Fwd: US-CERT Cyber Security Alert SA04-079A -- Continuing Threats to Home Users
- This is rather long, but it is along the same line as earlier e-mails
from others in the group. I have been getting a lot of Netsky viruses
lately in attachments from people I don't even know. My Norton Antivirus
is catching them. As luck would have it, I received this alert from CERT
about this virus and others. I pass it on to you as it makes a great deal
of sense and I don't want to see anyone I know infected with one of these
viruses. It could slow their computer down as the virus tries to send
messages out and/or compromise the security of their files. I hope you or
someone you know will find this useful.
National Cyber Alert System
Cyber Security Alert SA04-079A - Continuing Threats to Home Users
Original release date: March 19, 2004
Last revised: --
There are a number of pieces of malicious code spreading on the
Internet through email attachments, peer-to-peer file sharing networks
and known software vulnerabilities.
Intruders target home users who have cable modem and DSL connections
because many home users do not keep their machines up to date with
security patches and workarounds, do not run current anti-virus
software, and do not exercise caution when handling email attachments.
Everyone should take precautions, patch vulnerabilities, and recover
if you have been compromised.
US-CERT is currently tracking the incident activity related to several
pieces of malicious code - Phatbot, W32/Beagle, W32/Netsky and
* Phatbot Trojan Horse
The Phatbot Trojan Horse is a piece of malicious code that allows
a remote attacker to control a large number of systems. Phatbot
attempts to propagate by exploiting vulnerabilities in the
Microsoft Windows operating system for which users have not
applied the available patches. If your computer is infected a
remote attacker will have access to your files and programs.
* W32/Beagle Virus
The W32/Beagle virus is a mass-mailing virus that arrives as an
attachment to an email message. To be infected, a user must open
the attachment. There are many variants of this virus. Some may
require a password which is included in the email message.
* W32/Netsky Virus
The Netsky.B virus, described in IN-2004-02, is a mass-mailing
virus that attempts to propagate either as an attachment to an
email message or by copying itself to Windows network shares.
* W32/MyDoom Virus
The MyDoom virus, described in TA04-028A, is a mass-mailing virus
that attempts to propagate as an attachment to an email message.
There are steps you can take to better protect your system from these
1. Apply Patches
Many viruses spread by exploiting known vulnerabilities in
unpatched systems. It is very important for users to apply
security-related patches to their operating systems and
2. Install and Maintain Anti-Virus Software
US-CERT strongly recommends using anti-virus software. Most
current anti-virus software products detect and alert the user of
viruses. It is important to keep them up to date with current
virus and attack signatures supplied by the software vendor. Many
anti-virus packages support automatic updates of virus
definitions. We recommend using these automatic updates when
3. Deploy a Firewall
US-CERT also recommends using a firewall product. In some
situations, these products may be able to alert users to the fact
that their machine has been compromised. Furthermore, they have
the ability to block intruders from accessing backdoors over the
network. However, no firewall can detect or stop all attacks, so
it is important to continue to follow safe computing practices.
4. Follow Best Practices
The technical measures listed above do not provide a complete
solution for securing a system. There are some best practices you
+ Do not download, install, or run a program unless you know it
was written by a person or company that you trust.
+ Email users should be wary of unexpected attachments. Be sure
you know the source of an attachment before opening it. Also
remember that it is not enough that the mail originated from
an email address you recognize. Many viruses spread precisely
because they originate from a familiar email address.
+ Users should also be wary of URLs in email or instant
messages. URLs can link to malicious content that in some
cases may be executed without user intervention. A common
social engineering technique known as "phishing" uses
misleading URLs to entice users to visit malicious web sites.
These sites spoof legitimate web sites to solicit sensitive
information such as passwords or account numbers.
+ In addition, users of Internet Relay Chat (IRC), Instant
Messaging (IM), and file-sharing services should be
particularly careful of following links or running software
sent to them by other users. These are commonly used methods
among intruders attempting to build networks of distributed
denial-of-service (DDoS) agents.
For additional information about securing home systems and
networks, please see the references below.
If the protective measures above, or other indicators, reveal that a
system has already been compromised, more drastic steps need to be
taken to recover. In general, the only way to ensure that a
compromised computer is free from backdoors and intruder modifications
is to re-install the operating system and install patches before
connecting back to the network. Sometimes using an anti-virus software
package to "clean" the system may not be enough.
* Cyber Security Alert SA04-079A
* Before You Connect a New Computer to the Internet
* Home Network Security
* Home Computer Security
* Understanding Firewalls
* Good Security Habits
* Choosing and Protecting Passwords
Author: Brian B. King, Damon Morda
Copyright 2004 Carnegie Mellon University.
March 19, 2004: Initial release