
Virus Alerts
BEWARE OF HOLIDAY SPAM AND PHISHING THAT SOMETIMES INCLUDES VIRUSES AND OTHER MALWARE!
10 Ways to Recognize Fake (Spoof) Emails
December 10, 2008
FROM: EKU
Legitimate companies (for-profit and non-profit alike) do not ask for your personal or financial information (passwords, bank account or credit card numbers, Social Security numbers, and so on) by email. Treat any unsolicited contact, whether by email, link, attachment or telephone, with suspicion.
- Generic greetings. Many spoof emails open with a generic greeting such as "Dear Company member." If the message does not address you by your first and last name, be suspicious: do not click any links or buttons, and do not reply.
- A fake sender's address. A spoof email may carry a forged address in the "From" field. That field is trivially altered and proves nothing about who actually sent the message.
- A false sense of urgency. Many spoof emails threaten that your account is in jeopardy unless you update it immediately, claim that an unauthorized transaction has just occurred on your account, or say that accounts are being updated and your information is needed right away.
- Fake links. Always check where a link goes before you click: hover the mouse over it and read the URL shown in the browser or email client status bar. A fraudulent link can (a) send you to a spoof website that collects your data; (b) install spyware so that attackers can monitor your actions and capture the passwords or credit card numbers you type; and/or (c) download a virus that disables your computer.
- Emails that look like websites. Some messages are laid out like a web page, with a form in the body, to get you to type personal information into the email itself. Legitimate companies never ask for personal or account information inside an email.
- Deceptive URLs. If you see an @ sign in the middle of a URL, there is a good chance it is a spoof: a browser treats everything before the @ as a user name and connects to whatever host follows it. Legitimate companies use their own domain name (e.g., https://www.company.com). Even a URL that contains the company's name somewhere in it may not be the real site. Examples of deceptive URLs include www.ebaysecure.com, www.paypa1.com (a digit one in place of the letter l), www.secure-paypal.com and www.ebaypalnet.com. Always log in to a company's site by opening a new browser window and typing the address you know, and NEVER log in to a site from a link in an email.
- Misspellings and bad grammar. Spoof emails often contain misspellings, incorrect grammar, missing words and gaps in logic. Deliberate mistakes also help fraudsters slip past spam filters that match on known phrases.
- Unsafe sites. The address of any page where you enter personal information should begin with "https"; the "s" stands for secure and means the connection is encrypted. If you don't see "https," you are not in a secure session and should not enter information. The reverse does not hold: "https" and the padlock only prove the connection is encrypted, not that the site belongs to who it claims, so a phishing site can use "https" too.
- Pop-up boxes. Do not enter personal information into a pop-up box. A pop-up has no address bar, so you cannot tell which site it belongs to, and legitimate companies do not collect account details that way.
- Attachments. Like fake links, attachments are frequently used in spoof emails and are dangerous. Never open an attachment if you are unsure of its origin; it could install spyware or a virus.
Your Edu. Account Confirmation
October 13, 2008
FROM: EKU
Over the weekend there has been a new phishing email sent to students with this as the typical body:
Attn. Edu Webmail Users,
We regret to announce to you that we will be making some vital maintainance on our {Edu} website. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.
To confirm and to keep your account active during and after this process, please reply to this message with the below account informations. Failure to do this might cause a permanent deactivation of your user account from our database to enable us create more spaces for new users.
YOUR EDU. ACCOUNT CONFIRMATION
Name:
E-mail ID:
E-mail Password:
Date of birth:
Your account shall remain active after you have successfully confirmed
your account details.
Thanks for bearing with us.
EDU. WEBMAIL TEAM
Warning Code: 002671
DO NOT REPLY TO THESE EMAILS. THEY ARE PHISHING FOR YOUR PERSONAL INFORMATION SO THEY CAN USE YOUR ACCOUNT TO SPAM OTHERS. NEITHER EKU NOR ANY OTHER LEGITIMATE ORGANIZATION WILL ASK FOR YOUR PERSONAL INFORMATION IN AN EMAIL.
>>Phishing Attacks on EKU Email Accounts
FROM: EKU
TYPE: Phishing
If you receive ANY email supposedly from EKU asking for your account information "or else," disregard it immediately! This is phishing spam: it tries to exploit services by obtaining users' credentials. NOTE: Neither IT nor any other reputable business or organization will EVER ask for your password through email for the services they provide.
Please use your anti-spam filter, and should you fall victim to an EKU email phishing scam, change your password immediately online here!
>>Phishing Attacks on PayPal Users
FROM: US-CERT
TYPE: Phishing
The attack arrives via an unsolicited email message containing an HTML attachment. The message indicates that the attachment is a verification form intended to offer the user protection from fraudulent activity. Users who open the attachment are instructed to enter their email address and PayPal password. The information is then sent to an attacker.
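Two of the tricks described on this page, the deceptive URL with an @ sign or a lookalike domain (from the list of ten signs above) and the HTML attachment whose form posts a PayPal password to the attacker, can both be checked mechanically. The Python below is an added example, not code from the EKU page, PayPal or US-CERT; the allow-list of trusted domains, the brand names derived from it, the confusable-character table and the sample attachment are assumptions constructed for the example.

```python
"""Checks for deceptive URLs and credential-harvesting HTML attachments.

Added example; not code from the original alert page, PayPal or US-CERT.
KNOWN_GOOD, BRANDS, CONFUSABLES and SAMPLE_ATTACHMENT are constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: domains the user actually holds accounts with.
KNOWN_GOOD = {"paypal.com", "ebay.com", "eku.edu"}
BRANDS = {d.split(".")[0] for d in KNOWN_GOOD}          # paypal, ebay, eku
# Digits commonly swapped for letters in lookalike names (paypa1 -> paypal).
CONFUSABLES = str.maketrans("105", "los")


def real_host(url: str) -> str:
    """Host a browser would actually connect to, lowercased.

    Everything before '@' in the authority is user-info, so
    http://www.paypal.com@198.51.100.7/ connects to 198.51.100.7.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels (fine for .com/.edu; a real filter would consult the
    public-suffix list so that co.uk-style names are handled)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Explain why a URL is, or is not, deceptive."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = real_host(url)
    # Brand matching runs on the whole URL text so that bait placed in the
    # user-info part (before '@') is caught too.
    mentions_brand = any(b in url.lower().translate(CONFUSABLES) for b in BRANDS)
    trusted = registrable_domain(host) in KNOWN_GOOD
    return {
        "real_host": host,
        "has_userinfo": "@" in parts.netloc,   # text before '@' is bait
        "mentions_brand": mentions_brand,
        "trusted": trusted,
        "deceptive": mentions_brand and not trusted,
    }


def is_deceptive(url: str) -> bool:
    return check_url(url)["deceptive"]


class _FormScanner(HTMLParser):
    """Collect every <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def credential_forms(html: str) -> list:
    """[(host the password is submitted to, deceptive?)] per password form."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    return [(real_host(f["action"]), is_deceptive(f["action"]))
            for f in scanner.forms if f["password"]]


# Constructed stand-in for the HTML "verification form" attachment.
SAMPLE_ATTACHMENT = """
<html><body>
<h2>PayPal Account Verification</h2>
<form method="post" action="http://www.paypal.com@198.51.100.7/verify.php">
  Email: <input type="text" name="email"><br>
  Password: <input type="password" name="passwd"><br>
  <input type="submit" value="Verify">
</form>
</body></html>
"""

if __name__ == "__main__":
    for u in ("https://www.paypal.com/", "http://www.paypal.com@198.51.100.7/",
              "www.paypa1.com", "www.secure-paypal.com", "www.ebaypalnet.com"):
        print(f"{u:42} -> {real_host(u):16} deceptive={is_deceptive(u)}")
    print(credential_forms(SAMPLE_ATTACHMENT))
```

The form check deliberately looks at where the password is *sent*, not at the logos or wording in the attachment, because the latter are copied from the real site; the URL check likewise trusts only the host the browser would connect to, never the text around it.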
>>"Final Verification of Your Email Account" and "WebNews Email Account Update" Phishing Schemes
There is another phishing email spreading through EKU email accounts that you should be aware of. The Subject line is: FINAL VERIFICATION OF YOUR EMAIL ACCOUNT. DO NOT click on anything or reply to this message! Delete it immediately. If, on the other hand, you have replied, change your email password immediately by logging into your account and clicking the "Options" button.
NOTE: As of Monday morning we have yet another scam with the subject line: "WebNews Email Account Update." This is also phishing so ignore and delete it.
>>WORM_NUWAR.AR
FROM: TrendMicro
Type: Worm
Affected Systems: Windows 98, ME, NT, 2000, XP, Server 2003
This worm arrives attached to email messages spammed by other malware or by a malicious user.
>>Bloodhound.Exploit.175
FROM: Symantec
Type: Trojan, Worm
Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Bloodhound.Exploit.175 is a heuristic detection for HTML files attempting to exploit the Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Arbitrary Command Execution Vulnerability.
>>Bloodhound.Exploit.172
FROM: Symantec
Type: Trojan, Worm
Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Bloodhound.Exploit.172 is a heuristic detection for Microsoft Word files attempting to exploit the Microsoft Word Unspecified Memory Corruption Remote Code Execution Vulnerability.
>>Trj.Romeo.C
FROM: Panda Security
TYPE: Trojan
Affected Systems: Windows 2003/XP/2000/NT/ME/98/95
A trojan that spreads via floppy disks, CD-ROMs, email attachments, Internet downloads, FTP, IRC channels, peer-to-peer file sharing and the like, always through user action; it does not spread automatically by its own means. It modifies the Windows Registry so that the computer no longer works properly: it disables several Start menu functions such as Search, applications such as Task Manager, and features such as Turn Off, Log Off and System Restore.
>>W32/Valentin.E.worm
FROM: Panda Security
TYPE: Worm
A worm that reaches the computer in a file attached to an email message with a variable subject line. When it is run, it displays several messages with the text "Ur My Best Friend" on the screen. It then gathers information about your computer and ends processes belonging to security tools.
Systems affected: Windows 2003/XP/2000/NT/ME/98/95/3.X
>>OSX.RSplug.A
FROM: Intego
TYPE: Trojan Horse
A trojan horse found on several porn web sites, where it claims to be a video codec needed to view free videos on Macs. It changes the DNS settings on the compromised computer.
Systems affected: Mac OS X
>>W32.Googbot@mm
FROM: Symantec
TYPE: Worm
A mass-mailing worm that also spreads by exploiting certain vulnerabilities. It also opens a back door on the compromised computer.
Systems affected: Windows 2000, Windows Vista, Windows XP, Windows 98, Me, NT
>>MSNHorn.A.worm
FROM: Panda Security
TYPE: Worm
A worm that sends messages to all of the user's MSN Messenger contacts in order to infect them.
>>Nugache.M
FROM: Panda Security
TYPE: Worm
It acts as a keylogger, connects to a server to await the attacker's instructions, and disables the firewall for TCP port 1061. It spreads via email, AOL Instant Messenger (AIM), AOL Mail and MSN Messenger.
>>Infostealer.Monstres
FROM: Symantec
TYPE: Trojan
A trojan horse that may steal sensitive information from the compromised computer; it targets Monster.com users and the data they post there.
>>W32.Svich
FROM: Symantec
TYPE: Worm
A worm that spreads through Yahoo! Messenger and by copying itself to all drives. It also downloads potentially malicious files and lowers security settings on the compromised computer.
>>W32/Checkout!12945F6
From: McAfee
TYPE: Worm
An Internet worm that can be spread through MSN Messenger.
>>Cheburgen.a
From: SANS
TYPE: Worm
A worm that spreads via email attachments and drive-by download (spyware downloaded by exploiting a bug in a web browser, email client or operating system, without any user intervention), and by scanning local networks for Windows systems with an unpatched vulnerability dating back to August 2004.
>>Backdoor.Robofo
From: Symantec
TYPE: Trojan
A trojan that spreads as an attachment to phishing emails that appear to come from the IRS. It opens a backdoor on your computer, disables the Windows firewall, and steals sensitive information by logging your keystrokes and taking screenshots.
>>Gozi Trojan
From: SANS
TYPE: Trojan
Nastier version of Gozi Trojan on the loose
>>Nurech.A
From: Panda Software
Type: Worm
How spread: Email, using Valentine's Day messages as the lure
This is a rapidly spreading worm that has already infected hundreds of computers. It is designed to propagate quickly via email and uses messages with a wide range of subject lines. It also terminates the processes of several security tools and uses rootkit functions to hide itself.
>>Trojan.Peacomm and W32.Storm.Worm
From: US-CERT and Symantec
Type: Trojan
How spread: Email and networks
Systems affected: Windows 2000, XP, 98, Me, NT
Symantec Site for Trojan.Peacomm
Symantec Site for W32.Storm.Worm
US-CERT is aware of a second variant of the Small Trojan that is known as Storm Worm. Similar to the first variant, this one is also a mass-mailer that uses social engineering and network shares to propagate. The Storm Worm variant creates a peer-to-peer network that operates on port 7871/UDP, while the previously reported variant, known as Small.DAM or Trojan.Peacomm, operates on port 4000/UDP.
The Small Trojan variants arrive as an email attachment and also propagate through network file shares. These Trojan variants drop two files upon execution, one of which may contain rootkit functionality. These Trojan variants also create a back door that may be used to harvest sensitive data or launch a spam attack.
Subject lines can change at any time, but the following are currently being used by these Trojans:
230 dead as storm batters Europe
A killer at 11, he's free at 21 and...
British Muslims Genocide
Naked teens attack home director
U.S. Secretary of State Condoleezza...
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Russian missle shot down USA satellite
Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!
Radical Muslim drinking enemies' blood
File names can also change at any time, but the following are currently being used:
Full Clip.exe
Full Story.exe
Full Video.exe
Full Text.exe
Read More.exe
Video.exe
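A mail gateway can stop this family without a signature by combining the lure subjects above with a check on the attachments themselves. The Python below is an added example, not code from the page, US-CERT or Symantec; the list of executable extensions and the two sample messages (including the short base64 body standing in for a PE header) are constructed for the example.

```python
"""Gateway-style check for the Storm Worm lures listed above.

Added example; not code from the original alert page, US-CERT or Symantec.
A message is flagged when (a) its subject starts with one of the published
lure subjects, or (b) any attachment is a Windows executable, judged by its
file-name extension or by the 'MZ' header of the decoded payload rather than
by the sender-controlled Content-Type. EXEC_EXTENSIONS and both sample
messages are constructed here; the base64 body is a stub, not a real file.
"""
import email
from email import policy
from email.message import Message

# Lure subjects reported above, kept verbatim (misspellings included, since
# that is what arrives) and matched as lowercase prefixes because some of the
# reported subjects are truncated.
STORM_SUBJECT_PREFIXES = tuple(s.lower() for s in (
    "230 dead as storm batters Europe",
    "A killer at 11, he's free at 21 and",
    "British Muslims Genocide",
    "Naked teens attack home director",
    "U.S. Secretary of State Condoleezza",
    "Russian missle shot down Chinese satellite",
    "Russian missle shot down USA aircraft",
    "Russian missle shot down USA satellite",
    "Chinese missile shot down USA aircraft",
    "Chinese missile shot down USA satellite",
    "Sadam Hussein alive!",
    "Sadam Hussein safe and sound!",
    "Radical Muslim drinking enemies' blood",
))

STORM_FILENAMES = {"full clip.exe", "full story.exe", "full video.exe",
                   "full text.exe", "read more.exe", "video.exe"}

# Extensions Windows runs on double-click (the example's own list).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def is_storm_subject(subject: str) -> bool:
    return subject.strip().lower().startswith(STORM_SUBJECT_PREFIXES)


def executable_attachments(msg: Message) -> list:
    """File names of parts that look like Windows executables."""
    found = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue                      # body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        # Trust neither the extension alone nor the Content-Type: a PE file
        # starts with 'MZ' whatever the sender calls it.
        if name.endswith(EXEC_EXTENSIONS) or payload.startswith(b"MZ"):
            found.append(name)
    return found


def classify(raw: bytes) -> dict:
    """Parse a raw message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or ""
    attachments = executable_attachments(msg)
    return {
        "subject_is_storm_lure": is_storm_subject(subject),
        "executable_attachments": attachments,
        "known_storm_filename": any(a in STORM_FILENAMES for a in attachments),
        "quarantine": bool(attachments) or is_storm_subject(subject),
    }


# Constructed sample: a Storm lure carrying a stub 'executable'.
SAMPLE_MESSAGE = b"""From: news@example.net
To: student@example.edu
Subject: Russian missle shot down USA aircraft
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Full story attached.
--xyz
Content-Type: application/octet-stream; name="Video.exe"
Content-Disposition: attachment; filename="Video.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--xyz--
"""

# Constructed sample: an ordinary campus notice with no attachment.
BENIGN_MESSAGE = b"""From: registrar@example.edu
To: student@example.edu
Subject: Spring registration opens Monday
Content-Type: text/plain

Registration opens at 8am.
"""

if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
    print(classify(BENIGN_MESSAGE))
```

Subject matching on its own is fragile, since the page itself notes that the subjects and file names change at any time; the attachment check is what keeps working when they do.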
>>Banbra.DMW
From: Panda Software
Type: Trojan
How spread: Web
Systems affected: Windows XP/2000/NT/Me/98/95
This trojan steals data from customers of a certain Brazilian bank: when users visit the bank's websites, it displays a fake site that imitates the legitimate one. It does not spread automatically by its own means.
>>W32.Pintae.A@mm
From: Symantec
Type: Worm
How spread: Email; network shares
Systems affected: Windows 2000, 98, Me, NT, 2003, XP
This is a mass-mailing worm that also spreads through network shares.
>>Infostealer.Huaxiat
From: Symantec
Type: Trojan Horse
How spread: Online
Systems affected: Windows 2000, 98, Me, NT, 2003, XP
This steals passwords to the Chinese online game "Huaxia II Online."
>>Troj_Small.Fad
From: TrendMicro
Type: Trojan
How spread: Spammed via email; downloaded; dropped by other malware
Systems affected: Windows 98, ME, NT, 2000, XP, Server 2003
This trojan arrives downloaded from the Internet, dropped by other malware, or as an email attachment.
>>W32.Wikedir@mm
From: Symantec
Type: Worm
How spread: Email and file-sharing networks (e.g., LimeWire)
Systems affected: Windows XP/2000/2003/NT/Me/98/95
This worm installs a copy of Backdoor.Evilbot on the compromised computer.
>>W32.Licat Worm
From: Spywareguide
Type: Worm
How spread: The link looks like a website or a JPG and usually propagates via IM, though some variants are web based. Once you click the link, the worm is downloaded to your computer and attacks MSN Messenger, replacing it with another file. The worm then sends itself to all contacts on the target's MSN list and downloads and installs numerous malware and spyware applications, notably Dollar Revenue.
>>W32/Cuebot-N
From: Sophos
Type: Worm
How spread: Chat programs (i.e., Yahoo Messenger, MSN)
It is a worm and backdoor Trojan for the Windows platform that spreads to computers vulnerable to the Server Service exploit. Apply this patch to protect yourself!
>>W32/Spybot-MQ
From: Sophos
Type: Worm
How spread: Chat programs (i.e., AIM)
It is a worm and backdoor Trojan for the Windows platform that spreads through network shares and MSSQL servers protected by weak passwords and instant messenger programs such as Yahoo Messenger and MSN. It runs continually in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Removal Instructions.
>> Botnet on Campus! -- September 12, 2006
A botnet is a group of computers whose owners are unaware that the machines have been set up to forward transmissions (including spam and viruses) to other computers on the Internet. Each such computer is a "zombie" being used by a master spammer or virus originator. One was located on campus, active on both the campus and ResNet sides of the network!
>>JS.Yamanner@m
JS.Yamanner@m is a worm that is written in JavaScript. It exploits a vulnerability in the Yahoo! Mail service to send a copy of itself to other Yahoo! Mail contacts. [Symantec Fix Page]


