Sunday, February 05, 2006
A Tale of Two Virus Warnings
Subject: Vulnerability notification
Good Evening,
We're writing to let you know that there is an email worm that is spreading and is very dangerous. If your computer is infected with this worm, it will delete files like Word documents from your computer on the 3rd of every month, beginning this Friday, February 3rd.
Computers that are running up-to-date antivirus software should catch this worm and prevent it from installing on your computer. [Our] version of McAfee Antivirus (available from the Computer Services website) updates automatically every day. However, we strongly encourage all faculty and staff members to take time today to check their antivirus software, make sure it is updated, and run an antivirus scan of their computer.
For more information about this worm, see
[link to slightly more information]
For assistance with your antivirus software:
[Our] faculty and staff: please contact the [Our] Help Desk at [phone number] or by email at [email address].
Students and residential affiliates: please contact the Student Help Desk at [phone number] or by email at [email address].
The good: The email contained a link to a page that contained a link to enough information to figure out what this was all about.
The bad:
- The subject line. It looks too much like the kind of subject line that would be in a hoax virus email.
- No information about who is vulnerable. The warning says "your computer." Computers are not affected by viruses and worms. Computer software is. In this case, the target was Microsoft Windows. Users with Macs and Linux PCs were unaffected.
- The incredible damage claim. The more incredible the damage claim (deletes important files), the more likely I am to disbelieve a warning. It's a tactic used by hoaxsters all the time. So, in order to set aside my disbelief, I would want more information.
- No indication of how it was spread. The warning calls it an "email worm." It does not specify whether it was spread by a vulnerability in the operating system (in which case, everyone with the same OS is vulnerable), or a specific email program. In reality, it was a social engineering attack! I don't even know whether I would consider it a "worm," but that seemed to be the standard terminology the anti-virus people were using. This one only spread by highly insecure email clients that automatically run attachments and by stupid people who open and run all attachments they get.
And, here's the one from the department (Institution and department name both redacted):
Subject: Please read: Important Windows security information
Good morning,
Some of you may have seen the message from [Faculty] regarding a malicious Windows worm that is set to turn on tomorrow. ([Another faculty] may have sent something similar, as well.) This infection is already present on thousands of un-protected Windows computers and is programmed to switch on tomorrow, Feb. 3rd. Once started, the worm will begin over-writing or erasing Word documents, PDF files, Excel files and several other file types on both the local drive _and any connected network share_.
There is some debate over how wide-spread this threat will actually turn out to be, but there is one inescapable agreement: If you have it on an unprotected machine, it will attempt to destroy data and spread itself. Please consider this ounce of prevention, as the pound of cure is much more expensive.
FACULTY/RESEARCH/UNDERGRAD/HOME
I urge faculty, undergrad and research users (as well as laptop users, home PC users) who are using Windows to make certain they are running anti-virus software on their machines and that it is set to update automatically. Current anti-virus definitions should stop and remove this worm when found.
[Faculty] provides McAfee VirusScan on its computing site:
[Download website] (Listed as 'VirusScan')
ADMINISTRATIVE STAFF/G1/G2
[Department] administrative staff computers as well as machines in the grad student commons (1st & 2nd year) are under strict control and users of those machines do not need to take any additional steps today. We will be surveying them behind the scenes and possibly by visiting your desk. You are, however, reminded that your personal laptop or home machine could be infected and you should take all necessary steps to ensure that your personal machine is protected, especially if you intend to interface with [Institution]'s network in any way (Dial-up, VPN, etc.).
ADDITIONAL
* Machines found to be attempting to spread this (or any other) threat may be disconnected from the network by [Faculty] without warning.
* This virus has no bearing on MacOS/OSX and Linux users (except those rare users who use Windows emulation software such as VirtualPC or VMware - please ensure your virtual Windows machine, if you use one, is running anti-virus software).
* If your Windows workstation was provided by us and requires you to log onto the [Department] domain (you have a Z:\ drive) and you do not have administrative privileges, then [Department] Computer Services is responsible for this machine. All other machines are the responsibility of their owner.
* If you are interested in learning more about this worm (which goes by various names - KamaSutra, Blackworm, Nyxem-D and W32.blackmail.e) visit: http://www.lurhq.com/blackworm.html
* If you are concerned that you may have this worm or think you may have recently opened a suspicious attachment, I will be providing a CD containing F-Secure's F-Force utility (and latest updates file) which you can use to help clean the infection from your machine. I will leave several copies at the reception desk at [Building and Room number]. Please view the "readme" file on the CD for instructions on running it.
Thanks,
[Sender's Name]
===================================
Systems Administrator - [Institution] [Department]
[email address]
Notice how much more information was given. The email was written in a much calmer, less alarmist tone, which is uncommon for virus hoaxes, making it more believable. It also specifies all the information a user would need to know to determine whether his/her machine was vulnerable, and what to do to ensure it wasn't. This is a good example of how to write a real virus warning.