Security Bulletin Summary February 3, 2006

Windows Security Advisory
Overview
Who is Affected

Recommended Actions

Administrative Users
Academic PC Users
All Home PC Users
Academic Mac Users

Further Assistance

Other Bulletins

ADMINISTRATIVE Staff: If you use a computer at HOME, please read on.

STUDENTS, FACULTY, ADMINISTRATIVE STAFF, ACADEMIC STAFF AND ALL HOME USERS must follow the recommendations below.

I. OVERVIEW

This bulletin is to alert you to the existence of a mass mailing virus or worm (often referred to as malware) variant named Win32/Mywife.E@mm, which you may have heard about recently. This mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book and will delete certain user created files. The malware may also spread over writable network shares on systems that have blank administrator passwords.

If you are using the most recent and updated antivirus software that we provide to you (McAffee version 7.1), which automatically checks for and installs updated definitions, you will be protected from infection. Students who got connected to the haverford network through the connect site upon their return to campus this semester would have had to verify that their virus definitions were up to date, and will be protected from this threat.

Unfortunately, on systems that are infected by Win32/Mywife@E.mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications, in particular, any virus protection software running on that computer.

As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependent on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect. It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with "Administrator" as the user name together with a blank password.

If you suspect that you are infected with the Mywife malware, or want to check whether you are infected, please contact your liaison or RCC for assistance.

II. WHO IS AFFECTED?

All Windows XP and Windows 2003 computers may be affected by this vulnerability. Macintosh users are not affected.

III. RECOMMENDED ACTION - ADMINISTRATIVE USERS ON CAMPUS

Please follow the instructions in Section IV, item 2.

IV. RECOMMENDED ACTION - ACADEMIC WINDOWS USERS and ALL HOME USERS

1) All Windows users (Administrative staff skip to item 2) must make sure that they have installed the latest anti-virus software configured by ACC (Virusscan 7.1 for XP), and that you have the latest definitions issued February 2 (dat version 4688) or later. For virus software information and downloads go to http://www.haverford.edu/acc/virus/virus.html.

2) Do not open attachments or click on web links in messages unless you are expecting them. Potential hazards, such as this current threat, are often distributed through email or other communication tools, e.g. AOL's Instant Messenger. The sender is rarely aware that such messages have been sent from his or her account; in fact, the return address on potentially hazardous messages is often forged. DO NOT ASSUME a file or web link is OK because it comes from someone you know. If you are suspicious of a message, check with the sender first.

3) Be wary of email bulletins from sources other than ACC. Many emails that describe threats to your computer are hoaxes. Tech tips from friends and relatives might work well on their networks, but may not be applicable on ours. Even if a bulletin seems to come from ACC, it may be a hoax. Again, any bulletin ACC sends will reference a page on our web site.

4) Install all necessary Windows critical updates. The best way to apply these updates is to open INTERNET EXPLORER and go to http://windowsupdate.microsoft.com/
(Note: You must use Internet Explorer; Netscape will not work.) Follow the instructions to scan for updates and install all **critical** updates identified (recommended updates and driver updates are not necessary).

If your computer is not automatically updating, see http://www.haverford.edu/acc/docs/general/osupdates.html for instructions on how to set up your computer to automatically notify you and install Microsoft updates as they are released.

V. RECOMMENDED ACTION - ACADEMIC MAC USERS

Macintosh users are not affected by this threat.

However, Macintosh users must also be sure to get all critical operating system updates and Office updates. Look for the Software Update tool in your Control Panel (OS 9) or in System Preferences (OS X) for operating system updates. For detailed instructions see http://www.haverford.edu/acc/docs/general/osupdates.html.

For information and downloads of current anti-virus software, go to http://www.haverford.edu/acc/virus/macantivirus.html

VI. FOR FURTHER ASSISTANCE

Students should contact compctr@haverford.edu or call the Helpdesk at 610-896-1480, open 9am to 5pm, Monday through Friday and until 9pm on Tuesdays. Students can also fill out a helpme form to contact their RCC directly http://www.haverford.edu/acc/helpdesk/helpme/index.htm.

Faculty members and academic staff should contact their liaison (see http://www.haverford.edu/acc/about/liaisons.html ) or call the Helpdesk at 610-896-1480, open 9am to 5pm, Monday through Friday and until 9pm on Tuesdays.

Administrative users should contact Administrative Computing (610-896-1044).