coe-staff: Fwd: uosecurity: Security Advisory - Malware E-mail with Subject: "Annual Form - Authorization to Use Privately Owned Vehicle on State Business"
Terry Kneen
tkneen at uoregon.edu
Tue Oct 8 10:33:02 PDT 2013
There is an email that is making the rounds of the UO today (see below for details). If you see this message, do NOT open the attachment, just delete the message.
Terry
---------------------
Terry Kneen
Instructional Systems Coordinator
College of Education
1215 University of Oregon
Eugene, Or 97403-1215
Note: I have retired and am working part time; work requests should be sent to:
coe-support at ithelp.uoregon.edu
Begin forwarded message:
From: miyake <miyake at network-services.uoregon.edu>
Subject: uosecurity: Security Advisory - Malware E-mail with Subject: "Annual Form - Authorization to Use Privately Owned Vehicle on State Business"
Date: October 8, 2013 10:13:11 AM PDT
To: <uosecurity at lists.uoregon.edu>, Departmental Computing List <deptcomp at lists.uoregon.edu>, UO Security Group <security at uoregon.edu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A relatively well crafted e-mail, with malware attachment, was sent
around to UO accounts this morning. The e-mail originated from
off-campus and has the following characteristics.
* Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
* Malware attachment: "Form_uoregon.edu.zip"
* Forged "uoregon.edu" sender address
Example:
"Tad Herman" <Tad at uoregon.edu>
"Sherry Bain" Sherry at uoregon.edu
- --------------------------------------------------------------------------
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
E-mail Body:
All employees need to have on file this form STD 261 (attached). The
original is retained by supervisor and copy goes to Accounting.
Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed
annually by employee and supervisor.
Please confirm all employees that may travel using their private car
on state business (including training) has a current STD 261 on file.
Not having a current copy of this form on file in Accounting may
delay a travel reimbursement claim.
- --------------------------------------------------------------------------
The e-mail is not valid and can be safely deleted. If you determine
that one of your end-users may have run the attachment, please remove
the computer from the network and send an e-mail to
incidents at ithelp.uoregon.edu with the following information.
* Affected end-user
* IP address / MAC address for the affected system
At this time McAfee VSE 8.8 with DAT 7222 does not successfully detect
this zip file or the uncompressed executable as being malware.
Based on submitted samples, the e-mail(s) were sourced via the
following IP addresses:
120.151.3.173 : 1221 | 120.144.0.0/13 | AU | apnic | 2008-04-09 | 2000-01-31 | ASN-TELSTRA Telstra Pty Ltd | nouver.lnk.telstra.net
190.33.152.138 : 11556 | 190.33.0.0/16 | PA | lacnic | 2006-08-15 | 190.33.152.138
Additional detection information from VirusTotal regarding the
malicious attachment:
https://www.virustotal.com/en/file/2c3c1cbe50fdeecf665faf00cadff094c08f49000c96b57983546c1db197038c/analysis/1381248544/
- --
Sincerely,
Jon K. Miyake
Information Services Sr. IT Policy and Security Administrator
University of Oregon voice #: (541) 346-1635
(541) 346-5837
Computing Center Rm 225
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQCVAwUBUlQ9JsV+r+BcytBFAQLPIQP9Fj7i5usGnOdDoMKRiYyoOHWCrrur0Y3o
PLljFb7bgFAZ5AysH6bECXFS8KdcQKOQI335kYR7wbXnRHHolBPQg8H3DEJi8WZu
FCxqpPG6luYihfq6Evl78iVNbCiAC6g2JKBcNG4GgdcDGRWWix1WdJ6hWGvd4QaE
ygbRZ0gLGEQ=
=Ecc6
-----END PGP SIGNATURE-----
_______________________________________________
uosecurity mailing list
uosecurity at lists.uoregon.edu
https://lists-prod.uoregon.edu/mailman/listinfo/uosecurity
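The advisory above lists three characteristics of the message (the subject line, the zip attachment name, and a forged uoregon.edu sender address) plus two originating IP addresses, and notes that the endpoint antivirus did not detect the attachment at the time. The following script is an added example, not part of the advisory or of the University of Oregon's tooling: it runs those indicators over a raw message as a mail-gateway or triage check would. The sample message, the zip contents, and the internal relay range 192.0.2.0/24 (a documentation prefix used as a placeholder) are all constructed here; a real deployment would substitute its own relay addresses.

```python
"""Triage a raw e-mail against the indicators in the advisory.

Added example (not the advisory's or the university's code). The message
built below is constructed to resemble the described e-mail; it is not a
captured sample.
"""
import email
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
IOC_SUBJECT = "Annual Form - Authorization to Use Privately Owned Vehicle on State Business"
IOC_ATTACHMENT = "Form_uoregon.edu.zip"
IOC_SOURCE_IPS = {"120.151.3.173", "190.33.152.138"}
INTERNAL_DOMAIN = "uoregon.edu"

# Assumption: placeholder range for the campus mail relays (RFC 5737 prefix).
INTERNAL_RELAYS = ipaddress.ip_network("192.0.2.0/24")

# File types that should never arrive inside a zip from an unknown sender.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js")

# Matches the bracketed IPv4 literal that MTAs put in Received: headers.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Construct a message shaped like the one the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stand-in for the executable; not a real binary.
        zf.writestr("Form_uoregon.edu.exe", b"MZ placeholder bytes")
    msg = EmailMessage()
    msg["From"] = '"Tad Herman" <Tad@uoregon.edu>'  # forged internal sender
    msg["To"] = "staff@uoregon.edu"
    msg["Subject"] = IOC_SUBJECT
    msg["Received"] = ("from mail.example.net (mail.example.net [120.151.3.173]) "
                       "by mx.example.edu with ESMTP")
    msg.set_content("All employees need to have on file this form STD 261 (attached).")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=IOC_ATTACHMENT)
    return bytes(msg)


def external_hops(msg) -> list:
    """Return IPs from Received: headers that are outside the internal relays."""
    hops = []
    for hdr in msg.get_all("Received", []):
        for ip in RECEIVED_IP_RE.findall(str(hdr)):
            if ipaddress.ip_address(ip) not in INTERNAL_RELAYS:
                hops.append(ip)
    return hops


def zip_contains_executable(data: bytes) -> bool:
    """True if any member of the zip has an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXECUTABLE_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> list:
    """Return human-readable findings for each advisory indicator that matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = " ".join(str(msg["Subject"] or "").split())  # undo header folding
    if subject == IOC_SUBJECT:
        findings.append("subject matches advisory")

    from_hdr = msg["From"]
    sender_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    hops = external_hops(msg)
    # An internal-looking sender that arrived through an external relay is the
    # "forged sender" pattern the advisory describes.
    if sender_domain == INTERNAL_DOMAIN and hops:
        findings.append(f"sender claims {INTERNAL_DOMAIN} but arrived via external {hops[0]}")
    if set(hops) & IOC_SOURCE_IPS:
        findings.append("source IP listed in advisory")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name == IOC_ATTACHMENT:
            findings.append("attachment name matches advisory")
        if name.lower().endswith(".zip") and zip_contains_executable(payload):
            findings.append(f"zip attachment {name} contains an executable")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_message()):
        print("FINDING:", line)
```

The relay-range check is the one that generalises beyond this campaign: a From: address in your own domain whose first external Received: hop is outside your relays is worth flagging regardless of subject line, and the executable-in-zip check catches the attachment even when the antivirus signatures have not caught up, as the advisory notes was the case here.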