> Also, there was apparently an unrelated virus problem on Friday. I don't
> know the details, but it had something to do with an e-mail message being
> sent around advertizing a patch for MUNet.
Ok, I can help explain the second virus problem a little bit, because a
friend of mine down the hall received it. He got an email from
"[log in to unmask]" that contained an attachment purporting to be a patch
for the MUNet software. Well, his virus-scanning software picked up that
it was actually just Back Orifice, so he told me & I believe sent an
email to the real MCIS. This was their reply: (great big cut & paste
follows :)
Return-path: <[log in to unmask]>
>Date: Fri, 02 Apr 1999 19:04:58 -0500
>From: Debra Allison <[log in to unmask]>
>Subject: ALERT: You have received bogus and malicious email
>X-Sender: [log in to unmask]
>To: [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask], [log in to unmask],
> [log in to unmask], [log in to unmask]
>
>Earlier today, 04/02/1999, probably between 3PM and 4PM, an email message
>was sent to you purporting to be from MCIS, with instructions to upgrade
>your MUnet software with the attached executable. THIS IS A FALSE AND
>MALICIOUS MESSAGE and was not sent by MCIS; it is not known at this time
>who sent this message, but we are searching for the individual(s) who did.
>The text of the the email message that was sent is detailed at the bottom
>of this message, for your information.
>
>The message that was sent to you contains an attachment that is named:
>MUNETPATCH.EXE This attachment is a virulent trojan horse that is a
>version of Back Orifice; this trojan horse, if installed on your machine,
>will make changes to your Windows registry and install a file in your
>Windows system folder that will then allow your computer to be taken over
>by others. Recent versions of our anti-virus protection software, WinGuard
>from Dr. Solomon, detect this trojan horse and protect your system from
>this infection. Macintosh computers are not at risk from this trojan horse
>and users of these systems need take no further action.
>
>If you DO NOT have up-to-date virus protection installed on your system AND
>you have executed (double-clicked) the attachment, you should disconnect
>your machine from the network and call the MCIS Help Desk at 529-7900 for
>instructions on how to disinfect your machine.
>
>If you DO NOT have virus protection installed on your system AND you have
>NOT executed (double-clicked) the attachment, you can use Windows Explorer
>to navigate to C:\MUNET\COMMAPPS\EUDORA\ATTACH and delete it, then empty
>the Recycle bin.
>
>If you do have antivirus protection installed and your software has
>detected the trojan horse, your system is not infected but you should
>follow the instructions below to remove the file from your system. These
>instructions will take you out of Windows and the reach of your antivirus
>software because Dr. Solomon will not allow you to manipulate the file,
>since Dr. Solomon knows that it contains a trojan horse.
>
>1. From the Start button, choose Shut Down, then Restart the computer in
>MS_DOS mode.
>Your computer will restart and you will be placed at the C:\WINDOWS prompt.
>
>2. Type in: CD \MUNET\COMMAPPS\EUDORA\ATTACH and hit the ENTER key (if
>your Eudora ATTACH folder is in some other place, you will need to
>substitute the path for your folder).
>
>3. To delete the file, type in: DEL MUNETP*.EXE and hit the ENTER key.
>The file will be deleted and you can safely restart your computer.
>
>If you have any questions about any of these instructions or about this
>incident, please contact the MCIS HelpDesk at 529-7900. If you need
>instructions on how to install or update your virus protection software,
>these instructions can be found at the following url:
>http://WWW.MUOhio.Edu/novell/Software/Install.html#Upgrading
>
>
>For those who want more information about the Back Orifice program, the
>following url has useful information: http://www.nwi.net/~pchelp/bo/bo.html
>
>If you have any information that would lead to identification of the person
>or persons who have perpetrated this, please contact Public Safety at
>529-2222.
>
>
>**** Text of malicious message starts here ****
>
>Attention MUNet user. Miami has issued a patch for the MUNet software package
>for Windows 95 and Windows NT users. Please run the attatched program on
>your computer to upgrade the MUNet package. Mac users, computer lab users,
>and those who have not installed MUNet on their PC may ignore this message.
>
>The upgrader ("MUNETPATCH.EXE") makes minor changes to fix bugs in the MUNet
>package. When you run MUNETPATCH.EXE it will automatically make the
>appropriate fixes.
>
>Thank you!
>
>
>**** End of message text ****
>
>********************************************
>Debi Allison
>Assistant Director for Client Services
>Miami Computing & Information Services
>Miami University
>302 Hoyt Hall
>Oxford, OH 45056
>(513) 529-5327 (voice)
>(513) 529-1496 (fax)
>mailto:[log in to unmask]
>
>"A good team is a collection of diverse people who respect each other and
>are committed to each other's success." Harvey Mackay
>********************************************
>
|