April 28, 2004
To: UCOP Personnel
From: Patrick Collins, Director, IR&C Information and Communication Services
Recent Worm Attack
On April 20, many UCOP employees received a barrage of e-mail
messages with worm-infected attachments. I am writing to explain the
nature of that attack and to tell you about steps IR&C is taking
to minimize the impact of future attacks.
Last week's attack was a new variant of the Netsky e-mail worm. For
the first few hours after a new worm or virus appears, a window of
vulnerability exists before vendors develop automated virus scanning
tools to combat that particular worm or virus. This is why UCOP employees
initially received infected attachments: Neither the UCOP e-mail server's
virus scanner nor our desktop anti-virus software had the tools to
identify the attachment as a worm. As with other recent worms, the
Netsky worm spoofs the sender's address--using e-mail addresses found
on infected computers--to try to trick the recipient into opening
the infected attachment. At UCOP approximately 130 recipients opened
the attachments, thus infecting their own computers and triggering
further propagation of the worm both inside and outside of UCOP.
As quickly as possible, IR&C reconfigured the e-mail server to
delete the infected attachments, identified the infected computers,
and asked PC Coordinators to immediately disconnect infected computers
from the network and clean them. As soon as virus scanning tools were
available, we installed them on the e-mail server and desktops.
New Policy for Managing Worm/Virus Attacks
To better manage the vulnerability window after new viruses
appear and before virus scanning tools are available, IR&C has
decided to begin automatically deleting a large number of suspect
e-mail attachment files that almost never are relevant to typical
e-mail users. Microsoft Office files, PDF files, and other commonly
used files will not be deleted. You may obtain the specific criteria
that will be used to block suspect attachments from your departmental
PC Coordinator. When attachments are deleted, you will receive the
original message along with the alert that appears below:
= = = = = = = = = = = = = = = = = = = =
WARNING: UCOP MAIL SCANNER ALERT
This message had the following potentially dangerous attachment(s)
(filename) removed due to virus detection or violation of file name
policy. Your PC Coordinator has more information about blocked file
names.
WARNING: UCOP MAIL SCANNER ALERT
= = = = = = = = = = = = = = = = = = = =
We realize that by taking this action there is a small risk of our
withholding legitimate attachments, but we believe this risk is far
outweighed by the benefit of reducing our vulnerability during future
virus and worm attacks. Many other private and public organizations
are taking similar steps to ensure a secure computing environment.
Think Twice before Opening Attachments
Please do not open any attachment unless you are sure the
sender meant to send it to you; infected messages are often sent using
the addresses of people you know. The legitimacy of a message is usually
evident by the text in the body of the e-mail. If you are unsure about
an attachment, please ask your PC Coordinator to assess its validity.
If you inadvertently open an attachment that initiates suspicious
activity on your computer, immediately notify your PC Coordinator.
Definitions of Terms
Computer worm: http://encyclopedia.thefreedictionary.com/Computer+worm
Computer virus: http://encyclopedia.thefreedictionary.com/computer%20virus
For Information
Contact IR&C Desktop Computing Services at 987-0457 or
pchelp@ucop.edu if you have questions or concerns.