RE: [info-tech] New virus
Lance that is why I am now Mac support in our network (oh wait we took out our only mac). Makes my life easier! Thanks! Jon W. Hueser- MSE, Ed. S MS/HS Principal Technology Director East Greene CSD 405 12th Street South Grand Junction, IA 50107 515-738-2411 x241 Fax: 515-738-5719 From: Lance Lennon llen...@eagle-grove.k12.ia.us Sent: Friday, January 09, 2009 9:05 PM To: info-tech@aea8.k12.ia.us Subject: RE: [info-tech] New virus I am so sorry that you had to spend that amount of time fighting something. I totally know the feeling...oh wait no I don't. blah blah blah Happy New Year Ours actually had 2 d's. It is msddll.exe, but there is also a msdll.exe out there as well. It appears to shut down the ability to launch a web browser. Didn't matter if it was IE6, IE7 or FireFox. Also, it prevents your security agent service from running. As Jon said, their virus programmers worked live with me and anybody running LightSpeed should have the update pushed out tonight. Another irritating thing about this virus is that we'll have to go around and stop the msddll service from running on the machines that have already been infected and then run the security agent to remove the virus, followed up with a little registry work: Navigate in REGEDIT to the following key and delete it after disabling the service. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll Still waiting on a response for how we obtained this little treat before the end of the semester or if they can tell which user it may have come through (probably our principal!) Craig Rowedder Technology Support Technician Asst. Football Track Coach Jefferson-Scranton Comm. Schools East Greene Comm. Schools From: info-tech-ow...@aea8.k12.ia.us [mailto:info-tech-ow...@aea8.k12.ia.us] On Behalf Of JON HUESER Sent: Friday, January 09, 2009 7:33 PM To: info-tech@aea8.k12.ia.us Subject: [info-tech] New virus We just spent 5 days fighting a new virus in our network and craig spent the evening working with lightspeed to get a signature of it. Lightspeed will up it in a new update that will come out by 8:00 tonight. If you have a windows machine and it works fine but you can't get internet to work, look in the services and see if a msdll.exe is running. If it is, it is a new virus that came out around January 1st. We also found it it stops anti-virus programs from running. You have to disable the msdll.exe service then you can stop it from running in the task manager. Talk to your anti-virus people to figure out how to remove it if they don't have it as a signature yet. Just giving everybody a heads up, don't tell me that Macs won't have that problem, blah, blah, blah! Just glad we found it after fighting with my network for 5 days at the end of the semester so teachers couldn't get grades updated. Thanks! Jon W. Hueser- MSE, Ed. S MS/HS Principal Technology Director East Greene CSD 405 12th Street South Grand Junction, IA 50107 515-738-2411 x241 Fax: 515-738-5719 --- [This E-mail scanned for viruses by Declude Virus on the server aea8.k12.ia.us] - Archived messages from this list can be found at: http://www.mail-archive.com/info-tech@aea8.k12.ia.us/ -
[info-tech] New virus
We just spent 5 days fighting a new virus in our network and craig spent the evening working with lightspeed to get a signature of it. Lightspeed will up it in a new update that will come out by 8:00 tonight. If you have a windows machine and it works fine but you can't get internet to work, look in the services and see if a msdll.exe is running. If it is, it is a new virus that came out around January 1st. We also found it it stops anti-virus programs from running. You have to disable the msdll.exe service then you can stop it from running in the task manager. Talk to your anti-virus people to figure out how to remove it if they don't have it as a signature yet. Just giving everybody a heads up, don't tell me that Macs won't have that problem, blah, blah, blah! Just glad we found it after fighting with my network for 5 days at the end of the semester so teachers couldn't get grades updated. Thanks! Jon W. Hueser- MSE, Ed. S MS/HS Principal Technology Director East Greene CSD 405 12th Street South Grand Junction, IA 50107 515-738-2411 x241 Fax: 515-738-5719
[info-tech] New Virus - Bagle-A
I wanted to let everyone know that there is a new virus popping up everywhere called Bagle-A. Ive had a school get hit already and our IMail server has caught over 100 emails infected with the Bagle-A virus last night. The message body looks like this: - Test =) ptwdjlbxgryqxvhw -- Test, yep. - Then there is an EXE file with a random name that has an icon of the Windows Calculator. Once the user opens up the file it installs the worm and sends itself out using the users address book. It also installs a Trojan that listens on port 6777 for any activity. Please make sure your anti-virus is up-to-date. I have seen over a hundred of these infected files come from the ia.us domain. Also, it looks like this is the first variation of the virus and there will be more to come. YOU HAVE BEEN WARNED!!! Here is the link to Sophoss write up on the virus. http://www.sophos.com/virusinfo/analyses/w32baglea.html If you find an infected machine, there is a removal tool and instructions at http://www.sophos.com/support/disinfection/baglea.html Below is a news blurb I came across about the virus. New worm draws Sobig comparisons Last modified: January 19, 2004, 8:10 AM PST By Andrew Colley Staff Writer, CNET News.com Computer security experts fear a new worm that began spreading rapidly across Australian e-mail networks on Sunday could be a rehearsal for a more concerted attack in coming weeks. The worm--dubbed Bagle-A--carries an expiry date, possibly indicating more robust versions of the worm could be slated for release soon, said Daniel Zatz, security director for Computer Associates Australia. Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section. While Bagle-A is already successful--responsible for an 80 percent increase in queries to CA's help desk and in virus submissions to rival computer security company Sophos--the current version of the worm contains bugs, Zatz said. Comparing Bagle to the infamous Sobig virus that flooded global e-mail networks last year, Zatz fears that a more virulent version of new worm could appear soon. One of our biggest concern is that if we look back a year ago at the Sobig variants, they all had drop-dead dates, and every time one hit that drop dead date a new variant came out; a new and improved variant of it, Zatz said. Bagle-A is due to expire Jan. 28, suggesting tuned variations of the worm could appear as early next week. Bagle-A's creators, like authors of many previous successful worms, have relied on the ignorance and curiosity of e-mail users for the worm's success. The worm arrives in e-mail inboxes as a message containing few lines of text suggesting the e-mail may be from system administrator, as well as an executable attachment. When the attachment is activated by its receiver the worm then installs a program on the recipient computer that allows the worm to be e-mailed on to other users in the system's local address book. Special report A 20-year plague Decades after creation, viruses defy cure. The worm also attempts to install a backdoor or Trojan on infected machines, listening for activity on port on 6777. Sean Richmond, support manager with anti-virus software vendor Sophos Australia and New Zealand, said the company was still examining the Trojan to see what else it was capable of. Given that most corporate email servers block transmission of executable attachments, CA's Zatz believes that home and medium-sized enterprise users are responsible for spreading the new worm. Another possible factor in the worm's success, Zatz said, was the fact the worm's creators programmed the worm to e-mail itself to handful of popular domains to evade swift detection by dominant Web enterprises such as Hotmail, MSN and a large Russian computer security agency. Users who suspect their computers may be infected with the virus should look for a file called bbeagle.exe in their Windows System directory. The file disguises itself with Microsoft familiar calculator icon. Jason Kehoe Network Engineer Prairie Lakes AEA 8 (515) 574-5477 (800) 669-2325 x5477 [EMAIL PROTECTED] image008.gifimage007.gifimage006.gifimage005.gifimage004.gif
RE: [info-tech] New Virus - Bagle-A
Jason Several of our staff members have received this. - They are using Macs and so I assume we are ok. - Anything I need to do to make sure?!?!? Thanks! Caroline -- From: Jason Kehoe Reply To: [EMAIL PROTECTED] Sent: Tuesday, January 20, 2004 10:45 AM To: [EMAIL PROTECTED] Subject: [info-tech] New Virus - Bagle-A I wanted to let everyone know that there is a new virus popping up everywhere called Bagle-A. I've had a school get hit already and our IMail server has caught over 100 emails infected with the Bagle-A virus last night. The message body looks like this: - Test =) ptwdjlbxgryqxvhw -- Test, yep. - Then there is an EXE file with a random name that has an icon of the Windows Calculator. Once the user opens up the file it installs the worm and sends itself out using the users address book. It also installs a Trojan that listens on port 6777 for any activity. Please make sure your anti-virus is up-to-date. I have seen over a hundred of these infected files come from the ia.us domain. Also, it looks like this is the first variation of the virus and there will be more to come. YOU HAVE BEEN WARNED!!! Here is the link to Sophos's write up on the virus. http://www.sophos.com/virusinfo/analyses/w32baglea.html If you find an infected machine, there is a removal tool and instructions at http://www.sophos.com/support/disinfection/baglea.html Below is a news blurb I came across about the virus. New worm draws Sobig comparisons Last modified: January 19, 2004, 8:10 AM PST By Andrew Colley Staff Writer, CNET News.com Computer security experts fear a new worm that began spreading rapidly across Australian e-mail networks on Sunday could be a rehearsal for a more concerted attack in coming weeks. The worm--dubbed Bagle-A--carries an expiry date, possibly indicating more robust versions of the worm could be slated for release soon, said Daniel Zatz, security director for Computer Associates Australia. File: image004.gif File: image005.gif File: image006.gif File: image007.gif Get Up to Speed on... Enterprise securityFile: image008.gif Get the latest headlines and company-specific news in our expanded GUTS section. While Bagle-A is already successful--responsible for an 80 percent increase in queries to CA's help desk and in virus submissions to rival computer security company Sophos--the current version of the worm contains bugs, Zatz said. Comparing Bagle to the infamous Sobig virus that flooded global e-mail networks last year, Zatz fears that a more virulent version of new worm could appear soon. One of our biggest concern is that if we look back a year ago at the Sobig variants, they all had drop-dead dates, and every time one hit that drop dead date a new variant came out; a new and improved variant of it, Zatz said. Bagle-A is due to expire Jan. 28, suggesting tuned variations of the worm could appear as early next week. Bagle-A's creators, like authors of many previous successful worms, have relied on the ignorance and curiosity of e-mail users for the worm's success. The worm arrives in e-mail inboxes as a message containing few lines of text suggesting the e-mail may be from system administrator, as well as an executable attachment. When the attachment is activated by its receiver the worm then installs a program on the recipient computer that allows the worm to be e-mailed on to other users in the system's local address book. Special report A 20-year plague Decades after creation, viruses defy cure. The worm also attempts to install a backdoor or Trojan on infected machines, listening for activity on port on 6777. Sean Richmond, support manager with anti-virus software vendor Sophos Australia and New Zealand, said the company was still examining the Trojan to see what else it was capable of. Given that most corporate email servers block transmission of executable attachments, CA's Zatz believes that home and medium-sized enterprise users are responsible for spreading the new worm. Another possible factor in the worm's success, Zatz said, was the fact the worm's creators programmed the worm to e-mail itself to handful of popular domains to evade swift detection by dominant Web enterprises such as Hotmail, MSN and a large Russian computer security agency. Users who suspect their computers may be infected with the virus should look for a file called bbeagle.exe in their Windows System directory. The file disguises itself with Microsoft familiar calculator icon. Jason Kehoe