
Engineering Building Infected?

Started by seven, 2008-09-10T13:37:51-05:00 (Wednesday)


seven

I'm hearing rumors of some massively infectious virus on the EB servers.

Can we get any official word on this?  Scope?  Vector?  Payload?

-Michael

Gregory Bartholomew

Yes, there is a virus going around that Sophos, the anti-virus software purchased and used in the SIUE computer labs, does not catch.

I don't remember what all names and aliases the virus is known by, but it is quite easy to see if a computer is infected with the virus.

Symptoms:

The virus uses the hidden files feature of Microsoft file systems and, to prevent users from viewing hidden files, it removes the "Folder Options" option that is normally listed under the "Tools" menu of Windows Explorer (thereby preventing people from selecting the option "view hidden files" that is listed in the "Folder Options" dialog).

The virus creates a folder called "XPCode" under C:\Program Files and shares it out to the network with permissions granted for everyone to read the contents.  The contents are a few executables labelled as games and what appears as a folder named "games" but is actually another executable (so if you click it thinking that you will be safe just viewing the contents, you will unwittingly be executing the virus on your system).

The virus also propagates by promptly copying two hidden files named "autoply.exe" and "autorun.inf" to any thumb drive that is connected to an infected computer (you should keep an eye out for these files on your thumb drive else you may be spreading the virus).

The virus also creates one or both of the links "AdobeUpdate" and "Office Update" under the Start Menu - Startup folder such that the virus will get executed every time the computer is logged into.

I just got some printouts from Phil Busey about the virus which say that it is known as "W32/Malas-A", "W32/Malas-B", "W32/Malas-C", and "W32/Bindo" and spreads via removable storage devices, network shares, and peer-to-peer connections.

The printouts list several more modifications that the virus makes to the system, but they are many more than I care to transcribe here.

gb
......
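
The file-system symptoms listed in the post above, written as a check that can be pointed at a thumb drive root, a Program Files directory and a Startup folder. This is an added example, not code from the thread or from ITS; the function names and the three directory arguments are assumptions, and the network share and missing "Folder Options" symptoms are not checked.

```python
import os
import sys

# Indicator names come from the post above; compared case-insensitively.
DRIVE_FILES = {"autoply.exe", "autorun.inf"}
STARTUP_NAMES = {"adobeupdate", "office update"}
DROP_FOLDER = "xpcode"


def _entries(path):
    """Directory entries, hidden ones included; empty if unreadable."""
    try:
        return sorted(os.scandir(path), key=lambda e: e.name.lower())
    except OSError:
        return []


def check_drive(root):
    """Indicator files in the root of a removable drive."""
    return [e.path for e in _entries(root)
            if e.is_file() and e.name.lower() in DRIVE_FILES]


def check_program_files(program_files):
    """The XPCode folder plus every file in it (the post notes that one
    executable there is disguised as a folder named "games")."""
    hits = []
    for e in _entries(program_files):
        if e.is_dir() and e.name.lower() == DROP_FOLDER:
            hits.append(e.path)
            hits += [f.path for f in _entries(e.path) if f.is_file()]
    return hits


def check_startup(startup):
    """Startup-folder entries named AdobeUpdate or Office Update."""
    return [e.path for e in _entries(startup)
            if os.path.splitext(e.name)[0].lower() in STARTUP_NAMES]


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check.py DRIVE_ROOT PROGRAM_FILES STARTUP_FOLDER")
    drive, program_files, startup = sys.argv[1:4]
    findings = (check_drive(drive) + check_program_files(program_files)
                + check_startup(startup))
    print("\n".join(findings) or "no indicators from the post found")
    sys.exit(1 if findings else 0)
```

Because the script only lists directory entries, a thumb drive can be checked from a machine that does not process autorun.inf.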

Jerry

From ITS:

Some computers in the Engineering building have been diagnosed as having a virus.  This virus is transmitted through thumb drives / USB Drives. 

If you have used a thumb drive in the Engineering Building in the last week, we recommend that you bring that thumb drive to the Engineering Building Room 2025 or to ITS Support in Room 0005 of Lovejoy Library. Your thumb drive can then be scanned for the virus.  If you believe your thumb drive has been infected, do not use it in any other machine until it has been scanned for the virus.

If you have any questions, please contact ITS Support at 650-5500
"Make a Little Bird House in Your Soul" - TMBG...