Policy

It is Health Sciences Center policy that all computers connecting to the HSC network have installed and up-to-date virus detection software. McAfee Virus Scan is provided to meet this requirement and is available for download here. If you have a computer on your desk or in your lab you have primary responsibility for assuring that it remains virus free and does not disrupt or corrupt the work of others.

Downloads

Downloads available on this page are dated and targeted toward coping with particular threats. Please check the descriptions carefully when choosing which to download and install.

McAfee Stinger v2.4.7 (1/3/05) - Click to Download

Standalone virus removal tool from McAfee. This version cleans the following viruses/worms:

W32/Anig.worm, W32/Bagle, Exploit-DcomRpc, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, PWS-Narod, W32/Sdbot.worm.gen, BackDoor-JZ, BackDoor-AQJ, BackDoor-CFB, Backdoor-CHR, IPCScan, NTServiceLoader, PWS-Sincom.dll, W32/SQLSlammer.worm, W32/Blaster.worm, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Dumaru, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Korgo.worm, W32/Mimail, W32/MoFei.worm, W32/Mumu.b.worm, W32/Doomjuice.worm, W32/Mydoom, W32/Nachi.worm, W32/Netsky, W32/Nimda, W32/Pate, W32/Sasser.worm, W32/SirCam@MM, W32/Sobig, W32/Sober, W32/Swen@MM, W32/Yaha@MM, W32/Zafi, W32/Zindos.worm, Bat/Mumu.worm

Individual Patches

These patches cure specific issues and do not represent all of the patches available from Microsoft. Installation of these does not negate the need to regularly run Windows Update.

LSA Shell (Sasser) Vulnerability Patches 835732 (MS04-011)

Windows XP Patch - DOWNLOAD - This patch will protect against infection by Sasser and related worms.
Windows 2000 Patch - DOWNLOAD - Requires at least Service Pack 2 to be installed first.
Windows NT v4 Patch - DOWNLOAD - Requires at Service Pack 6a.

RPC Vulnerability Patches 824146 (MS03-039) - Supercedes 823980 (MS03-026):

Windows XP Patch - DOWNLOAD - This patch alone should be all that is required to protect Windows XP machines.
Windows 2000 Patch - DOWNLOAD - You will need to install the Windows Service Packs for Windows 2000 prior to running this patch. Service Pack 4 is available below.
Windows NT Patch - DOWNLOAD - This patch alone should be all that is required to protect Windows NT v4 machines.

Windows 2000 Service Pack 4 - DOWNLOAD - This service pack fixes many known issues with Windows 2000 and is required before the RPC vulnerability patch will run. This download is over 130 megabytes and will take a long time over a dial-up connection. You may bring a blank CD-R to our office at MDC 1054 and we will burn the service pack to it if you wish.

Information and Alerts

We would strongly recommend turning on the Windows Update feature. Call our Support Desk at 974-6288 for help if needed.

Current Alerts

Microsoft's November Update to Contain Just One Patch

(17 November 2005)

Microsoft's monthly security update for November will contain just one patch, which is for a critical flaw in Windows, according to advance notification from the company. The fix will require users to restart their machines. The update will be released on Tuesday, November 8, 2005. The release will also include a number of high-priority, non-security related updates.

http://www.computerworld.com/printthis/2005/0,4814,105950,00.html

http://www.microsoft.com/technet/security/bulletin/advance.mspx

4-13-05 Microsoft releases Security Bulletin

Microsoft has released a Security Bulletin Summary for April, 2005.This summary includes several bulletins that address vulnerabilities in various Windows applications and components. Exploitation of some vulnerabilities can result in the remote execution of arbitrary code by a remote attacker.

Please visit Windows Update to ensure your computer is patched up to date.

3-16-05 MSN Messenger users beware
(from SANS Security news bite http://www.sans.org)

Researchers have detected a variety of worms that are spreading through MSN Messenger. Some are Bropia variants; two others, Kelvir and Sumom, are capable of installing the Backdoor.Rbot Trojan. The number of worms using IM to spread is increasing. In the first six weeks of 2005 alone there have been 10 IM worms, three times the number for the same period last year.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39220754-39037064t-39000005c
http://www.eweek.com/print_article2/
0,2533,a=147185,00.asp
http://www.computerworld.com/securitytopics/
security/virus/story/0,10801,100264,00.html
[Editor's Note (Northcutt): this is a classic security awareness problem. We need to remind our users not to click on the link for the URL sent in these IMs.

3-16-05 - Student convicted for file sharing

Parvin Dhaliwal, a student at the University of Arizona, has pleaded guilty to possession of unauthorized copies of intellectual property, a Class 6 Felony under the state's new piracy law. Mr. Dhaliwal had uploaded digital copies of recently released films and music believed to be valued at $50 million dollars; some movies such as Matrix Revolutions were still playing in theaters. Mr. Dhaliwal received a sentence of 3 months in jail, 3 years probation, 200 hours of community service and a US$5,400 fine. He is also required to take a university class on copyright issues.
You can read more at http://www.msnbc.msn.com/id/7122133/

2-23-05 - Fake FBI e-mails contain PC virus

The FBI warned Tuesday that a computer virus is being spread through unsolicited e-mails that purport to come from the FBI. The e-mails appear to come from an fbi.gov address. They tell recipients that they have accessed illegal Web sites and that their Internet use has been monitored by the FBI's ``Internet Fraud Complaint Center,'' the FBI said. The messages then direct recipients to open an attachment and answer questions. The computer virus is in the attachment.``Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner,'' the FBI said in a statement.

1-31-2005 - From an article on eweek.com

http://www.eweek.com/article2/0,1759,1756636,00.asp?kc=ewnws013105dtx1k0000599)
Virus writers have once again gotten the drop on anti-virus vendors and IT administrators with a new technique that's finding early and considerable success. Late last month, administrators and service providers began seeing virus-infected messages with a new type of attachment hitting their mail servers: an .rar archive. .Rar files are similar to .zip files in that they are containers used to hold one or more compressed files. The .rar format is not as widely known as .zip, but it is used for a number of tasks, including compressing very large files, such as music and video.
The emergence of .rar-packed viruses highlights the lengths to which virus writers are willing to go to evade anti-virus systems, as well as the limitations of those traditional signature-based defenses.
Experts say .rar files carrying viruses have been sailing past commercial anti-virus products and finding their way into the mailboxes of users, who are often unfamiliar with the file format. Administrators who have seen .rar-packed malware say that none of the messages have been stopped by their anti-virus defenses.

1-5-2005 -

The Holiday season brought with it a new round of vulnerability notices and virus warnings, please ensure you keep all patches and antivirus software up to date.

1-4-2005

During the week between Christmas and New Years a Microsoft SQL Slammer worm attack was launched on all computers on campus. This worm attacks an old vulnerability in Microsoft SQL server and the Microsoft SQL Desktop Engine used in many programs. 15 computers across the campus where compromised. Please ensure you run Windows Updates to make sure your computer is patched up to date

5-5-2004 - Sasser Worm Inside Firewall

As Feared, the Sasser worm has been introduced inside the HSC firewall, probably from an infected laptop. There are two symptoms. 1) Your computer constantly reboots. 2) Your computer rebooted once and now you do not seem to have an internet connection (because we have disabled your port). In either of these cases you may call the Support Desk at 974-6288 for assistance.
If you wish to clean your own computer: If your machine is infected and you are reading this from an uninfected machine that has a CD burner that you know how to use, download Stinger (found in the left column of this page) to remove the virus and the appropriate patch (below) to protect the computer from reinfection, burn them to CD and follow the steps below for cleaning.

If you do not have a CD burner, but have a blank writable CD ROM, you may bring it to our office and we will burn it for you.

Cleaning from CD:

Boot the infected computer into Windows Safe Mode. Turn the computer off, then back on and begin repeatedly hitting the F8 key about once per second. In a minute a menu should be presented that offers to start in Normal or Safe Mode. Start in Safe Mode without network support.
Insert the CD into the infected computer's CD drive.
Right click the Start button and select Explore from the menu that is displayed.
Find the CD drive. If you burned the CD, Stinger will be in the place you selected. If you get the CD burned by us it will be in the root directory of the CD.
Run Stinger and click Scan have it scan your computer.
Run the patch after Stinger completes. The patches names begin with the Windows version, i.e. Windows200-... or WindowsXP-...
After the patch is installed reboot the computer. If your network port has been disabled call the Support Desk at 974-6288 and we will add the port to the list to be re-enabled.

Sasser Patch for Windows XP (all versions)

Sasser Patch for Windows 2000 (Service Pack 2 or newer)

Sasser Patch for Windows NT 4 (Service Pack 6a)

McAfee Stinger.

See the instructions below for setting up Automatic Windows Updates below to help protect against future infections.

McAfee VirusScan

It is Health Sciences Center policy that all computers attaching to our network have virus scanning software installed, running, and up-to-date. The University provides a site license that covers all USF computers as well as personally owned home equipment belonging to faculty, staff, or students.

Click Here to Download McAfee VirusScan

Windows Update

It is vital to keep up with current patches for Windows to avoid many of the latest worms and viruses. Follow these quick steps to set it to check for updates automatically in the future, then click on the link below to get your computer up to date now.

1. Go to the Automatic Updates dialog box. For Windows XP, Click Start; right-click on My Computer; choose Properties; then Automatic Updates. For Windows 2000, click Start and go to the Control Panel. Double-click on the Automatic Updates icon. If you aren't sure what version of Windows you have, right-click on My Computer and choose Properties and your version will be displayed in the General tab.

2. In the Automatic Updates dialog box, put a checkmark in "Keep my computer up to date." Then click the middle setting, "Download the updates automatically and notify me to install them." Click Apply and OK.

3. From now on, whenever there are new updates you will see a small balloon in your lower screen alerting you to install them; click on the balloon to be walked through it. When you see this alert, you must click to install them or your computer will not be up to date.

Click Here to Run Windows Update Now

Information Resource Links

McAfee VirusScan Updates & Upgrades
McAfee Virus Information Library
Symantec Security Response Page