2002 NewsFLASH Archive

Dec. 15: Campus services outage, 8 am-noon (12/13/02)

Windows W32.Frethem.K@mmW32 worm reported at Cornell (7/15/02)

July 3-8 outage: All HR and Payroll systems (5/31/02)

June 2 outage: All HR and Payroll systems (5/31/02)

Watch out for Windows W32.Klez worm (4/23/02)

Windows W32.Myparty@mm worm reported at Cornell (1/29/02)

Jan. 18 outage: CorporateTime, 9 p.m.-6 a.m. (1/18/02)

Jan. 13 outage: CorporateTime, 7 a.m.-2 p.m. (1/11/02)

 


Some of these news flashes originally appeared in the Cornell Chronicle.

Also see our 2002 Briefs Archive page.


Dec. 15: Campus services outage, 8 am-noon (12/13/02)

On Sunday, Dec. 15, 8:00 a.m.-12:00 noon, Cornell Information Technologies will be upgrading part of the campus network. As a result, each of the following services will be unavailable for a period of time during that 4-hour window:

  • EZ-Remote dial-up
  • Express Lane dial-up
  • Just the Facts
  • Faculty Advisor
  • COLTS
  • uPortal.Cornell
  • Salsa (part of Bear Access)
  • DNS using cudns.cit.cornell.edu (use alternate DNS servers)
  • Cooperative Extension dial-up
  • Actuate
  • Brio
  • Apogee
  • CUReports
  • NUBB

More information on how this work fits into general network upgrade activities


Windows "Frethem" worm reported at Cornell (07/15/02)

W32.Frethem.K@mmW32, a Windows worm, has been reported at Cornell. Frethem infects computers running Windows 95/98/Me, NT, 2000, and XP.

As of 11:37 a.m. on July 15, Cornell Information Technologies has been blocking all e-mail that uses the worm's characteristic subject line, "Re: Your password!", to help check the spread of this worm.

What to Watch For

Frethem is contained in an e-mail attachment. The subject of the message is "Re: Your password!" and there are two attached files. The names of those files can vary, but the most common names are Decrypt-password.exe and Password.txt.

Do not launch the ".exe" file. If launched, Frethem will try to e-mail itself to addresses it finds on your computer.

The worm may also be launched through an old MIME security vulnerability affecting versions of Internet Explorer 5.01 or 5.5 that have NOT been updated to Service Pack 2. A patch for this vulnerability has been available since March 2001.

How to Avoid It

CIT urges all Windows users to update their Norton AntiVirus software and perform a complete system scan. Frethem is detected by Norton AntiVirus software that has been updated to the July 15, 2002, virus definition file, or a newer file.

To update, run Norton AntiVirus and choose Live Update. Or download the file via Bear Access (Virus Protection folder) or via Symantec.

Also see CIT's tips for making Eudora more resistant to viruses/worms.

How to Get Rid of It

If you suspect your computer has been infected, visit this Norton AntiVirus page for instructions on how to remove the worm. If you need additional assistance, please contact the CIT HelpDesk.


July 3-8 outage: All HR and Payroll systems (05/31/02)

From Wednesday, July 3 at 6:00 p.m. until Monday, July 8 at 7:00 a.m., the following HR and Payroll systems will be unavailable:

  • PeopleSoft HR/Payroll system
  • Kronos
  • COLTS
  • Position and Employee Data Lookup (PEDL)
  • Student Employment System (SES)
  • Employee Essentials (EE)
  • NetID (used to create NetIDs)
  • Warning and Termination Letters (WTL).

Kronos users will still be able to swipe their cards, but the data will be held at the clocks until the system is restored.

The outage is needed so that the Oracle Migration team (CIT, HR, and Payroll) can finish converting all HR and Payroll systems from Informix to Oracle.

As a user of these systems, you should not see any differences in how they work. A few things you should know about:

  • COLTS, SES, PEDL, NetID, and WTL users: Bear Access will download an updated application.

  • PeopleSoft users: A new application will be downloaded. If you created shortcuts to PeopleSoft on your desktop, they will no longer work.

  • HR/Payroll Actuate users: Reports will be viewable, but you will not be able to run new reports from July 3 to July 8.

  • Kronos administrators: Each Kronos client PC needs to have Oracle and the Oracle Kronos application installed. Older versions of Oracle may need to be updated. The installers and connectivity settings will be available via a web page. If you are a Kronos technical support person, please subscribe to Kronos-Tech-L.

Questions or concerns should be directed to Shari Avery.


June 2 outage: All HR and Payroll systems (05/31/02)

On Sunday, June 2, from 9:00 a.m. to noon, the following HR and Payroll systems will be unavailable:

  • PeopleSoft HR/Payroll system
  • Kronos
  • COLTS
  • Position and Employee Data Lookup (PEDL)
  • Student Employment System (SES)
  • Employee Essentials (EE)
  • NetID (used to create NetIDs)
  • Warning and Termination Letters (WTL).

Kronos users will still be able to swipe their cards, but the data will be held at the clocks until the system is restored.

The outage is needed so that CIT can upgrade and then test software on the servers.


Watch out for Windows W32.Klez worm (04/23/02)

Several variants of the "Klez" e-mail worm continue to circulate at Cornell. This worm affects Windows computers. The following description attempts to encompass several variants. For details on a particular variant, please see Symantec's virus information.

"Klez" can be difficult to recognize. Typically it comes via an e-mail message that has a random subject line and message body. The worm itself is in an attachment that also has a random name ending with the extension .bat, .exe, .pif or .scr. The "from" address may be familiar to you because of the way the worm replicates itself.

Do not launch the attached file. If launched, the "Klez" worm will attempt to disable antivirus software. It may copy itself to the computer's hard drive and spread via files shared over a network. It will search the computer for e-mail addresses and attempt to mail itself to those addresses. Those addresses may also be used randomly in the "from" field, presumably to make the worm-generated messages seem legitimate to the recipients. The worm may randomly choose a file to attach to the e-mail message, so confidential or personal information could be exposed. Finally, the worm may damage some files.

WHAT YOU SHOULD DO

  • If you use Internet Explorer 5.01 or 5.5 and have not installed Service Pack 2 from Microsoft, you should do so. Or consider upgrading to Internet Explorer 6. If you use Outlook Express, please read the Microsoft bulletin on how to block the "Klez" worm from being launched automatically.

  • Update your Norton AntiVirus definitions. Variants of "Klez" (up through the "H" variant) are detected by Norton AntiVirus software that has been updated to the 04/17/2002 virus definition file (or a newer file). You can get this file by running your Norton AntiVirus software and choosing Live Update. Or you can download it directly from the Symantec web site.

  • Scan attachments with Norton AntiVirus. It can be set up to do this automatically. Scanned or not, don't launch attachments if you were not expecting them. "Klez" can forge the "from" address when it e-mails itself, so you may get infected messages from people you know. Take the extra time to double-check with the sender if you're in doubt.

If you suspect your computer has been infected, use the Norton AntiVirus tool to remove the worm. If you need more assistance, please contact the HelpDesk.


Windows W32.Myparty@mm worm reported at Cornell (01/29/02)

The "My Party" Trojan horse/worm has been reported at Cornell. This worm affects Windows computers.

"My Party" is contained in an e-mail attachment named "www.myparty.yahoo.com". The attachment is sent with a message that has the subject "new photos from my party."

Do not launch the "www.myparty.yahoo.com" file. If launched and the date on your computer is between January 25 and 29, 2002, the Trojan horse/worm will attempt to mail itself to everyone in the Microsoft Outlook address book, as well as to addresses it finds in Outlook Express mail boxes. Windows NT/2000/XP systems are also infected with a Trojan horse that could provide remote access to the computer.

This worm is detected by Norton AntiVirus software that has been updated to the 01/28/2002 virus definition file (or a newer file). You can get this file by running your Norton AntiVirus software and choosing Live Update. Or you can download it directly from the Symantec web site.

If you suspect your computer has been infected, contact the HelpDesk for assistance, or visit the Norton AntiVirus page for instructions on how to remove the worm.
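
The indicators given in the Frethem, Klez and My Party advisories above, expressed as a mail-gateway check. This is an added example, not CIT's filter or code from the original page; the function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as stated in the three advisories on this page.
FRETHEM_SUBJECT = "re: your password!"
MYPARTY_SUBJECT = "new photos from my party"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"
KLEZ_EXTENSIONS = (".bat", ".exe", ".pif", ".scr")


def classify(raw_message: bytes) -> list:
    """Return a label for every advisory whose indicators match the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    # Attachment names are compared case-insensitively.
    names = [part.get_filename().strip().lower()
             for part in msg.walk() if part.get_filename()]
    hits = []
    if subject == FRETHEM_SUBJECT:
        hits.append("Frethem")
    if subject.startswith(MYPARTY_SUBJECT) or MYPARTY_ATTACHMENT in names:
        hits.append("My Party")
    # Klez randomizes subject, body and sender, so the attachment
    # extension is the only indicator the advisory gives a filter.
    if any(name.endswith(KLEZ_EXTENSIONS) for name in names):
        hits.append("executable attachment")
    return hits


def build_sample(subject: str, attachments: list) -> bytes:
    """Construct a sample message (placeholder bytes, not real malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"   # constructed address
    msg["To"] = "recipient@example.edu"  # constructed address
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    for name in attachments:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Re: Your password!",
                          ["Decrypt-password.exe", "Password.txt"])
    print(classify(sample))
```

A subject-line rule catches only the worm that uses a fixed subject; for Klez the check falls back to the attachment extension, which also flags legitimate executables and so suits quarantine rather than silent deletion.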


Jan. 18 outage: CorporateTime, 9 p.m.-6 a.m. (1/18/02)

CorporateTime, the university's electronic calendar service, will be unavailable on Friday, Jan. 18, from 9:00 p.m. through 6:00 a.m. while Cornell Information Technologies does maintenance.

If you use CorporateTime, please exit or quit the application before Sunday to avoid losing your preferences for window sizes.


Jan. 13 outage: CorporateTime, 7 a.m.-2 p.m. (1/11/02)

CorporateTime, the university's electronic calendar service, will be unavailable on Sunday, Jan. 13, from 7:00 a.m. through 2:00 p.m. while Cornell Information Technologies does monthly maintenance.

If you use CorporateTime, please exit or quit the application before Sunday to avoid losing your preferences for window sizes.



Last modified: December 31, 2002
Contact Person: citnews@cornell.edu