April 17, 2013
Spam Surge

We're seeing a surge this morning in spam that is getting through ISU's initial filters and which may also not be getting caught by your Outlook Junk filter.

The particular spam we're seeing includes a subject referencing 'Boston' or 'the Boston Marathon' and promising to link you to news, video or updates. DO NOT click on these links. Either delete the messages unread, or select them and send them to your Junk folder. These emails will likely be blocked at the university border eventually, but spammers and phishers are always finding new ways to send things through filtering systems, so you'll never be completely free from junk email.

We're also seeing a lot of stock and credit spam lately. Deleting and filtering are your best response to these emails.

Posted by dcoates at 09:10 AM
September 24, 2012
More on the Internet Explorer Vulnerability

On September 18th, we sent out information on a vulnerability in Internet Explorer. On Friday, September 21, Microsoft issued a patch for that vulnerability. You should have seen it in an update to your computer either Friday or this weekend.

If you're not sure if you've received an update, you can go to the Start menu...Windows Update...and view your update history (you should see a recent Cumulative patch for IE). Or, to ensure your computer is up to date, select Windows Update...and Check for Updates.

If you have questions about the update, you can contact the Computer Support Hotline at 515.294.1725 or via email at eithotline@iastate.edu

Posted by dcoates at 04:09 PM
September 21, 2012
And Yet More Phishing

Most of you are aware of phishing attempts by now. We've been seeing a few new ones the last week or so, and this one in particular, I know, went out to quite a few of you:

Your Iowa State Email account has been reported for numerous spams Activities from a foreign ip recently. As a result you may not be able to receive or send new mail.
However, you might not be the one promoting this Spam, as your e-mail account might have been compromised. To protect your account from sending spam mails, You are to confirm your true ownership of this account, Kindly CLICK HERE fill the form and login again.

Failure to do this will violate the ITS Policy.This will render your account inactive.
NOTE!!: You will be sent a password reset message in next seven (7) working days after undergoing this process for Security reasons.
The office of Information Security will keep this updated if information should change, but we encourage all users to run their updates after the expected release of this patch.
Authorised by: Jim Davis,
Vice Provost for Information Technology and Chief Information Officer.

A few things to notice here:

  1. They've gone to the trouble to gather an ISU logo, made it appear that the email is from the Solutions Center, and used Jim Davis's name (CIO for ISU)
  2. However, it's also badly formatted and sends you to a link that isn't at Iowa State (the link for most of you has been removed)
  3. Also, password resets do not work this way on the ISU network
  4. No one should ever store your password except you and the system itself

If you ever have questions about emails like this, don't hesitate to ask the hotline (515.294.1725 or eithotline@iastate.edu).

Posted by dcoates at 11:16 AM
September 18, 2012
Internet Explorer Vulnerability

Many of you have probably seen the warnings in newspapers and news reports about a new vulnerability in Microsoft's Internet Explorer. There have been some identified attacks targeting this vulnerability, but at the present time these attacks do not appear to be widespread. An attacker who is able to exploit this vulnerability would have the same user rights as the current user. Because Extension computers should be operating with power user rights not administrator rights, an attack, if it happens, will have less impact on the computer.

Microsoft is working on a patch for the vulnerability and will be issuing an update shortly.

Things you can do:

  1. Be sure your computer has the latest updates for Windows, Office, and EndPoint Protection (your anti-virus program).
  2. Don't click on unknown links or visit untrusted websites.
  3. Operate your computer as a power user (when you're logged in with your Net-ID) not as an administrator
  4. Be aware of where you are on the web, what links you click on, suspicious emails, etc.

Some people are recommending switching to a different browser for the moment. We do not think the threat warrants that approach at this time, but will update you as the situation develops.

If you have additional questions, please contact the Computer Support Hotline at 515-294-1725 or via email at eithotline@iastate.edu

Posted by dcoates at 11:38 AM
February 21, 2012
More phishing warnings--"Important Notice" spam

We seem to be getting more of these and more clever ones. Last night many of you received an email with the following in the body:

Your email account has been reported for numerous spams Activities from a foreign ip recently. As a result you may not be able to receive or send new mail.

However, you might not be the one promoting this Spam,as your email account might have been compromised. To protect your account from sending spam mails, You are to confirm your true ownership of this account by following this link below, fill the form and login again to your webmail...

Particularly insidious, it spoofs the Solutions Center email address as well as a Solutions Center footer and ISU logo. Needless to say, it is NOT from the Solutions Center. Solutions Center staff will never ask you to go to an external site and enter your Net-ID and password.

DO NOT respond to this or similar email. DO NOT input your Net-ID and password into a link that is not on the iastate.edu site (I'm not going to reproduce the link here, but it clearly points to a non-iastate.edu site).

I recommend always going to the site (for example: asw.iastate.edu) directly rather than clicking on a link if you're being asked to put in your Net-ID and password.

If you ever have questions about whether an email is legitimate, please call 515-294-1725 or email the hotline at eithotline@iastate.edu


Posted by dcoates at 09:16 AM
February 06, 2012
Remember: Don't Give Away Your Password

Recently, university IT Services has learned that staff are receiving emails like the following:

Subject: Helpdesk: Upgrade to the New 2012 Mail Server Immediately
Date: Sun, 29 Jan 2012 14:13:16 -0700
From: (obscured)
To: Undisclosed recipients

Dear Account Owner,
We are currently migrating to Microsoft Exchange 2012 (from Exchange 2003/2011). With the introduction of Internet Explorer 9, Outlook Express has apparently been removed from the installation package on our Message Center. OWA 2012 provides the same conversation view and experience as Outlook 2011: By default, messages are displayed in threads so that all the messages on a particular topic are grouped. Inability to complete information on the form within 48 hours Message Center will render your e-mail in-active from our. Fill information on the Form by clicking on the link below:

(URL removed for security.)

You will receive an e-mail within 48 hours when your mailbox account is moved.
Thank you.
Help Desk
(c)2012. All Rights Reserved

The link in the email takes you to an off-campus website where you're asked to enter your NetID, password and other personal information.

Some things to remember:

  1. Important email from EIT and generally from IT Services on campus will come from an individual not 'Help Desk' or 'ISU Support'
  2. You can ALWAYS double-check an email (particularly one you think might be legitimate, but which doesn't have a legitimate staff person's name associated with it) by sending email to eithotline@iastate.edu or calling the Computer Support hotline at 515.294.1725.
  3. NEVER enter your NetID and password on a webpage that's not clearly identified as an extension.iastate.edu or iastate.edu webpage. If you have doubts, type in the URL (for example, exchange.iastate.edu or asw.iastate.edu) directly.
  4. If you feel you've entered your NetID and password on a non-ISU site, change your password immediately. On Windows machines, type Ctrl-Alt-Del and select Change Password. Or go to asw.iastate.edu, login, and select Change Password.
Posted by dcoates at 02:52 PM
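
The rule repeated in the phishing posts above (enter a Net-ID and password only on an iastate.edu page, and distrust links that point elsewhere) can be checked mechanically. The following is an added example, not part of the original posts; the function names, the sample message body and its example.net and 198.51.100.7 addresses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain the posts name as the only legitimate place for a Net-ID and password.
TRUSTED_DOMAINS = ("iastate.edu",)


def is_isu_login_url(url):
    """True only if the URL's real host is iastate.edu or one of its subdomains.

    A True result says the hostname is on campus, nothing more.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops any "user@" prefix and the port, and lowercases the rest,
    # so "asw.iastate.edu@198.51.100.7" is judged by 198.51.100.7.
    host = (parts.hostname or "").rstrip(".")
    # Match on a dot boundary: "iastate.edu.example.net" and "asw-iastate.edu"
    # contain the campus name but are not campus hosts.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href = href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def off_campus_links(html_body):
    """Return the (href, visible text) pairs whose target is not at iastate.edu."""
    collector = _LinkCollector()
    collector.feed(html_body)
    collector.close()
    return [(h, t) for h, t in collector.links if not is_isu_login_url(h)]


# Constructed sample body modelled on the wording quoted in the posts.
SAMPLE_BODY = """
<p>To protect your account, Kindly
<a href="http://iastate.edu.webmail-check.example.net/form">CLICK HERE</a>
fill the form and login again.</p>
<p>Change your password at <a href="https://asw.iastate.edu/">asw.iastate.edu</a>.</p>
<p><a href="http://asw.iastate.edu@198.51.100.7/login">https://asw.iastate.edu/login</a></p>
"""

if __name__ == "__main__":
    for href, text in off_campus_links(SAMPLE_BODY):
        print("off campus: %r is shown as %r" % (href, text))
```

The third sample link shows why the visible text of a link proves nothing: it displays an iastate.edu address while the target is a bare IP address.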
April 28, 2010
Update: Des Moines Register Malware Removed

A quick update on the Des Moines Register malware issue reported yesterday. The Register indicates that the problem was an online advertisement that contained malware. That ad has been removed. And the site is considered safe.

More information here.

Posted by dcoates at 09:14 AM
April 27, 2010
Be Aware: Reports of Malware on Des Moines Register Website

According to ISU's IT Services:

The State of Iowa DAS security group sent a security alert out to State of Iowa employees regarding compromised web pages on the Des Moines Register website.

They recommended that all state employees avoid the Des Moines Register website and were blocking access to the Des Moines Register website where possible.

It is extremely likely that this malware will either install Torpig, a nasty banking Trojan, or the familiar Rogue AV software. Both malware products are intended to drain money from the accounts of victims.

Complete information is available here: http://www.it.iastate.edu/news/showitem.php?id=370

We will post an update when we have new information.

Posted by dcoates at 10:52 AM
July 24, 2008
Do Not Open!

Some of you may have seen an email or two coming through in the last few days with the following subject header:

You've received A Hallmark E-Card!

This is a virus. Do not open the attached file.

If you have already opened the attached file, call the hotline for help getting rid of it. As of about 11:30 AM this morning an update had been issued for VirusScan which will prevent the virus from infecting your computer once the new update has been delivered to your computer. If you think you already have the virus, right-click on the VirusScan icon in the bottom right corner of your screen. Select 'Update Now...' Once VirusScan has finished updating, right-click on the VirusScan icon again and select 'On-Demand Scan...' Click 'Start' (button on the right-hand side of the screen).

Some things to keep in mind:

  • Never open an attachment from a sender you don't know
  • E-cards from Hallmark DO NOT come as attachments. A legitimate Hallmark (and most other) e-card will send you to a web page.
  • If you get an attachment from someone and you aren't expecting it (or the email they send with it sounds pretty generic), send them an email and ask if they meant to send you an attachment.

With better virus fighting software, including software that works at the mail server itself, we've seen a huge reduction in the number of virus outbreaks. But as this latest episode proves, you need to stay alert to suspicious emails, because people are still out there looking for new ways to harm your computer.

Posted by dcoates at 01:36 PM
April 20, 2005
VirusScan Made Simple

In February Extension IT solicited offices to test a management framework for VirusScan called ePolicy Orchestrator (ePO). Today I am pleased to report that testing has gone exceedingly well, and we are now prepared to begin deploying ePO to all managed Extension computers (those in the IASTATE domain).

Beginning Friday, April 22, the ePO agent will automatically install on your computer when you log on. The installation is silent; you won't see anything unusual appear on the screen. If needed, ePO will then upgrade VirusScan behind the scenes to version 8.0, the most recent version. From then on, ePO and EIT will keep your antivirus up to date without any intervention from you!

--
Darin Dugan, System Admin

Posted by dddugan at 03:49 PM
February 18, 2005
It's time to simplify antivirus software

We're getting ready to deploy a new antivirus management tool, and we need your help to test it out! The management framework is called ePolicy Orchestrator, or ePO for short. It's by McAfee, the same company that produces the VirusScan you already use. ePO is a tool that helps the IT department keep your computers safe by configuring antivirus definition updates and scans for you, and even by updating the VirusScan application itself. Even better, we will be able to push updates out to you in the event that a critical virus threat is discovered between scheduled updates. Once the management agent is installed, you won't even know it's there.

The long term goal is to have ePO installed on every computer in Extension, helping to ensure a secure environment for everyone. In fact, we have already deployed ePO to about 100 machines without any troubles. But before we go statewide, we would like to do more testing. That's where you come in.

If you're willing to lead the pack and help out IT, shoot an email to dddugan@iastate.edu. However, we need participation to be on an office-wide basis, not just one or two individuals, so make sure everyone's on board. And as always, computers need to meet minimum support standards. As part of the ePO deployment, your computers will be upgraded to VirusScan Enterprise 8.0, if not already running it.

We look forward to hearing from you!
--
Darin Dugan, System Admin
Iowa State University Extension
www.extension.iastate.edu

Posted by dddugan at 01:25 PM
November 02, 2004
At least VirusScan Enterprise 7

If you are running any version of VirusScan less than Enterprise 7, you should update now.

To determine which version you currently have:

  1. Right-click the VShield icon in your task bar
  2. Select About VirusScan or About VirusScan Enterprise
  3. Review the version number and virus definitions created on date

If the version number is less than 7.0.0, you should log on with your administrator account and update through Scout. Version 7.1 is available in the Current section. (Do not use any Scout CDs your office may have; these are outdated.)

If the virus definitions created on date is more than one to two weeks old, you should review your autoupdate schedule. Outdated antivirus software is just as bad as no antivirus software. To review or change the autoupdate schedule:

  1. Right-click the VShield icon in your task bar, select VirusScan Console
  2. Right-click the AutoUpdate task, select Properties
  3. Select daily updates at a time when your computer will be on
  4. OK your way back out and close the VirusScan Console

You can also update your virus definitions at any time (in between scheduled updates) by right-clicking the VShield icon and selecting 'Update Now' from the menu.

For further assistance please contact the Extension IT Support Hotline (515-294-1725).

Posted by dddugan at 03:21 PM
May 04, 2004
Sasser Worm is circulating

As some of you already know from the news or internet sites, there is a new virus on the web named Sasser. Sasser uses a security hole in Windows to infect your computer and to spread itself through the Internet to other computers.

Follow the steps below to make sure you don't get infected:

  1. Log in as Administrator on your computer

  2. Go to the WindowsUpdate site and apply any Critical Updates for your computer. (Open Internet Explorer, go to Tools->WindowsUpdate)

  3. Visit this Microsoft Site to scan your computer and remove the virus if you are infected. (This is Step 3 on the page "Automatically Check for and Remove Sasser".)

When you have successfully removed the virus (or were not infected) the web page will show you.

As always, if you have any questions, please call the Computer Support Hotline at (515) 294-1725.

Posted by at 11:14 AM
April 27, 2004
So your computer is infected...

If your computer has been infected by a virus, you should take the following steps:

  • Download and run Stinger
  • Update your anti-virus definitions (right-click V-Shield, Update Now)
  • Perform a full system scan (right-click V-Shield, VirusScan Console, Scan all Fixed Disks)

If a virus was found and removed, your computer should be clean. If nothing is found, either your computer was not infected, or the infection is interfering with VirusScan. Call the Extension IT Support Hotline if you're unsure. (515-294-1725)

As always, the best way to avoid virus infection is DO NOT OPEN ATTACHMENTS unless you are expecting them and they are from a known source. Even if you are expecting something and it appears to be from a known source, be suspicious if the body of the message is not descriptive or contains cryptic messages. If you're unsure, contact the sender or Extension IT before opening the attachment.

Posted by dddugan at 09:00 AM
March 08, 2004
Yet another virus update

Over the last hour or so, many of you have probably been receiving messages that resemble this:

Here is the file

[icon] yourdocuments.pif

These are virus-laden attachments, do not open them.

I would expect that shortly the E500 virus detectors on the mail server on campus will start detecting these viruses and you'll receive some email messages with a subject that starts with 'Virus detected and cleaned'. Following that, VirusScan Enterprise 7 will be updated and you can right-click on the V-Shield, select 'Update Now' and then select 'On-Demand Scan' to be sure all the virus attachments have been deleted.

A couple of things to remember:

In most cases, you won't become infected if you haven't clicked on the attachment in the email. Only that attachment will contain the virus and once you've deleted that, you're finished.

There are a huge number of virus variations being produced and sent out 'into the wild' these days. The high volume means that we're even more likely to see viruses temporarily getting through the E-500 email virus protection and VirusScan.

Posted by dcoates at 03:53 PM
All Viruses, All the Time...W32.Sober.D@mm

W32/Sober.d@MM is yet another mass-mailing virus. It comes as an email attachment with either a .EXE or .ZIP extension. The email message itself (in either English or German) resembles the following:

(English version)
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.

Protection:

Please download this digitally signed attachment.

This Update includes the functionality of previously released patches.

+++

+++ One Microsoft Way, Redmond, Washington 98052

+++ Restricted Rights at 48 CFR 52.227-19 com

As always, don't open attachments you're not expecting. Microsoft has issued a statement that they will never ship patches in email; there will always be a link to any patch, and that link will point to an explanatory Web page rather than the patch itself.

Posted by dcoates at 01:50 PM
January 28, 2004
Update Now--VirusScan Enterprise 7

If you are running any version of VirusScan other than Enterprise 7, you need to update now.

IMPORTANT NOTE: VirusScan Enterprise 7 will not run on Windows 98 machines. If you are still running Windows 98, you need to update to Windows 2000 or Windows XP.

Instructions for installing VirusScan Enterprise 7 are available online. Alternately, you can find them by going to For Staff-- Technology Items--Anti-Virus Information.

VirusScan Enterprise 7.0.0 was provided to field offices on the Scout CD that was sent in the July 13, 2003 transmittal package. You can also install VirusScan Enterprise 7 by using Scout over the network, but in most county offices this download will take a half hour to an hour to complete.

When you install VirusScan Enterprise 7, it will set up a schedule for automatically updating your virus definitions. VirusScan 7 will scan incoming messages and scan files when accessed. It will generally not do a regular scan of your entire hard drive (since it's scanning files as they arrive and as they're accessed). However, you can scan your hard drive at any time by right-clicking on the VShield icon in the lower right-hand corner of your computer screen and selecting 'On-Demand Scan.'

You can also update your virus definitions at any time (in between scheduled updates) by right-clicking on the VShield icon and selecting 'Update now' from the menu.

If you don't know what version of VirusScan you currently have, you can right-click on the VShield icon and select 'About VirusScan' or 'About VirusScan Enterprise'. You should have VirusScan Enterprise 7.0.0 or higher.

If you are not currently running any version of VirusScan, you need to install it immediately following the online instructions and, once you've installed VirusScan, you will likely want to download and run the latest version of Stinger.

Links in this post:

Instructions for installing VirusScan Enterprise 7: http://www.extension.iastate.edu/Comp/virus/installing_virusscan.htm
Download Stinger: http://vil.nai.com/vil/stinger
For Staff Pages: http://www.extension.iastate.edu/ForStaff/homepage.html
Technology Items: http://www.extension.iastate.edu/Comp/
Anti-Virus Information: http://www.extension.iastate.edu/Comp/virus/

Posted by dcoates at 10:16 AM
January 20, 2004
Virus Alert: W32/Bagle@MM

W32/Bagle@MM is a mass-mailing worm. The worm arrives in an email message with the following characteristics:

From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.

Attachment: (random filename) 15,872 bytes

example:

frjujs.exe

When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes CALC.EXE and also copies itself as bbeagle.exe, and sets itself to load when you startup your machine. The worm uses your email address lists to send itself to others.

The virus spoofs the sender address (if you receive one, it's likely not sent by the address in the FROM: line).

You can tell if you're infected by going to Start--Search (or Find) and searching for a file called bbeagle.exe. If this file is on your computer, you're infected.

If you have not opened an attachment, you are not infected. If you get a mail message where the subject begins with "Virus Detected and Cleaned" the virus has already been removed from that message.

To remove the virus:

  1. Run Scout (over the network; do not use the Scout CD)
  2. Click on 'Configure'
  3. Select 'Advanced'
  4. Click on 'Done'
  5. Download 'McAfee Stinger'
  6. Setup of Stinger includes running it.
  7. When completed, go back into Scout, click on 'Configure'
  8. Select 'Current'
  9. Click on 'Done'

Some important notes about viruses

  • DON'T open attachments
    This is important NOT ONLY when the attachments are from people you don't know, but ALSO when they are from people you do know but are contained in suspicious-looking emails that you normally don't receive from these people.
  • If the body of the message (nonsense words, for instance) looks suspicious, EVEN IF it's from someone you know, check with that person first before opening the attachment.
  • DON'T EVER open attachments that have a .EXE extension unless you're explicitly expecting that specific file from that specific person.

For more information about the W32/Bagle@MM virus, check http://vil.nai.com/vil/content/v_100965.htm

Posted by dcoates at 10:49 AM
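
The message characteristics listed in the W32/Bagle@MM post (subject "Hi", the two "Test" body lines, a 15,872-byte .exe attachment) and the attachment extensions the posts on this page warn about (.pif, .scr, .vbs, .exe) are enough to triage a stored message. The following is an added example, not part of the original posts; the function names, tag strings, addresses and zero-filled sample attachments are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the posts on this page tell staff not to open.
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".vbs"}

# Characteristics listed in the W32/Bagle@MM post.
BAGLE_SUBJECT = "Hi"
BAGLE_BODY_MARKERS = ("Test =)", "Test, yep.")
BAGLE_ATTACHMENT_SIZE = 15872  # bytes


def triage(raw_message):
    """Return a list of finding tags for one raw e-mail message (bytes)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Windows acts on the last extension, so "card.jpg.exe" is an .exe.
        ext = os.path.splitext(name.strip().lower())[1]
        if ext not in RISKY_EXTENSIONS:
            continue
        findings.append("risky-attachment:" + name)
        data = part.get_payload(decode=True) or b""
        # The From: line is ignored on purpose: the post notes it may be forged.
        if (ext == ".exe"
                and len(data) == BAGLE_ATTACHMENT_SIZE
                and subject == BAGLE_SUBJECT
                and all(marker in body for marker in BAGLE_BODY_MARKERS)):
            findings.append("matches-bagle-description")
    return findings


def build_sample(subject, body, filename, size):
    """Construct a test message; the attachment is zero-filled, not malware."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "staff@example.com"      # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(bytes(size), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one shaped like the Bagle description, one like the
# "yourdocuments.pif" message from the March 2004 post, one ordinary message,
# and one .exe of the same size that lacks the other Bagle characteristics.
SAMPLE_BAGLE = build_sample("Hi", "Test =)\nxkqzjw\n--\nTest, yep.\n",
                            "frjujs.exe", 15872)
SAMPLE_PIF = build_sample("Re: document", "Here is the file\n",
                          "yourdocuments.pif", 2048)
SAMPLE_BENIGN = build_sample("Meeting agenda", "Agenda attached.\n",
                             "agenda.pdf", 4096)
SAMPLE_OTHER_EXE = build_sample("Quarterly report", "See attached.\n",
                                "report.doc.exe", 15872)

if __name__ == "__main__":
    for label, raw in [("bagle-like", SAMPLE_BAGLE), ("pif", SAMPLE_PIF),
                       ("benign", SAMPLE_BENIGN), ("other exe", SAMPLE_OTHER_EXE)]:
        print(label, triage(raw))
```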
November 14, 2003
Virus Info: W32/Mimail.i@MM (Paypal)

Earlier this morning a new variant of the Mimail virus began circulating. For a short time the virus was not being caught by the campus antivirus filters, and several staff received infected attachments. Do not open these attachments; delete them from your system.

The mass-mailing virus arrives in a message with a subject such as "YOUR PAYPAL.COM ACCOUNT EXPIRES", and attempts to obtain credit card information via social engineering.

If you opened the attachment, you are infected and your computer is attempting to spread the virus. You should immediately clean your PC with NAI's Stinger utility.

After disinfecting, you should update VirusScan. To update, right-click the VirusScan shield in the lower right corner of your screen. Select 'Update now...'.

As always, you should not open any email attachments from people you do not know or are not expecting. In particular, do not open attachments with the extensions .pif, .scr, .vbs, or .exe.

More information on the W32/Mimail.i@MM (Paypal) virus can be found at NAI's web site:
http://vil.nai.com/vil/content/v_100822.htm

Posted by dddugan at 03:04 PM
September 11, 2003
Security Alert -- Windows RPC vulnerability (redux)

A serious security alert has been issued by Microsoft in response to the discovery of a new vulnerability in the Windows remote procedure call (RPC) service.

It is imperative to patch your machine now to protect the security and integrity of your computer and the Extension network. This vulnerability is very similar to the one exploited by the "Blaster" and "Nachi" worms beginning about one month ago. While there is not yet any worm exploiting this issue, it is only a matter of time.

To download and install a security patch for your system, you will need to do the following:

1. Log in as Administrator. At the login prompt, type ‘Administrator’ rather than your regular log-in and use the administrator password rather than your regular password. When you log in, be sure to change ‘Log onto:’ from IASTATE to the computer name (which will be identified on a drop down list by ‘(this computer)’).

2. Download the Windows 2000 patch or the Windows XP patch. (If you don’t know which operating system you’re using, right-click on My Computer and select Properties.) The patch will take about 10 to 15 minutes to download.

3. Double-click on the patch and follow the instructions it provides.

4. Reboot your computer and log back in with your own username and password (be sure to change ‘Log onto’ from ‘(this computer)’ to IASTATE).

If you know other people in your office with Windows 2000 and Windows XP machines, please make them aware of this patch and the need to update their computers.

If you have questions or problems applying the update, contact the Computer Support hotline at 515/294-1725.

Additional information from Microsoft regarding this vulnerability can be found at:

End-user MS03-039 - KB824146 security bulletin
Technical MS03-039 - KB824146 security bulletin

Links in this post:

Blaster information: http://vil.nai.com/vil/content/v_100547.htm
Nachi information: http://vil.nai.com/vil/content/v_100559.htm

Windows 2000 Patch: http://www.extension.iastate.edu/mt/technews/extras/Windows2000-KB824146-x86-ENU.exe
Windows XP Patch: http://www.extension.iastate.edu/mt/technews/extras/WindowsXP-KB824146-x86-ENU.exe

End-user MS03-039 - KB824146 security bulletin:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp
Technical MS03-039 - KB824146 security bulletin:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

Posted by dddugan at 08:12 AM
August 19, 2003
More Virus News--Sobig virus

Update your VirusScan today to detect a new email virus.

To update, right-click on the VirusScan shield in the lower right-hand corner of your machine. If it says 'Update now...' in the menu, select that option. If it doesn't offer you that option, open the VirusScan Console, double-click on AutoUpdate and select 'Run Now' or 'Update Now.'

Once you've updated your computer, you can scan for viruses by either right-clicking on the VirusScan shield and selecting 'On Demand Scan...' or opening the VirusScan console and telling it to Scan My Computer or Scan C Drive.

Additional information:
There is a new email virus making the rounds called w32/Sobig.f@MM. Sobig.f spreads via e-mail and sends mail to people in the address book of the infected machine. It 'spoofs' the From: address in mail it sends, meaning that when you receive an infected message it is most likely not from the person it says it's from.

Do not open attachments in your email that you aren't expecting or are from people that you don't know. In particular, don't open attachments that have the extensions .pif, .scr, .vbs, .exe.

This virus is now being detected at the Iowa State mailhub, so infected email sent to you after approximately noon today should already have had the virus removed from them (you should see 'Virus Detected and Cleaned' in the email header).

Final Note: If your computer is currently infected with the virus, you may not be able to access the network--part of the university's defense against spreading the virus any further. You will need to contact the Computer Support Hotline for help cleaning and unblocking your machine (515/294-1725).

Posted by dcoates at 01:58 PM
More Blaster News--Eudora Symptoms

If you have the W32.Blaster.Worm on your computer, you may see the following issues with Eudora:

--Grayed out windows
--Inability to open mailboxes (you can see the mailboxes in the list of mailboxes, but they don't open when you click on them)
--Inability to copy/cut/paste
--Inability to Find/Search in Windows

You may also have the Blaster worm if you're having trouble getting to anything on the Internet or having trouble cutting and pasting in MS Word.

If you have the worm, you will need to install the patch, if you haven't already.

Once you've installed the patch, you'll need to run a program to clean the worm off your computer. McAfee provides a cleaning program called Stinger. Download this program and run it on your computer.

To install the patch and run Stinger, you'll need to be logged in on your computer as Administrator.

If you have one infected computer in your office, it's likely that others are also infected, since the worm spreads through the network very quickly.

Remember, when you are logged in as Administrator, don't open Eudora. Print this message (if you've received this as a mail message) before you log in as Administrator.

Links in this post:

Install the patch: http://www.extension.iastate.edu/mt/technews/archives/000552.html
Download Stinger: http://vil.nai.com/vil/stinger/
McAfee main site: http://www.networkassociates.com/us/index.asp

Posted by dcoates at 08:51 AM
August 13, 2003
Windows 2000, Patches, and Service Packs

If you have Windows 2000 on your computer and you try to install the patch referred to in yesterday's TechNews security alert, you may have received a message indicating that you need to have 'at least Service Pack 2 installed' to apply the patch.

Service Pack 3 (which includes Service Pack 2 features as well) can be found on the newest Scout CD which was sent to field offices in the July 11, 2003 transmittal packet.

To apply the Service Pack, log in as Administrator. At the login prompt, type ‘Administrator’ rather than your regular log-in and use the administrator password rather than your regular password. When you log in, be sure to change ‘Log onto:’ from IASTATE to the computer name (which will be identified on a drop down list by ‘(this computer)’).

Insert the Scout CD in your CD drive. Double-click on My Computer. Double-click on the Scout CD. Double-Click on the folder called 'Other'. Double-click on the folder called 'Win2000 Sp3'. Double-click on W2KSP3.exe. Follow the instructions for installation.

Once you have installed Service Pack 3, you can continue with the instructions for installing the security patch.

If you have questions or problems, contact the Computer Support hotline at 515/294-1725.

Posted by dcoates at 08:34 AM
August 12, 2003
Security Alert--Windows RPC vulnerability

A serious security alert has been issued on a vulnerability in Windows and it is important to take the following steps now to prevent serious consequences to your machine and the Extension network.

A new fast spreading worm called BLASTER has been labeled a security threat for Windows 2000 and XP machines. The worm exploits a security vulnerability in the Windows DCOM RPC interface and, once installed, searches for other machines on the network to infect, compromising vulnerable machines and overloading networks.

To download and install a security patch for your system, you will need to do the following:

1. Log in as Administrator. At the login prompt, type ‘Administrator’ rather than your regular log-in and use the administrator password rather than your regular password. When you log in, be sure to change ‘Log onto:’ from IASTATE to the computer name (which will be identified on a drop down list by ‘(this computer)’).

2. Download the Windows 2000 patch or the Windows XP patch. (If you don’t know which operating system you’re using, right-click on My Computer and select Properties.) The patch will take about 10 to 15 minutes to download.

3. Double-click on the patch and follow any instructions it provides.

4. Reboot your computer and log back in with your own username and password (be sure to change ‘Log onto’ from ‘(this computer)’ to IASTATE).

If you know other people in your office with Windows 2000 and Windows XP machines, please make them aware of this patch and the need to update their computers.

If you have questions or problems applying the update, contact the Computer Support hotline at 515/294-1725.

Additional information about this worm can be found at:

McAfee/Avert
Symantec
Microsoft Security Alert

Posted by dcoates at 01:47 PM
December 17, 2002
Updating VirusScan

The new Scout CD contains updates for VirusScan and for the VirusScan data file (VirusScan Updater 4160/4229 Updater). If you are currently running VirusScan and it's set to AutoUpdate regularly, you do NOT need to install VirusScan or the Updater from the Scout CD.

Producing the Scout CD, making copies, and mailing them to you takes a couple of weeks. By the time it gets to you, the VirusScan on your computer may be more recent than the data on the Scout CD. The Scout CD is useful if, for some reason, you need to uninstall and reinstall VirusScan, if your machine has NOT been regularly updating your VirusScan program, or if you are setting up a new computer.

To check AutoUpdate in VirusScan:

--Double-click on the VirusScan Console (the icon that looks like a magnifying glass) in the lower right-hand corner of your screen
--Under AutoUpdate, the column entitled 'Last Run' should tell you when AutoUpdate was last run on your machine and whether it was successful
--If the 'Last Run' date was not within the last week, double-click on AutoUpdate
--Click on Schedule
--Select Enable, Daily. Ensure that each day, Monday through Sunday, is checked. Click 'OK'

Posted by dcoates at 09:41 AM
September 27, 2002
VirusScan Hotfix for Windows 98

McAfee has released a hotfix for VirusScan for Windows 98 systems. If you're using VirusScan on a Windows 98 (or Windows 95) system, you should apply this hotfix immediately.

A Windows 98 machine with an up-to-date version of VirusScan (without the hotfix) may produce any or all of the following symptoms:

--Blue Screens
--Excessive machine slowdown
--Clock time loss
--Jerky mouse cursor movements
--'Stuttering' sound cards

The hotfix, 4160 Engine Hotfix 1 to VirusScan, is available through Scout. To access it, go to Start-->Programs-->Scout.

The button labeled "VirusScan 4160 Hotfix 1" will only show up if you run Scout from a Windows 98 machine, not a Windows 2000 machine. When you run Scout, do not insert the Scout CD you received in June, 2002 as the Hotfix is not a part of that CD. It can currently only be accessed via network connection.

If you have questions about applying this hotfix, you can contact the Extension Support line at 515/294-1725.

Posted by dcoates at 02:16 PM
September 17, 2002
Don't Delete that File!

Have you recently received an email message that started something like this:

I was just sent a message from someone who had our e-mail address in their address book. They had gotten a virus which is undetectable by Norton and McAfee Anti-Virus programs and lies dormant for 14 days before damaging the system. Since this virus is transmitted automatically by messenger, then my address book was also infected and so, probably, is yours, whether or not you send e-mails. The virus is called jdbgmgr.exe.

The message continues, telling you to look for this file, jdbgmgr.exe, and delete it.

If you get this message, DO NOT delete that file. This is a hoax message, not a real virus. For more information, check:

http://vil.nai.com/vil/content/v_99436.htm
http://www.datafellows.com/hoaxes/jdbgmgr.shtml
http://securityresponse.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

More information on Virus Hoaxes in general can be found at:

http://www.extension.iastate.edu/mt/technews/archives/000212.html

If you already deleted the file: This is not a critical system file. Your computer will likely continue to operate normally. Some Java applets found on some web pages may not function correctly, but they will not cause damage. If you experience problems which you suspect might be caused by having deleted this file, please contact the Extension IT Support Hotline (515-294-1725).

Posted by dcoates at 08:46 AM
August 16, 2002
Virus Detected and Cleaned

As mentioned in the April, 2002 issue of the CECS newsletter, Click-ON, ISU has installed a system that auto-scans incoming email for known viruses.

When a virus is detected, the system cleans it if possible and inserts 'Virus detected and cleaned' in the Subject of the mail message.

For example:

Virus detected and cleaned; was: W32.Elkern removal tools

When you see a message with this subject it means that someone tried to send you a virus, but it was detected and deleted before it got to your computer. Because of the nature of some current viruses, you may or may not be able to tell who sent you the infected email and the person the email is from may or may not be someone you've ever heard of.

Even with this additional virus scanning, you still need to have up-to-date VirusScan software running on your desktop.

Posted by dcoates at 10:42 AM
August 07, 2002
Just Kidding!

How can you tell if a virus warning you received is the real thing or just a hoax?

The three general characteristics of a virus hoax are that it:

--warns of catastrophic damages to your system
--invokes the authority of a large company that doesn't usually send virus warnings (ex: IBM, AOL, Microsoft)
--urges you to send the warning far and wide

The following are good sites to check for more information:

http://www.f-secure.com/virus-info/hoax
http://vil.nai.com/VIL/hoaxes.asp
http://securityresponse.symantec.com/avcenter/hoax.html

If you receive a virus warning and you're not sure whether it's a hoax or the real thing, you can also email us at eit@iastate.edu for help.
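The three characteristics above can be turned into a first-pass triage check for a help desk mailbox. This is an added example, not part of the original post: the phrase patterns, the two-trait threshold, and the names `hoax_traits` and `verdict` are assumptions, and a message that matches nothing is not thereby proven genuine.

```python
import re

# The three hoax traits from the post, each with illustrative phrase patterns.
# The patterns and the two-trait threshold are assumptions, not a vetted rule set.
HOAX_TRAITS = {
    "catastrophic_damage": [
        r"\b(destroy|erase|wipe|delete)s?\b.{0,40}\b(hard (drive|disk)|files|system|everything)\b",
        r"\bdamag(e|es|ing)\b.{0,30}\b(system|computer)\b",
        r"\bno (known )?(cure|fix|remedy)\b",
    ],
    "borrowed_authority": [
        r"\b(IBM|AOL|Microsoft)\b.{0,60}\b(announced|warn(s|ed|ing)?|confirmed|reported)\b",
    ],
    "forward_to_everyone": [
        r"\b(forward|send|pass)\b.{0,40}\b(everyone|everybody|all your|address book|as many)\b",
    ],
}

def hoax_traits(text):
    """Return the names of the hoax traits whose patterns appear in text."""
    flat = " ".join(text.split())  # collapse line breaks so patterns span lines
    return [name for name, patterns in HOAX_TRAITS.items()
            if any(re.search(p, flat, re.IGNORECASE) for p in patterns)]

def verdict(text):
    """Map the number of matched traits to a triage action."""
    n = len(hoax_traits(text))
    if n >= 2:
        return "likely hoax"
    if n == 1:
        return "check a hoax reference site"
    return "no hoax traits matched"

# Constructed sample written to show all three traits.
CONSTRUCTED_HOAX = """URGENT: Microsoft and AOL have confirmed a new virus
with no cure. It will erase everything on your hard drive.
Forward this warning to everyone in your address book!"""

# One sentence of the jdbgmgr.exe hoax as quoted in the September 17, 2002 post.
JDBGMGR_LINE = "lies dormant for 14 days before damaging the system"

# Wording taken from the August 12, 2003 alert about the BLASTER worm.
REAL_ALERT = ("A new fast spreading worm called BLASTER has been labeled a "
              "security threat for Windows 2000 and XP machines.")

if __name__ == "__main__":
    for label, msg in [("constructed hoax", CONSTRUCTED_HOAX),
                       ("jdbgmgr line", JDBGMGR_LINE), ("real alert", REAL_ALERT)]:
        print(f"{label}: {hoax_traits(msg)} -> {verdict(msg)}")
```

The single jdbgmgr.exe sentence matches only one trait, which is why a one-trait result sends the reader to a hoax reference site instead of clearing the message.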

Posted by dcoates at 09:29 AM
July 24, 2002
Is your anti-virus software up to date?

Here's how you can check:

On the lower right-hand corner of your screen, you should see (among other icons) a V-Shield (a shield with a 'V' on it) and a magnifying glass. Right-click (click with the right mouse button) and select 'About' from the menu.

If the 'Created on' date is more than a week or two old, you need to update your virus scanner and set (or reset) an auto-update schedule.

If you don't see a V-shield or a magnifying glass icon, you definitely need to reinstall your anti-virus software and make sure that it is running and updating regularly.

Detailed instructions can be found at:

Viruses and Anti-virus software on the ISU Extension Information Technology web page.

Posted by dcoates at 08:28 AM