Security Alert: Sober.O Windows E-mail Virus (5/2/05)
This morning (Monday, May 2, 2005) a new e-mail virus that infects Windows systems has made a widespread appearance on campus. At this time neither Symantec Anti-Virus nor the Sophos/PureMessage anti-virus filters on the CIT mail servers are able to detect or block it.
Update: The new virus has been identified as W32.Sober.O. Both Symantec (Norton) AntiVirus and the CIT mail servers are now able to detect and filter this virus. Symantec has details at http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html
** Please exercise extreme caution in opening e-mail attachments **
These e-mail messages are arriving under various subject lines, such as "Your email was blocked," "Your password," and "Registration Confirmation." Some versions purport to be from a Cornell source, which is a forgery. The virus-laden attachment can take different forms, including "error-mail_info," "account_info-text," and "Winzipped-Text_Data." If you open the attachment on a Windows system, a virus may infect your computer.
* E-mail attachments were blocked until 11:50 a.m. Tuesday, May 3
To protect campus against this threat, we temporarily blocked delivery and transmission of e-mail with attachments that had suspect extensions (.exe, .com, etc.). Please see end of this message for a full list of the attachments being blocked.
Please note that the block includes ZIP files (with an extension of .zip) even though these are often legitimate attachments. We need to do this because ".zip" is one of the extensions being used by the virus-infected attachment.
We lifted the temporary block of selected attachment types once updates addressing this threat were installed on the mail servers' anti-virus filters.
As is typical with these viruses, you may have received infected messages that appear to be from people you know at Cornell. That does not necessarily mean the sender's computer is infected. This virus, like many others, mails itself to any e-mail address it finds.
For more information about e-mail and viruses, see:
http://www.cit.cornell.edu/computer/security/emailvirus.html
Thank you for your attention to this message. We hope it has proven useful.
Cornell Information Technologies
IT Security Office
If you need help and don't have access to local technical support personnel for assistance, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.
You can receive messages like this via e-mail by subscribing to the CIT-Alert-L mailing list, which is used to distribute announcements about significant disruptions or threats to the campus computing and telecommunications environment. Visit the CIT-Alert-L subscription page
We will be temporarily blocking attachments to the mail servers with the following extensions:
*.ade *.adp *.bas *.bat *.chm *.cla *.class *.cmd *.com *.cpl *.crt *.eml *.email *.exe *.hlp *.hta *.inf *.ins *.jpg *.jpeg *.js *.jse *.lnk *.msc *.msi *.mst *.ocx *.pcd *.pif *.reg *.scr *.sct *.shb *.shs *.url *.vb *.vbs *.vbe *.wsf *.wsh *.wsc *.zip *.???.exe *.???.lnk *.???.pif
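The following sketch shows how a filter could apply the block list above to the attachment names in a message. It is an added example, not CIT's mail-server configuration; the function names, the sample addresses and the attachment file names with extensions are constructed for illustration.

```python
import fnmatch
from email.message import EmailMessage

# Block list copied from the alert above; patterns are shell-style globs.
BLOCKED = """
*.ade *.adp *.bas *.bat *.chm *.cla *.class *.cmd *.com *.cpl *.crt *.eml
*.email *.exe *.hlp *.hta *.inf *.ins *.jpg *.jpeg *.js *.jse *.lnk *.msc
*.msi *.mst *.ocx *.pcd *.pif *.reg *.scr *.sct *.shb *.shs *.url *.vb *.vbs
*.vbe *.wsf *.wsh *.wsc *.zip *.???.exe *.???.lnk *.???.pif
""".split()


def blocked_pattern(filename):
    """Return the first block-list pattern the name matches, or None."""
    # Windows treats file names case-insensitively, so compare in lower case.
    name = filename.strip().lower()
    for pattern in BLOCKED:
        if fnmatch.fnmatchcase(name, pattern):
            return pattern
    return None


def scan_message(msg):
    """Return (filename, pattern) for every attachment the filter would block."""
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a file name
        if filename:
            pattern = blocked_pattern(filename)
            if pattern:
                hits.append((filename, pattern))
    return hits


def build_sample():
    """Constructed message: subject from the alert, file names invented."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"
    msg["To"] = "recipient@example.edu"
    msg["Subject"] = "Your password"
    msg.set_content("See attachment.")
    for name in ("Winzipped-Text_Data.zip", "notes.txt", "account_info-text.TXT.PIF"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for filename, pattern in scan_message(build_sample()):
        print(f"blocked: {filename} (matches {pattern})")
```

Under glob matching the *.???.exe, *.???.lnk and *.???.pif entries are already covered by *.exe, *.lnk and *.pif, so the first-match result reports the shorter pattern for double-extension names.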
Last modified: June 04, 2007