NOTICE: Click here for questions regarding Webshield.
DOWNLOAD The latest McAfee Superdat file from the DAT File Download Page.
The following page contains information about recent e-mail viruses which are considered dangerous.
Client Services has already posted virus scan updates for the viruses
mentioned below.
These viruses are considered dangerous, and caution should be taken with
all e-mail attachments. Users should take the time to update their virus
definitions, which can be found at http://ots.iit.edu/software/downloads/mcafee/updates.php
In addition to keeping your anti-virus software up-to-date, OTS strongly
recommends that you regularly use Windows Update to install critical system
updates released by Microsoft. The easiest way to do it is to configure
Windows to automatically update the system.
You can obtain information on how to do this at the following link:
http://ots.iit.edu/howto/windowsupdate/
To read additional information regarding the latest security patches, see the link below:
http://www.msnbc.msn.com/id/6936372/
To read additional information and configure Windows to automatically update, you can go to the following Microsoft link:
http://www.microsoft.com/security/bulletins/automaticupdates.mspx
W32/Zotob (variants)
What it looks like: The virus spreads by mass mailing itself via the SMTP engine
and other means. It may allow the attacker to control the victim's
machine via relay chat connections. It exploits the MS05-039
vulnerability. It makes changes to the system registry that look like
this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = per.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = per.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4 (default is 3)
The "per.exe" file name could be something else, such as "botzor.exe",
"csm.exe", "wintbp.exe", "windrg32.exe", and perhaps others.
The virus is also known to make a different registry key modification:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbp.exe" = wintbp.exe
What it does:
It can cause denial-of-service on the infected machine, block access
to anti-virus websites, and spread itself by either mass mail or by
scanning the network for other vulnerable machines on ports 445 and 33333,
and on other ports.
What to do: Please follow the instructions on this page.
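The registry changes listed above for W32/Zotob can be checked against a regedit export (.reg text) taken from a suspect machine. The following is an added example, not part of the original OTS notice; the function name `scan_reg_export` and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Indicators copied from the W32/Zotob description on this page.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SHARED_ACCESS = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
SUSPECT_NAMES = {"windows system", "wintbp.exe"}
SUSPECT_FILES = {"per.exe", "botzor.exe", "csm.exe", "wintbp.exe", "windrg32.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def scan_reg_export(text):
    """Return (key, value name, data) for each entry matching the indicators."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := KEY_RE.match(line)):
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if key in RUN_KEYS and data.startswith('"'):
            # String data: drop the outer quotes and undo .reg backslash escaping.
            value = re.sub(r"\\(.)", r"\1", data[1:-1])
            tokens = set(re.findall(r'[^\\/"\s]+', value.lower()))
            if name.lower() in SUSPECT_NAMES or tokens & SUSPECT_FILES:
                findings.append((key, name, value))
        elif key == SHARED_ACCESS and name.lower() == "start":
            d = re.fullmatch(r"dword:([0-9a-f]{8})", data.lower())
            if d and int(d.group(1), 16) == 4:  # the page lists 4; default is 3
                findings.append((key, name, "4"))
    return findings

# Constructed sample in regedit export form, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

A match is a reason to run the updated virus scan on that machine, not proof of infection; the file names are matched anywhere in the Run value, so a full path to one of them is flagged as well.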
W32/Nimda@MM
What it looks like: The virus spreads in many different ways. It spreads via e-mail,
open file shares, and vulnerabilities in Microsoft Internet Information
Services. Users should be cautious of e-mail attachments, as the virus
attachment could be automatically generated from the infected computer
of a trusted source.
What it does:
The virus spreads via e-mail, sending infected e-mails to addresses
gathered from messages and address books. In addition, it attempts to
create shared network folders and enables guest access to files and
folders normally protected for system administrators. It also attempts
to find vulnerable Internet Information Services installations through
which to spread further. It appears as though the goal of the virus is to create
large volumes of Internet traffic to make computer networks virtually
unusable.
What to do: All users should update their virus protection immediately
to the latest version. Also, users who may be running Internet Information
Services will need to update their systems with the patch from Microsoft
at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.
W32/Apost@MM
What it looks like: The virus comes in as a message with the subject "As
per your request!" and with "readme.exe" as an attachment.
Infected computers automatically generate this virus message, so it
may come from a normally trusted source.
What it does:
So far, there have not been reports of any damage to personal computers
caused by the virus, but the full effects may not be entirely known.
It does, however, send infected messages to the user's entire Outlook
Address Book, and so users are asked to use caution with e-mail and
attachments to prevent infection.
W32/Sircam
What it looks like: Comes in as a message from a known source, with a text that
will contain one of the following messages:
Hi. How are you?
I send you this file in order to have your advice
OR I hope you can help me with this file I send
OR I hope you like the file that I sendo you
OR This is the file with the information that you ask for See you
later. Thanks
What it does:
Searches the "My Documents" folder for certain types of files (.gif
.jpg .pdf .ps .zip and others) and sends infected copies of the files
to address book recipients.
W32/Magistr
What it looks like: Comes in as a message from a known source, with text taken
from previous e-mails from the sender.
What it does:
Gathers addresses and text from e-mails stored on the user's machine,
as well as address book files, and uses these to create new messages
to spread. Also contains a payload that may destroy hard disk sectors.
W32/Hybris
What it looks like: Comes as a message from hahaha@sexyfun.net with a subject
"Snow White and the Seven Dwarfs - The REAL Story!"
What it does:
The virus collects the names of people to whom you send mail, and
attempts to send a copy of itself to the mail recipients.
Contact Info:
If you have any questions and/or need assistance, please contact the OTS Support Desk at 312-567-3375.
Anyone who thinks they may have a virus, or needs assistance in protecting themselves
from these viruses, should e-mail virus.info@iit.edu or call the
Client Services Helpline at x75267.