusbusters.itcs.umich.edu//vsdl.html

UM-Flint HelpDesk Site (antivirus information):

http://www.umflint.edu/its/helpdesk/support_centers/safecomputing/virus.htm

UM-Flint HelpDesk phone number:
810-766-6804

UM-Flint HelpDesk website:
http://www.umflint.edu/its/helpdesk/

From home, if you use a dial-up connection and have troubles with the home install, contact the ITS HelpDesk on or after January 3rd and the staff can walk you through burning a cd from our servers.  However, please note that you must be on campus to burn this cd.

If you have already installed McAfee version 8 on your campus computer, don’t worry about uninstalling as our servers will recognize it and make any changes if needed. 

Last, if you have a laptop that you use both at home and on campus, bring it to our campus, connect to the network and the install should take affect automatically.  If you do not notice the red splash screen with the new McAfee version 8 logo, call the HelpDesk for assistance on or after January 3rd.

Thank you,

Kathleen Conover

 

From: Conover, Kathleen
Sent: Thursday, December 23, 2004 1:59 PM
To: Allusers
Subject: computer virus updates coming soon
COMPUTER VIRUS UPDATES COMING SOON!
McAfee virus scan version 8 is being installed on all campus computers effective today at approximately 2:30 PM.  If your computer is on at that time, you will not notice any change other than possibly seeing a new McAfee logo screen (red) if you reboot.  If your computer is not on during the install, it will take affect upon start up when you return.

From now on, our server will automatically send updates to your computer as needed.

These changes are taking place in an effort to combat viruses, spy ware, and ad ware.  We have configured campus computers to automatically update whenever they are available.  There is no need for users to specify times/days of the week in order to check for McAfee updates as our servers will do the hard work for you.

Do not be alarmed if you see McAfee alerts showing deleted or quarantined files, this simply means that McAfee is doing the job!  ITS has been testing the new upgrade for the past few weeks and many of us have received alerts almost daily.   Please read the alert information carefully and if you see the words “deleted” or “quarantined” next to the files, simply close the window and carry on with your business.  Again, this is evidence that McAfee is working.

Why are we pushing out the latest version of McAfee?
Recently, we learned of a company named Marketscore which has been promoting accelerated web access in return for all of a person's web traffic being sent through their servers.   Technically, this is known as a web proxy.

Spyware is any technology that aids in gathering information about a person or organization without their knowledge.

Normally, when you are at a web site and about to enter your password or credit card number, you usually look for a little lock which indicates that you have an encrypted connection.  This encrypted connection prevents an eavesdropper from recording whatever it is you send to the web site.  The particular proxy service used by Marketscore permits them to decrypt all encrypted traffic protected by https (SSL) connections and record it for later analysis.

I've attached a news article ( http://www.nwfusion.com/news/2004/1130univestrug.html ) which describes more fully the threat posed by Marketscore and the actions being taken by Universities around the country to combat Marketscore.

We highly recommend that you upgrade your home computer to McAfee version 8, in an effort to protect your home computers as well.

Thank you,

Kathleen Conover
ITS

 

From: Arnst, Scott
Sent: Wednesday, March 03, 2004 4:30 PM
To: Bowman, Trevor
Cc: Allusers
Subject: RE: Dear University of Michigan Flint users
 
Dear user community,
The below email that Mr. Bowman sent (thank you) is another example of a virus. Rest assured that no one in ITS would send such a message and we would certainly not send it from some generic account like "administration".
 
In the event that you had actually done something to violate the universities acceptable use policy (AUP) then we would contact you directly to discuss the matter in person.
 
Virus writers are getting pretty crafty at the "social engineering" part of viruses and they know that users will not open anything unless they think it is important.
 
In our case if you received ANY email through your university email account and it has an attachment called "Replaced Infected File.TXT" then you can safely assume it was an email generated by a virus on someone else's computer and you can therefore ignore it.
 
For more information about virus please visit the following web site:
 
http://www.umflint.edu/its/helpdesk/support_centers/safecomputing/virus.htm  
 
Scott

From: Arnst, Scott
Sent: Thursday, September 18, 2003 4:49 PM
To: Allusers
Subject: FW: Last Microsoft Patch
Importance: High 

If you receive the below message you can rest assured that it is in fact a fake. This is actually a virus that was created today. You will notice that the attachment is called "Replaced Infected File.TXT". This is because our email system scanned the message and found a removed the infected message. If you happen to receive this message on your personal email accounts at home DO NOT run the attached file or you will infect your computer.

So if you receive this email please just ignore it.
 
Scott Arnst
System Administrator III
The University of Michigan - Flint
ITS Department, 207 Murchie Science Building
303 East Kearsley
Flint, Michigan  48502
Phone: (810) 762-3092
Fax:  (810) 766-6805
 

From: Conover, Kathleen
Sent: Saturday, September 13, 2003 1:30 PM
To: Allusers
Subject: New Virus Information-IMPORTANT

Importance: High
Please thoroughly read this entire message as we need your assistance in preparing your computer against potential NEW virus invasions.

 Click here to reveal Table of Contents
Systems that could be impacted
What steps has ITS taken to prevent this threat?
Will you notice the downloads as they may occur each day?
Does that mean that if computers are not on at 7:00 AM, they will not install the updates?
What do you need to do?
What do we do about computers that are not used regularly and may currently be turned off?
Should I follow this process if I have Windows 95, 98, Windows ME or a Mac computer? 
What should you do if you see a popup window telling you about updates during the course of your work day?
Optional directions if you choose to install updates on your own.
 

The National  Cyber Security Division (NCSD) of the Department of Homeland Security (DHS)/Information Analysis and Infrastructure Protection (IAIP) Directorate is issuing the advisory in consultation with the Microsoft Corporation to heighten awareness of potential internet disruptions resulting from the possible spread of malicious software exploiting a vulnerability in popular Microsoft Windows Operating Systems.
 
DHS believes that exploits are being developed. Two additional factors are causing heightened interest in this situation: the affected operating systems are in wide spread use, and exploitation of the vulnerability could permit the execution of Arbitrary code.  DHS is concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to the Blaster Worm.
 
Systems that could be IMPACTED include:
 
Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
 
Please carefully read the questions and answers below.
 
What steps has ITS taken to prevent this threat?  ITS has set up a server that will automatically auto download approved and tested Windows updates on a daily basis for all campus computers.  Your computer will also periodically check for new updates throughout the day.  If a computer is in need of an update, the server will provide it to applicable computers.  In addition to the periodic checks, your computer will automatically install new updates at 7:00AM as needed.  As of now, all computers have already received the new updates to combat the anticipated viruses that could pose a threat to our network in the very near future.  However, if your computer was left on over this past weekend (9/13-14), you will need to shut down and restart.
 
Will you notice the downloads as they may occur each day?  No.  You will NOT have to visit the Microsoft site to do this manually,  the server has been set up to do this automatically.  Your daily tasks will not be interrupted as this will be done "behind the scenes."  If your computer installed an update you will be notified that the install is complete and that you must reboot your computer for it to take effect. You may reboot the pc at your convenience.  It is not necessary to reboot immediately however we do ask that you reboot or shutdown your computer before you leave for the day.
 
Does that mean that if computers are not on at 7:00 AM, they will not install the updates? No. Your computer will be scheduled to install security updates 15 minutes after it is turned on, no matter the time of day -or- at 7:00 AM if your computer is on.
 
What do you need to do?  Please either shut down or reboot your computer one time every day.  You can either wait until you leave for the day (preferred method) or you may do so upon receiving the message that an update has occurred.
 
In addition, please shut down your computer each and every day upon dismissal from work from now on.  A dual purpose is being served in that we are saving energy and activating the updates that will occur whenever new upgrades are installed to the server in the future.  To further conserve energy, on a daily basis please turn off your monitor, printer, scanner, and fax machine if you have these types of equipment in your office. 
 
What do we do about computers that are not used regularly and may currently be turned off?  Our server is set up to identify computers if they do not have updates, so shortly after it is turned on it will automatically download updates and will schedule the updates to be installed at 7:00AM. If it is not on at 7:00AM then it will install the updates 15 minutes after the next time it is turned on.
 
Should I follow this process if I have Windows 95, 98, Windows ME or a Mac computer?  Yes, please shut down your computer upon dismissal from work everyday, but NOT for virus protection purposes at this point, rather for energy savings.
 
 
What should you do if you see a popup window telling you about updates during the course of your work day?
You can ignore the message by clicking on the X and wait for the automated install to take place daily at 7:00 AM -or- you can make an attempt to install the update on your own.   See optional directions below.
 
Optional directions below if you choose to install updates on your own.
 
1.  Your computer may download installs before or after 7:00 AM. If that happens you will see the following popup message.  Feel free to simply click on the X to close this window and allow our system to automate the install.
 
 
2.  You can review and install the updates immediately by clicking on the yellow popup window and then pressing the INSTALL button on the following window:
 
 
3.  You should see a progress meter that will show the progress of the installation.

4.  When the installation is complete you will see a message notifying you to restart  your computer.

 
5.  You can restart your computer then or wait until a more convenient time.
 
 
If you have further questions, please call the ITS HelpDesk at 766-6804.
 
Thank you for your cooperation.

-----Original Message-----
From: Conover, Kathleen
Sent: Tuesday, August 19, 2003 1:19 PM
To: Allusers
Subject: URGENT- VIRUS UPDATE
Importance: High

Please read below for an important message regarding the recent virus attack.

UPDATES-

1.  Instructions were sent out yesterday with "How to clean your PC" in the Subject Line.  Please see below for a repeat of that message, if needed.

2.  ALL users on campus need to follow the instructions outlined in that email.  If you are unable to locate the Word Document that contains the directions, you have the following options:

    a. Call the Help Desk at 766-6804 and they can help you locate the directions on your computer.

    b. Call the ITS front desk at 762-3123 and a copy of the directions can be either faxed or hand delivered to your department. 

3.  The ITS staff will be visiting every office on campus immediately to verify that all of the users have the virus update installed.  We will assist with the installations as needed and will be working for the next 24 hours to complete this task.

4. Once we feel that the majority of computers have the update, we will turn on access to the Internet.  Currently our users from the outside are unable to access our websites.  Therefore, we are working on a temporary solution to at least allow users from the outside to access the Internet.  Our hope is that outside users will be able to access our website within a couple hours.

5.  In the meantime, do not make attempts to access the Internet until you have received an email and or phone message from ITS.  We cannot allow access to the Internet until the majority of the newer computers (not Win 98, 95 or MAC) have the virus update installed.  The directions in yesterday's email are described below on how to install the update.  PLEASE DO THIS IMMEDIATELY and/or tell the ITS representative when they visit your office and they will assist you.

6.  If it the update has already been installed, label your computer by taping a sign to the monitor that states, "Virus Update Installed" .

Repeat of yesterday's message is below:

The technical difficulties we are having today are related to a new virus that appeared this morning. The virus works by installing itself on Windows computers that do not have the latest patches installed (the particular patch that would stop this virus has been available from Microsoft since mid-July). The virus works by scanning all the computers on the network and Internet and seeing if it can find the vulnerability. However in this instance the firewall that we use to protect our network from the Internet specifically blocks the vulnerability. Therefore it has been determined that a computer (most likely a laptop) was used on campus that had been previously infected offsite with the virus and then that computer infected the rest of our computers once it was hooked up to our network.

We have a way for you to clean the virus from your computer. You will find the directions in the "Cleaning Your PC.DOC" Word document located in the Server Applications shortcut on your desktop. You can also open the file by double clicking on "My Computer", double clicking on "Pcpub on 'Umf-eapp\Sys' (L:)", double clicking on the "WIN95" folder and then double clicking on the "Server Applications" folder.

The document contains two sections. The first section is only for installing the update to remove the virus and should be used only if you currently have virus scanning already installed on your computer *. The second section of the document describes how to install virus scan if it is not already installed on your computer.

If you have any problems please contact the ITS Help Desk at 66804

 * If you do not know if you have virus scanning software installed on your computer you can click on your START menu, then go to ALL PROGRAM FILES or PROGRAMS and look for a folder called NETWORK ASSOCIATES. In that folder you should see either VIRUS SCAN or VIRUSSCAN ON-DEMAND SCAN. If you find either of those programs then you have virus scanning installed.

Thank you,

Kathleen Conover

ITS Director