Skip to main content

IT@Cornell


Security Alert: New E-mail Virus

Date: Sep 10, 2010

Status: Closed

Description:

The link in the message -- there is no attachment -- takes advantage of the old Windows dual
filename extension issue. It appears as a fairly innocuous PDF but executes as an SCR or EXE.

Once resident on the target system, the malware then sends new e-mail enticements to everyone in the local Outlook address book.

McAfee has a nice writeup here:

http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-repor
ting-of-here-you-have-virus/

As does SANS:

http://isc.sans.edu/diary.html?storyid=9529

Updates:

09/10/2010 12:35 PM: It appears the original download site for the bogus PDF/SCR has been taken down, though we've tactically DNS poisoned it for good measure.

Sophos, which we use for scanning electronic mail, and Symantec Endpoint Protection, both have recently released virus definitions that block the current examples of this virus. The SEP definitions are very recent, so an update is probably in order.

Cornell, like most other universities we've heard from, is seeing little to no presence of this virus on campus.

See all open alerts

See all security alerts