Malware

What is computer malware?

"Computer virus" and "malware" are commonly used terms to describe all types of malicious software, including Trojans, worms, adware, and spyware. Each has a slightly different function, but they usually either try to damage the software on your computer or send information about your computer usage to an outside source over the internet. The details of each type are explained below:

Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Adware is usually seen by the developer as a way to recover development costs, and in some cases it may allow the software to be provided to the user free of charge or at a reduced price. As a result, the advertisements may be seen by the user as interruptions, annoyances or as distractions from the task at hand.

CryptoLocker is malicious software that encrypts your data files with a unique key that only the malicious people/hackers have access to. The nefarious individuals then hold your data for ransom and try to extort money from you. Once your data files are encrypted, the encryption cannot be broken at this point in time without the key. When your data is encrypted and the key is lost, the data is essentially lost forever.

The Flashback virus targets a security hole in the Java software installed on your Mac computer. Java is included with OSX, the operating system on your Mac. The virus is designed to steal personal information in the background without the user noticing, so once your computer is infected, you may not see any difference in the way it runs.

Spyware is computer software that is unknowingly installed on a personal computer to collect information about a user, their computer or browsing habits without the user's informed consent. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs.

A Trojan, as the name suggests, pretends to be something good, like virus scanning software or another useful application. In reality, it runs malicious programs in the background that can perform any number of functions, like allowing an outside user to copy your files, see your browsing history, or even take remote control of your computer.

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other computers on the network, and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or devour files on a targeted computer.

How can my computer become infected?

Unfortunately, there are many ways your computer can become infected. Some of the main causes of an infected computer include: illegally downloading music and movies, clicking on ads, browsing to compromised websites, and in general not being cautious when it comes to web browsing. Be sure to follow the safe browsing habits and remember, it's always better to be safe than to be sorry.

What are the symptoms of a virus?

  • Speed decrease
  • Unexplained freezing/crashing
  • Programs that won’t launch
  • New programs won’t install
  • Computer has trouble booting Windows
  • Internet access is blocked
  • Screen saver and other visual settings are changed unexpectedly
  • Unable to open files or folders
  • Files or folders are deleted unexpectedly
  • False pop-ups that appear warning you about viruses
  • Unable to print documents
  • Your hard disk runs out of free space rapidly

How can I protect myself?

  • For a personally owned computer, use an antivirus located here.
  • If your computer is university owned, please talk to your computer support group for assistance.
  • Have an anti-malware program such as Malwarebytes or SUPERAntiSpyware.
  • Keep your computer's operating system up to date.
  • NEVER use file sharing programs to download games, music, movies, TV shows, etc.
  • NEVER click advertisements on the Internet.
  • NEVER respond to SPAM.
  • READ all warnings very carefully.
  • EDUCATE yourself, your friends and family.

(Malware) Detection at OSU

Oregon State University utilizes a device on our network called FireEye. This device monitors the network for patterns of activity a computer displays when it is infected with malware, or has been compromised by hackers.

When the FireEye device detects signs of malicious activity, it sends an alert to the OSU Computer Helpdesk, who, in turn, sends a notification to the registered owner of the computer. The user is then responsible for contacting the Helpdesk to resolve the issue. This document outlines that notification process.

Please Note: While every attempt will be made to resolve the situation through this process, there may be instances where the availability, confidentiality, or integrity of the OSU network or the data residing therein is placed at risk by the activity discovered on the device. In such cases, network access for that system will be blocked prior to notification.

Notification Process

OSU notifies users when a malware infection is detected on their computer. Users must come in for help, or inform the Helpdesk that the infection has been removed.

Notifications include technical details on the infection and give users information on how to clean their own computers. Please note that the notifications will be from security@oregonstate.edu and will be followed with an email from osucomputerhelpdesk@oregonstate.edu detailing options you have to clean your computer.

Network access disabled notification:

If the user does not come in for help or notify the OSU Computer Helpdesk, and they continue to receive notifications from security@oregonstate.edu, then the user’s network access will be disabled and a notification of the access restriction will be sent.

A user's network access is not typically disabled until after three notifications have been sent, but there are circumstances that will extend the number of notifications before loss of network access, such as a long period of time between malware notifications from FireEye.

Example Malware Notifications

Below are examples of the notification e-mails sent to users, which can be used as reference to ensure these are not fake emails or phishing attempts.

Example from Security:

Hello [Customer Name],


OSU's network security group has detected malware activity originating from your machine.
This is most likely due to a malware or virus infection on your machine.  Please check your
machine for viruses and malware and remove any infections.  If infections are not removed
and further malware related activity is found on your machine, you risk your network
access being disabled until the infection is removed.

Details about the potential infection are listed below:


Details
Malware last detected: [Date] [Time]
IP: [Customer’s leased IP at time of detection]
Hostname: [Customer’s hostname on network]
MAC Address: [Customer’s Hardware address]
ONID Username: [Customer username]
Zone: [Zone customer’s computer was assigned to]
Malware: [Type of infection detected]
Attacker's Info: [IP address and port infection is communicating through]

For more details on this infection, visit
https://mil.fireeye.com/edp.php?sname=Trojan.Koredos


For help removing this infection on your own, see
http://oregonstate.edu/helpdocs/protect-your-computer

If you would like assistance removing the infection please contact the OSU Computer
Helpdesk -
Phone: 541-737-3474
(Web: http://oregonstate.edu/is/tss/och/)

Note: This report is for your information and a copy is provided to the OSU Computer
Helpdesk. (If you are reasonably sure that this report is a false positive, no action or
response is required).

Example from the OSU Computer Helpdesk:

OSU’s Network Security group (security@oregonstate.edu) sent you an e-mail recently informing you about a possible malware infection on your computer. The OSU Computer Helpdesk wanted to check in with you and see if you have been able to remove the infection.

Because network security is a priority for personal and network safety, careful procedures are in place to quarantine potential infections. If no response is received from you after multiple notifications, the Helpdesk will disable your network access. Multiple warnings will be provided before access is disabled and it is easy to restore your network access by contacting the Helpdesk to inform them you have cleaned the infection yourself, or for help removing the infection.

Please be aware that if you clean the infection yourself, you must inform the Helpdesk that the infection is resolved. If you don't respond to this email and your computer is still reporting as being infected, the Helpdesk will disable your network access after three notifications.

Clean it yourself -

You can also find out more information on how to remove infections here: http://oregonstate.edu/helpdocs/protect-your-computer


If you clean your computer, please respond to this email that you have cleaned your computer. If you receive another notice after reporting that you have cleaned the computer your network access will be disabled and you will be notified.

Students with laptops - 

If you still need assistance, please come to our Walk Up Helpdesk, located on the main floor of the Valley Library. It is open 8AM-9PM Monday through Thursday, 8AM-7PM Friday, and 3PM-7PM Sunday. You can also give us a call at 541-737-3474.


Students with desktop computers living in the dorms -

Call the OSU Computer Helpdesk at 541-737-3474 for guidance and further assistance.


If you do not have an anti-virus program on your computer -


You can get Symantec Endpoint Protection for free with your ONID account. If you already have an antivirus program, please use Malwarebytes to double check that you do not have viruses on your system.

How to use Malwarebytes - Malwarebytes download page

How to install/obtain Symantec endpoint protection - video tutorial of how to install Symantec Endpoint Protection

You can go to http://oregonstate.edu/helpdocs/security/viruses for more information on viruses.


Please let us know if you have any questions or concerns.

If you are forwarding your email to another account, please make sure to check your spam folder for the messages we are contacting you about.

Fake AntiVirus Warnings - "ScareWare"

Examples of Fake Warnings

Here are two screenshots of fake warnings.

If you see a popup like one shown here, your computer may already be infected. Shut it down and take it to the IS Service Desk or your IT support staff to resolve the issue.

[Screenshot: fake security warning]

[Screenshot: fake antivirus example]

About Fake AntiVirus Warnings

Fake antivirus warnings are also known as "ScareWare". Bad guys prey upon people's fears, in order to steal their money and information. One of their favorite tricks is to tell people that their computer is (or might be) infected, and they are relying on you to respond in a manner that installs a virus on your computer.

In some cases, your computer may already be infected before you see the popup. The safest thing to do is shut it down and take it to the IS Service Desk or your IT support staff to resolve the issue.

But you can protect yourself before you're affected.

Protect Yourself Before You're Affected

There are three big ways to protect yourself before you're affected.

  1. Download free antivirus software, and keep it up to date (free for home use, too).
  2. Enable your web browser's phishing protection settings, usually found under "Tools" or "Preferences" or "Settings." Call the IS Service Desk at 541-737-8787 if you're not sure how to do this.
  3. Get to know the look of pop-up messages from your current AV software. If you know what you are looking for, you are much harder to fool. Take note of the name and icon of your antivirus software, and click only on pop-ups that come from that program.

There are a few additional steps you can take.

  • Read "How to recognize a Fake Virus Alert Message."
  • NEVER use file sharing programs to download games, music, movies, TV shows, etc. A large majority of the files shared on these networks are infected.
  • NEVER click advertisements on the Internet.

What If I Do See A Warning?

A few things to check for if you are unsure about the message are:

  1. Close and quit the web browser (Chrome, Internet Explorer, Firefox, Safari, etc.) immediately. Do NOT click on OK or cancel. Even a button that says "close" can be deceiving.
  2. Does closing your internet browser make the virus alert go away? Often the pop up window is really embedded on an internet page so if you close your browser it will go away. Alerts like this should always be avoided.

If you think you may have accidentally clicked on a fake antivirus warning, shut down your computer. Students and employees can bring personal laptops to the Service Desk Walkup for malware scans; for university-owned devices, contact your department IT support staff.

What Happens If My Computer Gets Infected?

The viruses that get installed can:

  • Trick you into entering your credit card information or passwords or personal information.
  • Steal your bank account information and empty out your account.
  • Send spam messages from your email address.
  • Corrupt or destroy your documents.
  • Allow other, stronger infections into your computer.
  • Crash your computer or slow it to a crawl.
  • Infect other computers both on the Internet and on a local network.

Who to Contact

OSU-owned computer - Please contact your IT support staff.

Campus Labs computer - Contact the IS Service Desk.

Personal device - Contact the IS Service Desk.

Self help options for personal computers

  • Download Malwarebytes. Disconnect from the Internet to run a full scan of Malwarebytes.
  • Run a full scan with the antivirus program (Sophos, Windows Defender/Security Essentials, Symantec Endpoint Protection, McAfee, AVG, Avast) installed on your computer.
    • The full scan can take several hours to complete properly.