This section displays more recently reported viruses that appear to be a HIGH threat.
ITD HAS RECEIVED INCREASED REPORTS ABOUT A TROJAN VIRUS INFECTING SOME DISTRICT MACHINES: The Trojan.Vundo.B can be received from a computer that is sharing files on the network. Please visit this link for removal information: Trojan.Vundo.B
Please note: Using any removal tool requires you to start Windows in SAFE MODE. Follow these instructions from the Microsoft web site for starting Windows in SAFE MODE: How to Use Safe Mode to Troubleshoot Setup Problems
Blackworm Virus: As mentioned on the Tech Support home page, this virus will attempt to delete/overwrite certain document files on your system. ITD is working to make sure we are protected as a District. You want to make sure that, as always, you keep your anti-virus and operating system files up to date.
Note: There is a potential that your computer can become infected by this virus before your computer's virus definitions have been updated. At this point you will need to run a separate removal tool. You can get more information about this virus, and the removal tool, from the District's anti-virus software provider Symantec: http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html
Worms Target Unpatched Windows Systems: A new worm and its variants, called Zotob and RBOT, have been unleashed and affect Windows systems that don't have the latest patches installed. Microsoft released the patch last week to correct problems with the Plug and Play service. The vulnerability affects Windows 2000, Windows XP, and Windows Server 2003.
You can obtain more information on how to keep your system software updated by visiting our SOFTWARE page. More information about viruses and how to protect yourself from them can be found on our VIRUS INFORMATION page.
Virus sending bogus account deletion messages: Mytob is a new virus that appears to be spoofing certain addresses, such as webmaster@lausd.net, webmaster@lausd.k12.ca.us, support@lausd.net, etc., and warning users that their account will be deleted. Note: These are false messages. These addresses would never be used to send out a message of this type. You can find more information about this virus at the Symantec web site by clicking here
Worm virus sends German SPAM e-mail: Sober.q began spreading quickly online over the weekend. Some E-mail users are reporting a barrage of German-language SPAM being received in their in-boxes recently.
You should immediately check for the most recent SAV virus files from Symantec. For instructions on how to perform this update, either automatically or manually, look for instructions on our Software Information page.
LAUSD E-mail Users Beware:
There appears to be a new version of an old virus that is making its way around the Internet. These types of messages intend to "fool" the recipient into believing this message is from someone of authority on their mail system.
I have been assured by our Security group that we would not send a message like this from the address and "team name" it used. We would give a specific name or would give our Help Desk information as a source to contact.
Customers can safely ignore this, and any future message of this type, unless they come from the Help Desk.
SECURITY AND VIRUS ADVISORIES (01/26/06)
Blackworm Virus: This virus will attempt to delete/overwrite certain document files on your system. ITD is working to make sure we are protected as a District. You want to make sure that as always, you keep your anti-virus and operating system files up to date.
You can find more information about these items at our Virus information page.
Microsoft Vulnerabilities: A Microsoft Security Bulletin Summary has been issued and contains information on 3 new vulnerabilities. You can view this document on the Microsoft web site at: http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx A reminder: Microsoft has a Malicious Software Removal Tool. To read more information about this tool and to download the software, visit the Microsoft web site: http://go.microsoft.com/fwlink/?LinkId=40573
Also, there are anti-spyware software vendors that provide low-cost or donation-based spyware removal tools. These are helpful in detecting spyware and other malicious software that might become installed on your system due to these vulnerabilities.
TWO MICROSOFT SECURITY ADVISORIES (01/05/06)
Microsoft has announced two serious issues involving the Windows OS. One exploits an "extremely critical flaw" in Windows Metafile Format (.wmf). Currently thousands of sites are distributing exploit code via web sites to others who are using it to perform malicious acts. Microsoft states even fully patched systems are vulnerable to malicious attackers.
One malicious act that is being performed is the distribution of spyware and other unwanted software which replaces users' desktop backgrounds with a message that warns of spyware infection and which prompts the user to enter credit card information to pay for a "spyware cleaning" application to remove the detected spyware.
Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.
Microsoft is currently working on an update that will fix this vulnerability. In the meantime, be careful about opening any suspicious e-mails or visiting unknown sites. Also, make sure you have AUTOMATIC UPDATES enabled on your system. If you don't have AUTOMATIC UPDATES turned on, you can turn it on when you visit the Microsoft Update site. Using a spyware removal/blocker utility is also recommended. LAUSD does not have any recommendations on which ones to use but there are several available at a low or no cost (donations).
A second issue involves the W32/Sober.Z virus. Sober.Z is a mass mailing worm. When first run, it creates the directory "WinSecurity" in the Windows directory and places three copies of itself there under the names "services.exe", "smss.exe" and "csrss.exe".
You should be protected from the virus if you keep your anti-virus software updated on a regular basis. Also, AUTOMATIC UPDATES will make sure your system receives any critical updates that Microsoft may release. Microsoft also has a tool available called the Malicious Software Removal Tool. This is available from the Microsoft web site and will scan your system for any malicious software known to Microsoft. Microsoft expects an update to this tool by January 10 that will help detect these latest threats.
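The Sober.Z file layout described above can be checked for directly. The following is an added example, not part of the original advisory or any vendor tool: it looks for the "WinSecurity" copies and, going one step beyond the advisory, also reports the same system process names in any other unexpected directory (the genuine files live in System32). The function names, the `EXPECTED_DIRS` allow-list and the sample tree are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

# Indicator from the advisory: <Windows dir>\WinSecurity holding copies of the
# worm named after genuine Windows system processes.
SOBER_Z_DIR = "winsecurity"
SYSTEM_NAMES = {"services.exe", "smss.exe", "csrss.exe"}
# Assumption: directories where Windows keeps these binaries or backup copies
# of them; adjust for the Windows version being checked.
EXPECTED_DIRS = {"system32", "dllcache", "servicepackfiles", "i386"}


def scan_windows_dir(windows_dir):
    """Return {'sober_z': [...], 'misplaced': [...]} relative to windows_dir."""
    result = {"sober_z": [], "misplaced": []}
    for dirpath, _dirs, files in os.walk(windows_dir):
        rel_dir = Path(dirpath).relative_to(windows_dir)
        parent = rel_dir.name.lower()  # Windows file names are case-insensitive
        for name in files:
            if name.lower() not in SYSTEM_NAMES:
                continue
            rel = (rel_dir / name).as_posix()
            if parent == SOBER_Z_DIR and len(rel_dir.parts) == 1:
                result["sober_z"].append(rel)    # exact match for the advisory
            elif parent not in EXPECTED_DIRS:
                result["misplaced"].append(rel)  # same name, unusual location
    return {key: sorted(paths) for key, paths in result.items()}


def build_sample_tree(root):
    """Create a constructed tree of empty files to exercise the scan."""
    layout = [
        "system32/services.exe", "system32/smss.exe", "system32/csrss.exe",
        "WinSecurity/services.exe", "WinSecurity/smss.exe",
        "WinSecurity/csrss.exe", "Temp/csrss.exe", "notepad.exe",
    ]
    for item in layout:
        path = Path(root) / item
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_windows_dir(tmp))
```

On a real machine, pass the actual Windows directory (for example the value of `%WINDIR%`) and treat "misplaced" entries as items to review rather than confirmed infections.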
Symantec Anti-Virus software for District computers and District employees' home use. District employees and sites may download anti-virus software here: http://software.lausd.k12.ca.us/ . (Note: This link is only available to computers on LAUSDnet. This link cannot be accessed from non-LAUSD Internet Service Provider connections.)
For instructions on how to ensure your virus definitions in Symantec Anti-Virus are updated, Click Here
Symantec offers removal tools for machines that have been infected:
Information about several viruses that have been reported from users here at the District.
BEAGLE virus is the cause of "bogus" message to LAUSD E-mail users that their account is being deleted or disabled:
The virus known as the BEAGLE virus is causing many Internet e-mail users to panic over an announced deletion of their account. The strain of Beagle virus that appears to be causing this problem is called: w32.beagle.k@mm or Beagle K. You can find more information about it at the Symantec Web site: Click Here
The virus parses the domain name from the e-mail address and spoofs itself as an administrator or manager account. For instance, a LAUSD.NET user would receive e-mail from administrator@lausd.net stating the management of the LAUSD.NET mail system will be disabling their account because of suspicious activities. (This is a FALSE message.)
A similar e-mail is sent to users with a LAUSD.K12.CA.US account, stating that the management of the “ca.us” mail system is terminating their account.
The virus should be under control in the LAUSD mail structure because our Anti-Virus gateway should be detecting it. It also carries an attachment which is quickly stripped by Norton Anti-Virus and replaced with a dummy file.
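The spoofing pattern described above (a role-style sender on the recipient's own domain, an account-deletion lure, and often an attachment) can be expressed as a simple mail-filter heuristic. This is an added example, not the District's gateway configuration or Symantec's detection logic; it also covers the Mytob messages described earlier on this page. The function names, the lure word list and the sample message are assumptions made for the example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Role-style senders named in the advisories on this page.
ROLE_LOCAL_PARTS = {"administrator", "webmaster", "support"}
# Assumption: lure wording inferred from the advisory's description.
LURE_WORDS = ("account", "deleted", "disabled", "terminat", "suspicious")

# Constructed sample message (not a captured one).
SAMPLE = """\
From: administrator@lausd.net
To: teacher@lausd.net
Subject: Your account will be disabled

The management of the mail system is disabling your account
because of suspicious activities. See the attached file.
"""


def spoof_indicators(raw_message):
    """Return the set of hoax indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.lower().rpartition("@")
    rcpt_domains = {addr.lower().rpartition("@")[2]
                    for _, addr in getaddresses(msg.get_all("To", []))}
    text = msg.get("Subject", "").lower()
    found = set()
    for part in msg.walk():
        if part.get_filename():
            found.add("attachment")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += " " + payload.decode("utf-8", "replace").lower()
    if local in ROLE_LOCAL_PARTS:
        found.add("role_sender")
    if domain and domain in rcpt_domains:
        found.add("sender_domain_matches_recipient")
    if any(word in text for word in LURE_WORDS):
        found.add("lure_wording")
    return found


def is_probable_hoax(raw_message):
    """Flag a role sender on the recipient's domain plus lure or attachment."""
    found = spoof_indicators(raw_message)
    return ({"role_sender", "sender_domain_matches_recipient"} <= found
            and bool(found & {"lure_wording", "attachment"}))
```

The From header is set by the sender, so a match here means the message fits the hoax pattern, not that it came from the named account.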
Several Internet Viruses and worms, including the “Slammer/Blaster Worm”, the “Sobig.F” virus and the “Welchia Worm” (aka "Nachi Worm") are propagating through the Internet. Some unprotected systems within the District’s networks may be at risk. Click here for the latest information, instructions and to read a letter from the CIO regarding this issue.
On Monday, January 26, 2003 an email worm called "MyDoom" or "Novarg" began rapidly circulating throughout the Internet. The virus affects Microsoft Windows 95/98/NT/2000/XP/2003 Operating Systems. Click here for the latest information, instructions
Sober.q began spreading quickly online over the weekend. Some E-mail users are reporting a barrage of German-language spam being received in their in-boxes recently.
W32.Klez.H@mm is designed to spread through email. It has over 100 randomly selected subject lines, and uses several different file attachment names when attaching itself. Please read this document carefully. The worm also masquerades as a "Klez.E immunity tool" with the subject line "Worm Klez.E Immunity."
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes. This page also includes a link to the removal tool.
W32.Goner.A@mm is a mass-mailing worm that is written in Visual Basic. The worm has been compressed using a known Portable Executable (PE) file compressor. The worm can spread its infection using the ICQ network as well as by email using Microsoft Outlook. If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DOS) attacks. The IRC channel used for controlling the worm is currently blocked, preventing this functionality.
W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several anti-virus products.
W32.Nimda.A@mm - (Removal Tool) a new mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares. Please read the announcement on Symantec Security Response and execute the patch on any Microsoft IIS web servers.
Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are using Windows 95, Windows 98, or Windows ME, there is no action that you need to take in response to this alert. To read Microsoft's description of the patch and its installation, and the vulnerability it addresses click here.
Because of the importance of this threat, this alert is being made jointly by:
Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance
Email Virus Alerts
EMAIL VIRUS is still active! All Windows users please use the "Fix" Tool!
Networked computers can spread the virus even if they are not running email via Outlook. All users should install virus protection software and update that software with the latest virus definitions.
If you are using a machine running Windows, you may be infected; click here to connect to the Symantec web site with the "fix" tool. AGAIN: ANY WINDOWS MACHINES CONNECTED ON THE SAME NETWORK CAN SPREAD THE VIRUS.
Please install virus protection software on all networked computers. Do not open any email attachments from users, even if you know them, unless your computer is protected with the latest virus definitions. (Macintosh users and web mail users, please delete these files. Do not forward them to anyone.)
HaHaHa Snow White Virus - (W95.Hybris.gen)
W95.Hybris is a worm that spreads by email as an attachment to outgoing email messages.
The email message or subject may include, but is not limited to:
McAfee Virus Information Library - McAfee Avert Virus Information Library has detailed information on where viruses come from, how they infect your system, and how to remove them.
Symantec Security Updates - Get the latest information on virus warnings, how to remove them, and updates to your software.