Security Update: Mytob.DG Windows Email Virus - attachments block lifted (6/8/05)
As announced in our previous alert, on Monday, June 6, 2005, a new e-mail virus that could infect Windows computers appeared on campus. This virus has now been identified by Symantec as Mytob.DG.
* Updated Symantec AntiVirus Definitions
The virus definitions for Symantec AntiVirus (SAV) have been updated to detect this virus. You should launch SAV and ensure that the Virus Definition File is version 06/07/2005 rev.16 or later.
If you don't have the current definitions, you can run LiveUpdate to download them from Symantec. They can also be retrieved locally from:
http://www.cit.cornell.edu/software/downloads/antivirus/
* Blocking of e-mail attachments lifted
The Sophos/PureMessage virus filters on the CIT central mail servers have been updated and are successfully blocking messages that have the virus-laden attachment. As a consequence, we are no longer blocking delivery and transmission of e-mail with attachments that have suspect file names (including .zip files).
* How to detect and remove the virus
Once you have determined that your SAV virus definitions are current, you can scan your computer for e-mail messages that included the virus-laden attachment. SAV will quarantine any copies of the attachment.
If you inadvertently opened the attachment and so infected your system, Symantec's web page about this virus includes instructions for cleaning the virus off your system:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.dg@mm.html
People working on departmental networks should, as always, consult with local technical support personnel for assistance with updating their software and cleaning up any virus infections.
The original alert, below, has been superseded by the updated message above. Both messages refer to the same virus outbreak.
Security Alert: New Windows Email Virus - attachments being blocked (6/6/05)
This morning (Monday, June 6, 2005) a new e-mail virus that infects Windows systems has made a significant appearance on campus. At this time neither Symantec Anti-Virus nor the Sophos/PureMessage anti-virus filters on the CIT mail servers are able to detect or block it.
** Please exercise extreme caution in opening e-mail attachments **
These e-mail messages, apparently variants of the MyTob worm, are arriving under various subject lines, such as "Important Notification," "Account Alert," and "Your Email Account is Suspended For Security Reasons."
Some versions purport to be from a Cornell office, such as admin@conrell.edu, support@cornell.edu or mail@cornell.edu. These addresses are forgeries.
The virus-laden attachment can take different forms, including "email-info," "account-details," and "document." If you open the attachment on a Windows system, a virus may infect your computer.
* E-mail attachments are being blocked
To protect campus against this threat, we are temporarily blocking delivery and transmission of e-mail with attachments that have suspect extensions (.exe, .com, etc.). Please see the end of this message for a full list of the attachments being blocked.
Please note that the block includes ZIP files (with an extension of .zip) even though these are often legitimate attachments. We need to do this because ".zip" is one of the extensions being used by the virus-infected attachment.
We will lift the temporary block of selected attachment types once updates addressing this threat have been installed on the mail servers' anti-virus filters.
* For more information about e-mail and viruses, see:
http://www.cit.cornell.edu/computer/security/emailvirus.html
Thank you for your attention to this message. We hope it has proven useful.
Cornell Information Technologies
IT Security Office
If you need help and don't have access to local technical support personnel for assistance, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.
You can receive messages like this via e-mail by subscribing to the CIT-Alert-L mailing list, which is used to distribute announcements about significant disruptions or threats to the campus computing and telecommunications environment. Visit the CIT-Alert-L subscription page
We will be temporarily blocking attachments to the mail servers with the following extensions:
*.ade
*.adp
*.bas
*.bat
*.chm
*.cla
*.class
*.cmd
*.com
*.cpl
*.crt
*.eml
*.exe
*.hlp
*.hta
*.inf
*.ins
*.jpg
*.jpeg
*.js
*.jse
*.lnk
*.msc
*.msi
*.mst
*.ocx
*.pcd
*.pif
*.reg
*.scr
*.sct
*.shb
*.shs
*.url
*.vb
*.vbs
*.vbe
*.wsf
*.wsh
*.wsc
*.zip
*.???.exe
*.???.lnk
*.???.pif
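An added example (not CIT's filter configuration or code): one way a mail filter could apply the block list above to attachment file names, including the *.???.exe style double-extension patterns. Case-insensitive glob matching and the function names are assumptions of this example, and the sample message is constructed.

```python
import fnmatch
from email import message_from_string
from email.message import EmailMessage

# Glob patterns copied from the alert's block list. The alert does not name a
# matching engine; case-insensitive glob matching is an assumption here.
BLOCKED = """
*.ade *.adp *.bas *.bat *.chm *.cla *.class *.cmd *.com *.cpl *.crt *.eml
*.exe *.hlp *.hta *.inf *.ins *.jpg *.jpeg *.js *.jse *.lnk *.msc *.msi
*.mst *.ocx *.pcd *.pif *.reg *.scr *.sct *.shb *.shs *.url *.vb *.vbs
*.vbe *.wsf *.wsh *.wsc *.zip *.???.exe *.???.lnk *.???.pif
""".split()

def blocked_pattern(filename):
    """Return the block-list pattern a file name matches, else None."""
    name = filename.strip().lower()
    # Try longer patterns first so a double extension such as .txt.exe is
    # reported as *.???.exe rather than as plain *.exe.
    for pat in sorted(BLOCKED, key=len, reverse=True):
        if fnmatch.fnmatchcase(name, pat):
            return pat
    return None

def scan_message(raw):
    """Return [(filename, pattern)] for every MIME part with a blocked name."""
    hits = []
    for part in message_from_string(raw).walk():
        # get_filename() reads Content-Disposition, then Content-Type "name".
        fname = part.get_filename()
        if fname and blocked_pattern(fname):
            hits.append((fname, blocked_pattern(fname)))
    return hits

def sample():
    """Constructed test message (not a captured one) with three attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Account Alert"
    msg.set_content("See attachment.")
    for fn in ("account-details.txt.exe", "notes.txt", "Document.ZIP"):
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_string()

if __name__ == "__main__":
    for fname, pat in scan_message(sample()):
        print(f"BLOCK {fname!r} (matched {pat})")
```

Because the match is on the file name alone, legitimate .zip and .jpg attachments are stopped as well, which is the trade-off the alert describes for the temporary block.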
Last modified: June 04, 2007