When news about a virus, worm, or related item has been on our headline news page awhile, we move it to here, where we also keep some supplemental information about security issues.

This page is only scattered information about a few security issues that, for one reason or another, get particular attention here. The vast majority of security incidents/issues do not appear here. In other words, do not rely on this page for security information.

WTC virus - appeared September 24, 2001

This is a damaging virus

The virus arrives as an email attachment WTC.EXE or by infection from an infected web server.  Opening the emailattachment runs the program, which begins by deleting virus scanners.  One report says it deletes many more files, another says it even reformats the C: drive.

McAfee has a page on this virus.  Other anti-virus vwendors probably do also.

Nimda virus/worm - appeared September 18, 2001

Nimda is particularly virulent, spreading extremely rapidly and using much of the net's resources to do so. It infects users of Internet Explorer and Outlook. It spreads both by email and by infecting Microsoft-based web servers. It exploits a vulnerability patched by this Microsoft security patch.

"PLAGE2000" worm - Feb 1, 2001

Yet another worm (similar to a virus) has begun infecting our users.  For information on this worm, see the  Computer Associates warning  or check other anti-virus websites.

No-longer-free virus scanner

The previously-free CAI virus scanner from CAI is no longer free.

"Hybris.gen" virus

WARNING:  This virus modifies Windows' Dial-Up Networking.  After removing the virus, you must re-install Dial-Up Networking.  You may need your original Windows installation CD.

A number of our users have become infected with this virus.  The virus attempts to propagate itself by email, and many of these attempts are failures that cause the mail to wind up in the NetHeaven post office as dead letters.  As a result, we become aware of infected users.

If you received email from us telling you that you are infected with this virus and that you should view this page, then this has happened to email from the virus on your computer.  You need to use a virus scanner to clean your system of the virus.  McAfee and Norton both have web pages on this virus:

 McAfee page on the Hybris.gen virus

 Norton (Symantec) page on the Hybris.gen virus

"Eyedog" IE5 vulnerability

Users[*] of Internet Explorer 5 or Microsoft Office 2000 should visit this URL:

http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm

and download and install the scriplet to fix an important IE5 vulnerability.  (Make sure the link actually takes you to www.microsoft.com.)

Your virus scanner cannot protect you from exploitation of this vulnerability.  Partly for that reason, this is fast becoming the vulnerability of choice for Internet vandals.  This is not a new vulnerability; Microsoft posted a bulletin about it many months ago.

[*] You do not have to be an actual user; you are vulnerable if the software is just installed on your PC.

"ILOVEYOU" virus - update

We have reports that variation of this virus are circulating now.  These are changed in ways designed to circumvent the filtering against this virus now in place at many sites, including here.

ILOVEYOU is a DESTRUCTIVE virus/worm - May 4, 2000

This virus/worm has been causing havoc all over the Internet.  Users familiar with editing the Windows Registry can use these instructions for manual removal from a posting by Krzysztof Zagrodzki, kzagrodzki@unizeto.pl (Poland):

• From key:  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

Remove:
"MSKernel32.vbs"
"WIN-BUGSFIX.exe"
• From key:  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

Remove:
"Win32DLL.vbs"
• Change key:  "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page"

to be:
"about:blank"
• Restart system and remove files:
"MSKernel32.vbs"
"Win32DLL.vbs"
"LOVE-LETTER-FOR-YOU.TXT.vbs"
"WIN-BUGSFIX.exe"

These instructions probably will not completely remove this virus.  It picks the places to hide itself based on what is already on the computer it infects, destroying the original file in the process.  Users whose systems have been infected should be especially wary of any files ending with ".vbs".

On November 17, 1999 Microsoft released a new patch for the Internet Explorer "Javascript Redirect" vulnerability.  This is an update to the October 18 patch for the same vulnerability.  We urge all Internet Explorer users to download and apply this patch.  See the Microsoft announcement for instructions and information.  We also want to remind users that both the Microsoft security page and the Netscape security page exist and are important resources for users of these companies' software.  These security resources do you no good if you don't use them, and if you use the Internet you are at risk.

Like Melissa, ExploreZip distributes itself as an email attachment.  The similarity ends there, however, as ExploreZip proceeds to hunt down and delete files from your system, especially .doc, .xls, and .ppt files.  People who write software may also find their source code files are targets also.  This is a vicious one, and rumor has it that Microsoft got bitten.  For more information, see  http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp

On June 14th CERT  issued an updated advisory on this virus/worm.  If you updated your virus scanner prior to June 15th (1999), do it again.  This is no ordinary virus.

Melissa is a Microsoft Word macro virus that propagates by emailing itself.  When Word opens an infected file the virus emails an infected document to the first 50 people in your Outlook address book.  For more information see http://vil.mcafee.com/vil/vm10120.asp .

ProMail is a free email program for Windows 95/98.  Version 1.21, generally available as proml121.zip,  is a "Trojan horse" program that emails personal information about you to an address at a free email service.  Nominally, it is a mail-reading program, reportedly with attractive features, such as the ability to deal with multiple email accounts.  However, when an email configuration is created, the program emails it, complete with passwords and all available information entered by the user, to an address at NetAddress, a free email service.

Whether other versions of this program are Trojans is not currently known.

A number of our users have had their systems infected by a worm (similar to a virus) called happy99.  This worm propagates itself by email, sending itself as an attachment.  If you have received it and opened the attachment, your system is probably infected.  For more information about this worm, see  http://www.netheaven.com/happy99.html .