Threat Prevention Measures
Only by keeping your virus definition files and operating system updates and patches current can you remain secure from malicious worms and viruses! Download a full version of Symantec's Norton Antivirus Software (download available on-campus only) and perform Norton's "live update" frequently when connected to the campus network. Also, be sure to check for Windows updates frequently by visiting Microsoft Windows Update.
For additional information about current virus threats and how to protect yourself against them, visit the Symantec Security Response Web site.
As the old adage says, "an ounce of prevention is worth a pound of cure!"
Frequently Found Virus and Hacking Threats
W32.Mydoom.M@mm
From Symantec Security Response: W32.Mydoom.M@mm is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A, that listens on TCP port 1034. The worm uses its own SMTP engine to send itself to email addresses it finds on the infected computer.
The email contains a spoofed From address, and the Subject and Body text will vary. The attachment name will also vary.
Note: Symantec Consumer and Enterprise products that support Worm Blocking functionality automatically detect this threat as it attempts to spread. Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 4 to a Category 3 as of July 28, 2004.
Also Known As: W32.Mydoom.M@mm [McAfee], W32/MyDoom-O [Sophos], WORM_MYDOOM.M [Trend], Win32.Mydoom.O [Computer Associates]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX.
Removal: Download Symantec's free MyDoom Removal Tool at right.
W32.Beagle.AG@mm
From Symantec Security Response (07/19/04): W32.Beagle.AG@mm is a mass-mailing worm that uses its own SMTP engine to spread through email and opens a backdoor on TCP port 1080.
The subject line, body, and attachment name of the email vary. The attachment will have a .com, .cpl, .exe, .scr, or .zip file extension. If the file attachment is a .zip file, it will be password protected.
The worm is packed with PeX.
Also Known As: WORM_BAGLE.AH [Trend], W32/Bagle.ai@MM [McAfee], W32/Bagle-AI [Sophos], Win32.Bagle.AI [Computer Associates].
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP.
Systems NOT Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x.
Removal: Download Symantec's free Beagle Removal Tool (FxBeagle.exe) at right.
Vulnerability in Task Scheduler Could Allow Code Execution
News from Microsoft Corporation:
This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer. The vulnerability is documented in the Vulnerability Details section of this bulletin.
If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. However, user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
OIT recommends that all users of affected systems apply the Microsoft Update immediately. Instructions for applying updates can be found on the right-hand pane of this web page.
Campus Systems Affected
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1
Campus Systems NOT Affected
The Dabber Worm
Symantec Security reports that W32.Dabber.A is a worm. According to Symantec, "this worm propagates by exploiting [a] vulnerability in the FTP server component of W32.Sasser.Worm and its variants." This worm will only infect those users who are already infected by the Sasser Worm. Affected systems include Windows 2000 and Windows XP.
Who is vulnerable?
Anyone running the Microsoft Windows XP operating system (including Service Pack 1) or the Windows 2000 operating system (including Service Packs 2, 3, or 4) is at critical risk and must obtain the current Windows Updates. Those running Windows ME, Windows 98 or Windows 98 SE are not critically affected and need not be concerned.
If you think your computer has been affected, then please read the documents listed in the right-hand pane for more information or contact the Helpdesk at helpdesk@anselm.edu or phone on-campus extension xHELP (4357).
The Sasser Worm
Starting out small, the Sasser worm can do some real damage. Unlike other recent threats, Sasser doesn't need e-mail to spread. However, an email claiming to fix Sasser actually contains the Netsky worm, so always be sure to download your patches, updates, and virus definitions from trusted sites. It is important to note that up-to-date virus definitions can only remove the worm once it is present; they cannot prevent infection. Only the proper Windows Update will prevent infection. Please read the documents listed in the right-hand pane for more information or contact the Helpdesk at helpdesk@anselm.edu or phone on-campus extension xHELP (4357).
Sasser comes in four varieties
W32.Sasser.A
W32.Sasser.B
W32.Sasser.C
W32.Sasser.D
Microsoft reports that its teams have confirmed that the Sasser worm (W32.Sasser.A and its variants) is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13 in conjunction with Microsoft Security Bulletin MS04-011. Please read the bulletin for more information.
Who is vulnerable?
Anyone running the Microsoft Windows XP operating system (including Service Pack 1) or the Windows 2000 operating system (including Service Packs 2, 3, or 4) is at critical risk and must obtain the current Windows Updates. Those running Windows ME, Windows 98 or Windows 98 SE are not critically affected and need not be concerned.
The Netsky Worm (W32.Netsky.D@mm [3/1/04])
Due to an increased rate of submissions, Symantec Security Response has upgraded W32.Netsky.D@mm from a Category 3 to a Category 4 as of March 1, 2004. W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for email addresses and sends itself to those that are found. The Subject, Body, and Attachment names vary. The attachment will have a .pif file extension.
W32.Netsky.K@mm [3/08/04]
W32.Netsky.K@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension. This threat is compressed with tElock.
The Beagle Worm (W32.Beagle.M@mm [3/13/04])
W32.Beagle.M@mm is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through email. Like previous Beagle variants, this worm opens a backdoor (it listens on TCP port 2556) and attempts to spread through file-sharing networks by copying itself to folders that contain "shar" in their names. W32.Beagle.M@mm also infects files with the EXE extension.
W32.Beagle.J@mm [3/02/04]
W32.Beagle.J@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It sends the attacker the port on which the backdoor listens, as well as the IP address. It attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.
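The mass-mailers described on this page (Mydoom.M, Beagle.AG, Netsky.D/K, Beagle.M/J) share the same mail-borne indicators: a spoofed sender, varying subject and body, and an attachment with one of a few executable extensions, password-protected ZIPs in the Beagle.AG case. The attachment filter below is an added example, not Symantec's, Microsoft's or the campus OIT's own code; it flags the extensions the bulletins list (.com, .cpl, .exe, .scr, .zip, .pif) and detects the password-protected ZIP pattern. The sample message and archive are constructed inline, and the addresses are placeholders.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions the bulletins list for Beagle.AG (.com .cpl .exe .scr .zip) and Netsky (.pif).
RISKY_EXTENSIONS = {".com", ".cpl", ".exe", ".scr", ".zip", ".pif"}

def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any member sets bit 0 (encryption) of its general-purpose flags."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def scan_message(raw: bytes) -> list:
    """Return (filename, reason) for each attachment matching the bulletins' indicators."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name or "." not in name:
            continue
        ext = "." + name.rsplit(".", 1)[-1].lower()
        if ext not in RISKY_EXTENSIONS:
            continue
        reason = f"attachment extension {ext} is on the bulletin's list"
        if ext == ".zip" and zip_has_encrypted_entry(part.get_payload(decode=True)):
            reason += "; ZIP is password protected, the Beagle.AG pattern"
        findings.append((name, reason))
    return findings

def build_password_protected_zip() -> bytes:
    """Constructed sample; zipfile cannot write encrypted members, so the flag is set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.exe", b"placeholder bytes, not an executable")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local header / central dir flags
        data[data.find(sig) + off] |= 0x01
    return bytes(data)

def build_sample_message(attachment: bytes, filename: str) -> bytes:
    """Constructed mail from a spoofed (placeholder) sender carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content("See the attached file.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Running scan_message over build_sample_message(build_password_protected_zip(), "docs.zip") reports the ZIP as both a listed extension and password protected, while a .txt attachment produces no finding.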