Security Alert: New Windows E-mail Virus - Attachments Being Blocked (2/18/05)
This afternoon (Friday, February 18, 2005) a new e-mail virus that infects Windows systems has made a widespread appearance on campus. At this time neither Symantec Anti-Virus nor the Sophos/PureMessage anti-virus filters on the CIT mail servers are able to detect or block it.
See the updated alert issued on Monday, February 21. The virus has been identified as MyDoom.AZ, and both Symantec Anti-Virus and the Sophos/PureMessage filters are now able to detect and block or remove it.
** Please exercise extreme caution in opening e-mail attachments **
The subject line may suggest that the message originates from a Cornell address, possibly "MAIL-DAEMON@cornell.edu". This is a forgery -- it can be either another Cornell computer or an off-campus system that is spreading the infection. The examples we have seen thus far have no text or just unreadable characters in the body of the message. The virus-laden attachment can take different forms. If you open the attachment on a Windows system, the virus will infect your computer.
* E-mail attachments are being blocked
To protect campus against this threat, we are temporarily blocking delivery and transmission of e-mail with attachments that have suspect extensions (.exe, .com, etc.). Please see the end of this message for a full list of the attachments being blocked.
Please note that the block includes ZIP files (with an extension of .zip) even though these are often legitimate attachments. We need to do this because ".zip" is one of the extensions being used by the virus-infected attachment.
We will lift the temporary block of selected attachment types once updates addressing this threat have been installed on the mail servers' anti-virus filters.
As is typical with these viruses, you may have received infected messages that appear to be from people you know at Cornell. That does not necessarily mean the sender's computer is infected. This virus, like many others, mails itself to any e-mail address it finds.
For more information about e-mail and viruses, see:
http://www.cit.cornell.edu/computer/security/emailvirus.html
Thank you for your attention to this message. We hope it has proven useful.
Cornell Information Technologies
IT Security Office
If you need help and don't have access to local technical support personnel for assistance, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.
You can receive messages like this via e-mail by subscribing to the CIT-Alert-L mailing list, which is used to distribute announcements about significant disruptions or threats to the campus computing and telecommunications environment. Visit the CIT-Alert-L subscription page.
We will be temporarily blocking attachments to the mail servers with the following extensions:
*.ade
*.adp
*.bas
*.bat
*.chm
*.cla
*.class
*.cmd
*.com
*.cpl
*.crt
*.eml
*.exe
*.hlp
*.hta
*.inf
*.ins
*.jpg
*.jpeg
*.js
*.jse
*.lnk
*.msc
*.msi
*.mst
*.ocx
*.pcd
*.pif
*.reg
*.scr
*.sct
*.shb
*.shs
*.url
*.vb
*.vbs
*.vbe
*.wsf
*.wsh
*.wsc
*.zip
*.???.exe
*.???.lnk
*.???.pif
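
The block list above, applied to the attachment names in a message's MIME parts. This is an added example, not part of the original alert or of the CIT mail servers' filter configuration; the function names, the case-insensitive matching and the sample message are assumptions made for illustration.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions and double-extension patterns copied from the alert's block list.
BLOCKED = """ade adp bas bat chm cla class cmd com cpl crt eml exe hlp hta inf
ins jpg jpeg js jse lnk msc msi mst ocx pcd pif reg scr sct shb shs url vb vbs
vbe wsf wsh wsc zip ???.exe ???.lnk ???.pif""".split()
PATTERNS = ["*." + ext for ext in BLOCKED]


def matching_patterns(filename):
    """Return every block-list pattern that the attachment name matches."""
    # Assumption (not stated in the alert): match case-insensitively and
    # ignore trailing dots/spaces, which Windows drops when saving a file.
    name = filename.strip().rstrip(". ").lower()
    return [p for p in PATTERNS if fnmatch.fnmatchcase(name, p)]


def scan_message(raw_bytes):
    """Return [(filename, [patterns])] for each MIME part that would be blocked."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition filename and falls
        # back to the Content-Type "name" parameter.
        filename = part.get_filename()
        if filename and matching_patterns(filename):
            hits.append((filename, matching_patterns(filename)))
    return hits


def build_sample():
    """Constructed message: one blocked and one allowed attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("sample body")
    for name in ("Report.DOC.PIF", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, patterns in scan_message(build_sample()):
        print(f"BLOCK {filename}: {', '.join(patterns)}")
```

The filter looks only at the declared file name, which is why a legitimate `.zip` or `.jpg` attachment is stopped along with an infected one while the block is in place.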
Last modified: June 04, 2007