Educause Security Discussion mailing list archives

Re: bugbear variant


From: "St. Laurent, Tim" <tstlaure () RICHMOND EDU>
Date: Thu, 5 Jun 2003 17:15:59 -0400

It is probably a very good idea to block certain extensions at your
anti-virus gateway.  Filter all incoming, and outgoing if you want to be
nice, through this gateway.  This would have prevented your campus from
being affected by viruses that are in the wild.  Here is a listing of the
types of attachments we are blocking at our anti-virus gateway:

*.ad,*.ade,*.adp,*.asd,*.asp,*.asx,*.bas,*.bat,*.bin,*.cab,*.cgi,*.chm,*.cil,
*.cmd,*.com,*.cpl,*.crt,*.dll,*.drv,*.eml,*.exe,*.hlp,*.hta,*.inf,*.ins,*.isp,
*.js,*.jse,*.lnk,*.mda,*.mdb,*.mde,*.mdz,*.msc,*.msi,*.msp,*.mst,*.mtx,*.nws,
*.ocx,*.pcd,*.pif,*.prf,*.reg,*.scf,*.scr,*.sct,*.sh,*.shb,*.shs,*.sys,*.url,
*.vb,*.vba,*.vbe,*.vbs,*.wms,*.wmd,*.wmz,*.ws,*.wsc,*.wsf,*.wsh

I realize that there are going to be some who say that we are blocking
legitimate attachments and therefore disrupting the "academic freedom"
philosophy.  However, we decided that we could not live with that risk in
today's world.

Tim

---------University of Richmond----------
Tim St. Laurent, CISSP, RHCE, MCSE
Security Administrator
*tstlaure () richmond edu
*804-289-8655
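
The extension filter described in the message above, as an added Python example; it is not part of the original post and not the gateway product's own configuration. The function names and the sample message are constructed for illustration; the extension list is the one posted above.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension list as posted in the message above.
BLOCKED = frozenset("""
ad ade adp asd asp asx bas bat bin cab cgi chm cil cmd com cpl crt dll drv eml
exe hlp hta inf ins isp js jse lnk mda mdb mde mdz msc msi msp mst mtx nws ocx
pcd pif prf reg scf scr sct sh shb shs sys url vb vba vbe vbs wms wmd wmz ws
wsc wsf wsh
""".split())

def blocked_extension(filename):
    """Return the blocked extension a filename ends in, or None."""
    # Only the last extension decides how the file opens ("x.doc.pif" is a
    # .pif); trailing dots and spaces are dropped before the comparison.
    name = filename.strip().rstrip(". ").lower()
    ext = name.rpartition(".")[2] if "." in name else ""
    return ext if ext in BLOCKED else None

def scan_message(raw):
    """Return [(filename, extension)] for each MIME part with a blocked name."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition filename and falls
        # back to the Content-Type name parameter.
        fname = part.get_filename()
        ext = blocked_extension(fname) if fname else None
        if ext:
            hits.append((fname, ext))
    return hits

def build_sample():
    """Constructed test message with three attachments (not real traffic)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("resume.doc.pif", "photo.jpg", "SETUP.EXE"):
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A name-based check like this looks only at the declared attachment name; it does not inspect file contents or look inside archives.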




-----Original Message-----
From: Theresa M Rowe [mailto:rowe () oakland edu]
Sent: Thursday, June 05, 2003 4:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bugbear variant


We have been hit hard with this today.
It is particularly ugly.  We have Sophos at the gateway, and Norton
Corporate Edition at the desktop, and the variant hit before either had an
anti-virus definition available.  We got definitions from Sophos at 11:30 AM
and Norton at 1:30 PM. We are now doing the clean-up.

While the virus seems to be stopped, it leaves behind hooker.trojan in
keystroke capturing mode, and that is proving extremely difficult to
clean up.

Theresa Rowe




---- Original message ----
Date: Thu, 5 Jun 2003 14:43:55 -0500
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Subject: [SECURITY] bugbear variant
To: SECURITY () LISTSERV EDUCAUSE EDU

I received a phone call a short while ago from DHS, indicating that a
new variant of Bugbear was spreading, mostly among financial
institutions.  That's all they told me.  We haven't received reports of
infections here at IU yet.

But, information about it can be found at
http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html, or
probably also at your favorite AV vendor site.

M.

--
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/.
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
