From: Ritchey, Gail (COT)
Sent: Monday, April 02, 2007 11:25 AM
To: COT Constitutional CIO Security Contacts; COT Cabinet CIO Security Contacts; COT Commonwealth Technology Council
Cc: COT Exchange Administrators; COT Security Alert Contacts; COT Security Contact COT-Support; COT Security Contact Pass; COT Security Contact Self-Support; COT Technical Contacts; SecurityContacts Group
Subject: COT Security Alert: Fraudulent Microsoft Email Update
COT Security Alert
COT recently issued an Alert about an email claiming to come from Microsoft that enticed users to install Microsoft Internet Explorer 7 by clicking on a graphic image embedded in the email. McAfee calls this infection W32/GRUM. Research on the virus in the COT lab and from other sources has revealed more information about the infection.
Although McAfee has issued updated DATs which help to clean the infection, the infection included a "rootkit". A rootkit is a piece of code that can change and hide its true behavior. Basic operating system files can be changed to report normally, even though they are not normal at all. Devices infected with a rootkit are no longer secure. The behavior or extent of system compromise on devices that have been infected with a rootkit is not easily determined. While "cleaning" the system with McAfee may appear to be effective temporarily, it is not reliable. COT recommends that all devices infected with W32/GRUM be reformatted and rebuilt as soon as it is practical.
NOTICE: COT is providing this information so that you are aware of the latest security threats, vulnerabilities, software patches, etc. You should consult with your network administrator or other technical resources to ensure that the appropriate actions for these alerts are followed. If you are a network administrator and need additional information, please call the Help Desk at 502.564.7576.
Security Administration Branch
Division of Technical Services
Commonwealth Office of Technology
1266 Louisville Rd., Perimeter Park
Frankfort, KY 40601
Commonwealth Service Desk Phone: 502.564.7576
ServiceCorrespondence@ky.gov
COTSecurityServicesISS@ky.gov