Network Services provides network security and connectivity to the CSULB campus. This website is a collection of information from the Network Services group that discusses and suggests solutions to new and existing computing/networking issues.

Frequently Asked Questions of the Month

  • What is the best way to remove a virus? Read an e-mail from Eli Shubin, LAN Security Specialist, Network Services.

    I thought of something that is always the first reminder I try to give someone who calls me to say that Symantec AntiVirus has detected a virus on their PC, and asks what they should do next. This is important because a lot of people don't follow these little steps and they end up getting frustrated because they get alerted over and over again that Symantec detected the virus.
  • What type of spyware is hitting the campus? Read an e-mail from Eli Shubin, Network Services.

    Looking back on the virus alert logs for March, a good number of client computers were hit with the Adware.CDT threat.

Campus Response to Sober.O Mass Mailing Worm

On Tuesday, May 2, 2005, the CSULB network started receiving hits from the new Sober variant. Complete information about this variant can be found at:

securityresponse.symantec.com

The response by our various servers and network devices was immediate and dramatically slowed the spread of this virus. This was the first "Level 3" virus outbreak in quite a while.

One of the variants was sending email attachments that were compressed zip files which contained executable .pif files. These kinds of files were immediately picked up by our campus Intrusion Prevention System (IPS) and blocked entirely. It is currently the campus policy to deny files matching this criterion, unless someone specifically requests a legitimate use for them. The following is a graph of the number of hits per day that were blocked in this way:

So, we stopped a lot of hits on day zero! But, the IPS couldn't stop them all. Our IPS policy only covers zip files which contain files with the following extensions: pif, scr, cmd, and com. But, as noted by Symantec:

Note: The attachment will be a zip file containing a copy of the worm. The file name within the zip file will be Winzipped-Text_Data.txt[many spaces].pif or Winzipped-Text_Data.txt[many spaces].exe.

The worm could come in with an exe inside the zip. That case is not covered by the IPS policy, since exe is not on its blocked-extension list. When the IPS stops an attachment, the mail server's connection is closed and the file is never fully transferred. Attachments that get past the IPS make it further into the network and must be scanned for their specific signatures by true AntiVirus software.
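The two checks described above (block zip attachments whose members carry a pif, scr, cmd or com extension, and hand exe members on to the AV scanner) can be illustrated with a small inspector. The following is an added example written for this page, not the campus IPS's own code or Symantec's; the function names, the verdict labels and the sample archives are constructed here. It also flags the whitespace-padded double extension that the Symantec note quotes, since that pattern hides the real extension from a casual reader regardless of which extension it ends in.

```python
import io
import re
import zipfile

# Extensions the campus IPS policy, as described on the page, blocks inside zip attachments.
BLOCKED_EXTENSIONS = {"pif", "scr", "cmd", "com"}
# Executable extensions the page notes the IPS policy does not cover; these are
# flagged so the message is handed to the AntiVirus scanner instead of dropped.
WATCH_EXTENSIONS = {"exe"}


def true_extension(name):
    """Return the final extension of a zip member name, lowercased.

    Whitespace padding before the real extension (e.g. 'x.txt      .pif')
    does not hide it: only the text after the last dot counts.
    """
    base = name.rsplit("/", 1)[-1]          # drop any directory prefix
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def is_padded_double_extension(name):
    """True for names like 'Winzipped-Text_Data.txt          .pif':
    a short document-looking extension, a run of spaces, then the real one."""
    return re.search(r"\.\w{1,4}\s{2,}\.\w{1,4}$", name) is not None


def inspect_zip(data):
    """Inspect raw zip bytes and return (verdict, findings).

    verdict is one of 'block', 'scan', 'allow' or 'malformed';
    findings is a list of (member name, reason) tuples.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # A damaged archive cannot be inspected; treat it as suspicious input.
        return ("malformed", [("<archive>", "not a valid zip file")])

    verdict = "allow"
    for name in names:
        ext = true_extension(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension .{ext}"))
            verdict = "block"
        elif ext in WATCH_EXTENSIONS:
            findings.append((name, f"executable .{ext} not in block list; hand to AV scanner"))
            if verdict == "allow":
                verdict = "scan"
        if is_padded_double_extension(name):
            findings.append((name, "whitespace-padded double extension"))
    return (verdict, findings)


def build_sample_zip(members):
    """Build an in-memory zip from {member name: payload bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples; the payloads are placeholder bytes, not real programs.
PADDED = " " * 40
PIF_SAMPLE = build_sample_zip({"Winzipped-Text_Data.txt" + PADDED + ".pif": b"placeholder"})
EXE_SAMPLE = build_sample_zip({"Winzipped-Text_Data.txt" + PADDED + ".exe": b"placeholder"})
CLEAN_SAMPLE = build_sample_zip({"report.txt": b"quarterly numbers"})

if __name__ == "__main__":
    for label, sample in (("pif", PIF_SAMPLE), ("exe", EXE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        verdict, findings = inspect_zip(sample)
        print(f"{label}: {verdict}")
        for member, reason in findings:
            print(f"  {member!r}: {reason}")
```

Run as a script it prints a verdict per sample: the padded .pif archive is blocked, the padded .exe archive is routed to the AV scanner, and the plain text archive is allowed. Inspecting member names only, as the IPS policy does, is cheap and works on a stream before the whole attachment has transferred; it is deliberately not a substitute for signature scanning of whatever is let through.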

From the campus email gateway, we logged about 7,000 emails matching the signature that have been quarantined since May 1, 2005.

Thanks to these various levels of security, this Level 3 worm outbreak only managed to get onto 8 of the 2,497 computers receiving updates through SAVCE, and 100% of those were able to effectively quarantine the worm! At least 2 of these were dial-up connections that may have been infected from off-campus email accounts such as Hotmail and Gmail.


© California State University, Long Beach