01 March 2004

Yet more Worm attacks

New variants of the Bagle worm have hit the University network.

There have now been at least eight variants of the Bagle worm. All of them spread through email attachments: the worm runs when an unsuspecting user on a PC opens an attachment containing the malicious code. Five of the variants have appeared in the last week, and a number of computers in the University appear to have been infected by several of the new variants.

The return addresses of the emails carrying the malicious code are "spoofed": the emails appear to come from people who certainly did not send them.

Anyone on a PC who opens the attachment infects their computer, and the worm then sends itself to email addresses it finds on the infected computer.

Although the Division's email server scans for such attacks, there is always a lag between the discovery of a new threat and the development and distribution of the anti-virus signature updates that detect it. It is within this window that attachments carrying malicious code get through the server and into people's in-boxes.

If people continue to open attachments that contain malicious code, the Division should consider additional steps to minimise the risk of future attacks. One option is to configure the email server to remove ANY attachments from emails sent to people in the Division, although this would prevent legitimate use of email as a way of transferring, for example, presentations, word-processing files, spreadsheets and Acrobat documents. Note that one of the more recent Bagle variants arrived in a password-protected zip archive, with the password given in the body of the email. Zip files are often suggested as a way of getting legitimate files past servers that apply high levels of protection against malicious attachments, but a server cannot look inside a password-protected archive, so in this case the worm would have got through.
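The following is an added illustration, not part of the original notice and not the Division's mail-server configuration, of why a password-protected archive defeats gateway scanning. It builds a small message with a zip attachment (constructed sample data), then applies a hypothetical gateway policy: an archive whose members are flagged as encrypted cannot be inspected, so it is quarantined rather than passed on; an archive that can be read is checked for executable members. The executable-extension list and the "quarantine"/"reject"/"allow" verdicts are assumptions for this example. Python's zipfile module cannot write encrypted archives, so the sample sets the encryption bit in the zip headers by hand; a scanner sees exactly that bit on a real password-protected archive.

```python
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag field

# Hypothetical gateway policy (assumption for this example): archive members
# or attachments with these extensions are treated as executable content.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def build_sample_zip(member_name, content, encrypted=False):
    """Build a small ZIP in memory (constructed test data, not a captured worm).

    When `encrypted` is set, the encryption bit is ORed into the flag field of
    every local file header (PK\\x03\\x04, flags at offset 6) and central
    directory header (PK\\x01\\x02, flags at offset 8). The member then reads
    as encrypted, which is all a scanner without the password gets to see.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
                struct.pack_into("<H", data, pos + flag_offset, flags | ZIP_ENCRYPTED_FLAG)
                pos = data.find(signature, pos + 4)
    return bytes(data)


def classify_archive(data):
    """Decide what a gateway can do with a ZIP attachment: (verdict, reason).

    'quarantine' means the contents could not be inspected, 'reject' means they
    were inspected and contain executable content, 'allow' means every member
    was readable and nothing looked executable.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("quarantine", "attachment claims to be a ZIP but is not parseable")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                # Cheap header check: the member is declared encrypted, so the
                # scanner cannot see its bytes without the password.
                return ("quarantine", f"{info.filename}: encrypted member, contents cannot be scanned")
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                return ("reject", f"{info.filename}: executable content inside archive")
            try:
                with zf.open(info) as member:
                    member.read(16)  # a real gateway hands this stream to its AV engine
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile) as exc:
                return ("quarantine", f"{info.filename}: unreadable member ({exc})")
    return ("allow", "all members readable, no executable content")


def scan_message(raw_message):
    """Apply the policy to every attachment of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            verdict, reason = classify_archive(payload)
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            verdict, reason = ("reject", "executable attachment")
        else:
            verdict, reason = ("allow", "non-archive attachment passed to AV scanner")
        results.append((name, verdict, reason))
    return results


def build_sample_message(sender, attachment_name, attachment_bytes, body):
    """Construct a message of the kind described above (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender  # a worm would spoof this address
    msg["To"] = "someone@example.org"
    msg["Subject"] = "Re: Document"
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Password-protected archive with the password in the body: the gateway
    # cannot look inside, so it must quarantine rather than pass it on.
    locked = build_sample_zip("photos.exe", b"MZ not a real program", encrypted=True)
    print(scan_message(build_sample_message("colleague@example.org", "photos.zip",
                                            locked, "The password is 12345")))
    # Ordinary archive carrying a document: readable, nothing executable, allowed.
    plain = build_sample_zip("report.pdf", b"%PDF-1.4 sample", encrypted=False)
    print(scan_message(build_sample_message("colleague@example.org", "report.zip",
                                            plain, "See attached")))
```

The point of the quarantine verdict is that "cannot be scanned" is not the same as "clean": a gateway that only blocks what its engine positively identifies will pass an encrypted archive straight through, which is the gap the password-protected variant exploited.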

The best prevention is education: users should NOT open an attachment until they are certain it contains benign material. If you receive an unexpected email with an attachment, even one that appears to come from someone you know, contact the apparent sender by some means other than replying to the email (the return address may be spoofed) and ask whether the email is legitimate.

PCs compromised by malicious code will be disconnected from the University network immediately and will not be reconnected until cleared by TSU. No computer should be attached to the University network without the permission of Client Services. It is the responsibility of the user concerned to ensure that any computer to be plugged into the network is clear of malicious code.

For more hints on avoiding viruses, see http://us.mcafee.com/virusInfo/default.asp?id=tips