noticeboard.ru.ac.za

2010/11/05 - E-mail Virus Circulating Rapidly
There's currently a virus in wide circulation at Rhodes. This virus is not yet detected by any of the major anti-virus software (F-Secure, AVG, Kaspersky, NOD32, Microsoft Security Essentials, Trend, Avast, etc) and is therefore spreading rapidly.

The virus is distributed via e-mail and appears to be a message from various e-card and social messaging sites. Known addresses used by the virus are invitations@hi5.com, invitations@twitter.com, e-cards@hallmark.com, resume-thanks@google.com, and update@facebookmail.com. The e-mail message contains a ZIP file. These files have various names (Postcard.zip, Facebook message.zip, Invitation Card.zip, etc). Each ZIP file contains a single executable, usually document.exe.
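
The pattern described above (a listed sender address plus a ZIP attachment holding an executable) can be checked by looking inside the attachment rather than at its extension alone. The following is an added example, not part of the original notice and not the configuration of the Rhodes mail servers; the function names, the extra suffixes beyond .exe, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Sender addresses listed in the notice above.
SPOOFED_SENDERS = {
    "invitations@hi5.com", "invitations@twitter.com", "e-cards@hallmark.com",
    "resume-thanks@google.com", "update@facebookmail.com",
}
# Assumption: the notice only names .exe; the other suffixes are added here.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")

def zip_executables(data):
    """Return executable member names in a ZIP, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return None

def inspect_message(raw):
    """Return the reasons a raw RFC 5322 message matches the notice's pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    if sender in SPOOFED_SENDERS:
        reasons.append(f"sender {sender} is on the notice's list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = zip_executables(part.get_payload(decode=True) or b"")
            if members is None:
                reasons.append(f"{name}: unreadable ZIP")
            elif members:
                reasons.append(f"{name}: contains executable {', '.join(members)}")
    return reasons

def build_sample(sender, zip_name, member, content):
    """Constructed test message: a ZIP attachment holding one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", "You have a postcard"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Calling `inspect_message(build_sample("invitations@hi5.com", "Postcard.zip", "document.exe", b"placeholder"))` returns two reasons, while a ZIP holding only a text file from an unlisted sender returns an empty list.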

Under no circumstances should you open this .exe file. It is a virus that will infect your computer, and then begin to distribute itself. Remember that, in general, you should never open attachments unless you are expecting to receive them.
In order to contain the spread of this virus, we've configured our mail servers to reject any file with a .zip extension. This will prevent the virus from spreading further, but it will also prevent people from sending legitimate .zip files by e-mail.

If you need to distribute a file as a .zip, please use one of the web-based file sharing services. Rhodes users can upload their files to http://files.ru.ac.za/.
We've configured the IMAP server to deliver a broadcast message on login. Unfortunately the webmail client (Horde) does not support these properly and causes logins to fail. As a result, people will currently be unable to log in to webmail.

This is a temporary situation to disseminate information as quickly as possible. We'll remove the message at around 2.30PM. Once this happens, webmail logins will start working again.
The anti-virus software we use on our mail servers now has signatures to detect this virus (it's known as Win32.Buzus-8522). As a result we've removed the restriction on sending ZIP files; you can now send these attachments as normal.

We've also configured our outgoing mail servers (but not the incoming ones) to reject messages with a sender of e-cards@hallmark.com, invitations@hi5.com, invitations@twitter.com, resume-thanks@google.com, order-update@amazon.com, and update@facebookmail.com. These are the five addresses we've seen this virus attempt to use.
Whilst F-Secure, which is widely used at Rhodes, now correctly detects this virus as Win32.Buzus, it is unable to remove it properly. This is true of several other anti-virus products we've tested.

If your PC is infected, please find instructions for removal at http://noticeboard.ru.ac.za/docs/buzus-removal.pdf.
If your PC is seeing an ERR_MANUAL_VIRUS error message when trying to access the Internet, then you're almost certainly infected with this virus. We're detecting infections as they attempt to mail copies of the virus out to other users on our network.

If you're receiving this error, please follow the instructions it contains. Note that we'll only remove you from our block list once we've verified that your machine is no longer attempting to infect people. Because of the large number of people who're infected, we'll be doing this in batches twice a day. Thus you can expect it to take up to a working day after you've informed us you've cleaned your machine before we reinstate your Internet access.