For some UT students, it was not a Hallmark e-card that greeted them via e-mail but an unwanted trojan.
According to the UT Information Security Office Web site, some UT students in the past few weeks received an e-mail from postcards@hallmark.com, which said a friend had sent them a Hallmark e-card. The e-mail instructed the recipient to open an attachment called postcard.zip. When opened, the attachment creates a program called postcard.exe.
To the average user, the program looks like a corrupt file that failed to open. Jesse Poore, UT vice president for information technology, said the trojan creates a bot, which connects to a system called the “bot controller.” The bot then simply waits until the user connects to the Internet.
Poore said the UT Office of Information Technology has identified 114 students infected by the trojan, and about 26,000 messages were blocked on the central mail servers.
Students affected should disconnect their computers from the Internet and run a McAfee on-demand scan to remove the infected files. Even after that, Poore said, the surest way to eliminate the trojan is to wipe the hard drive and reinstall the operating system.
“We have no way of determining what, if anything, the bot or bot controller put in place to allow the attacker continued access to the system after the trojan itself has been cleaned,” Poore said. “The only way to ensure a known good state on the system is to format and reload it.”
The version of McAfee that students receive from the university classified the trojan only as a “potentially unwanted program” and therefore did not block it. The anti-virus software can detect and clean the trojan itself, but it cannot remove the bot the trojan installs.
The only damage the trojan has caused to the university network is “loss of time and manpower,” Poore said.
“Some systems are simple and can be reloaded quickly while some require very specialized work,” Poore said. “Typical time from start to finish is about four hours. However, since there are so many systems that need to be serviced, customers often have to wait several days before their systems are ready.”
While the office has no evidence of danger with online accounts, Poore encouraged students affected to change passwords and place a fraud alert on credit accounts. He directs students to the UT ISO Web site’s instructions on how to do so at http://security.tennessee.edu/unauthorizedfaq.shtml.
To avoid future problems like this, Poore advised students to look for the “tell-tale signs” of such scams, like spelling and grammar errors. He also said the fact that the e-mail vaguely said a “friend” sent the e-card was suspicious.
“Attackers use well-known names to spread their malware,” Poore said. “They change the content just enough that a casual glance wouldn’t arouse suspicion.”
Poore offered advice on how to be aware of such scams.
“When in doubt, ask,” Poore said. “Users can either go to the company Web site, or they can contact the ISO to verify the authenticity of a message. Hallmark has a write-up on ‘spam’ e-cards available from their customer service page.”
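A mail-screening heuristic for the tell-tale signs described above (the vague "a friend sent you an e-card" pitch and a zip attachment that wraps an executable), written as an added example for this article and not code from UT or the ISO; the sample message, its headers and the zip contents are constructed placeholders, and the executable extension list is an assumption:

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed sample shaped like the message the article describes: sender
# claims postcards@hallmark.com, "a friend" sent the card, and postcard.zip
# wraps postcard.exe. The zip member is placeholder bytes, not a program.
def build_sample_eml() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postcard.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "postcards@hallmark.com"
    msg["To"] = "student@example.edu"
    msg["Subject"] = "You have received a Hallmark E-Card!"
    msg.set_content("A friend has sent you a Hallmark e-card. Open the attachment to view it.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="postcard.zip")
    return msg.as_bytes()

# Assumed set of extensions a greeting-card mail should never deliver.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

def screen_ecard_message(raw: bytes) -> list[str]:
    """Return the tell-tale signs found in one message (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg.get("From", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # The article's first sign: an unnamed "friend" paired with an e-card pitch.
    if re.search(r"\b(a|your) friend\b", text, re.I) and re.search(r"e-?card", text, re.I):
        findings.append("generic 'a friend sent you an e-card' pitch")
    # The second sign: a zip attachment whose contents are executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                exes = [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid zip")
            continue
        if exes:
            findings.append(f"attachment {name} contains executable(s): {', '.join(exes)}")
            if "hallmark.com" in sender.lower():
                findings.append("sender claims hallmark.com but delivers an executable")
    return findings
```

Messages that produce findings are candidates for quarantine or for the "when in doubt, ask" check with the ISO rather than automatic deletion.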
Poore said this type of outbreak on the university network has not happened since the myDoom virus in 2004.
Chris Tepedino, junior in communications studies, said he is frustrated with UT’s choice of McAfee as its anti-virus software.
“I think for starters, it’s incredibly poor quality from McAfee,” Tepedino said. “You have to ask yourself — what is UT doing using McAfee as its main virus scanner when it cannot pick up this typical trojan horse?”
UT students targets of e-mail scam masquerading as e-card
Published: Wed Sep 24, 2008