Educause Security Discussion mailing list archives
Re: bugbear variant
From: "St. Laurent, Tim" <tstlaure () RICHMOND EDU>
Date: Thu, 5 Jun 2003 17:15:59 -0400
It is probably a very good idea to block certain extensions at your anti-virus gateway. Filter all incoming, and outgoing if you want to be nice, through this gateway. This would have prevented your campus from being affected by viruses that are in the wild.

Here is a listing of the types of attachments we are blocking at our anti-virus gateway:

*.ad,*.ade,*.adp,*.asd,*.asp,*.asx,*.bas,*.bat,*.bin,*.cab,*.cgi,*.chm,*.cil,
*.cmd,*.com,*.cpl,*.crt,*.dll,*.drv,*.eml,*.exe,*.hlp,*.hta,*.inf,*.ins,*.isp,
*.js,*.jse,*.lnk,*.mda,*.mdb,*.mde,*.mdz,*.msc,*.msi,*.msp,*.mst,*.mtx,*.nws,
*.ocx,*.pcd,*.pif,*.prf,*.reg,*.scf,*.scr,*.sct,*.sh,*.shb,*.shs,*.sys,*.url,
*.vb,*.vba,*.vbe,*.vbs,*.wms,*.wmd,*.wmz,*.ws,*.wsc,*.wsf,*.wsh

I realize that there are going to be some that say that we are blocking legitimate attachments and therefore disrupting the "academic freedom" philosophy. However, we decided that we could not live with that risk in today's world.

Tim

---------University of Richmond----------
Tim St. Laurent, CISSP, RHCE, MCSE
Security Administrator
*tstlaure () richmond edu
*804-289-8655

-----Original Message-----
From: Theresa M Rowe [mailto:rowe () oakland edu]
Sent: Thursday, June 05, 2003 4:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bugbear variant

We have been hit hard with this today. It is particularly ugly. We have Sophos at the gateway, and Norton Corporate Edition at the desktop, and the variant hit before either had an anti-virus definition available. We got definitions from Sophos at 11:30 AM and Norton at 1:30 PM. We are now doing the clean-up. While the virus seems to be stopped, it leaves behind hooker.trojan in keystroke capturing mode, and that is proving extremely difficult to clean up.

Theresa Rowe

---- Original message ----
Date: Thu, 5 Jun 2003 14:43:55 -0500
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Subject: [SECURITY] bugbear variant
To: SECURITY () LISTSERV EDUCAUSE EDU

I received a phone call a short while ago from DHS, indicating that a new variant of Bugbear was spreading, mostly among financial institutions. That's all they told me. We haven't received reports of infections here at IU yet. But, information about it can be found at http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html, or probably also at your favorite AV vendor site.

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services