Don't use Internet Explorer

Microsoft Security Advisory 2963983 (CVE-2014-1776) is a serious Vulnerability in the Internet Explorer web browser that could Allow Remote Code Execution. Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially-crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

For more information on Microsoft Security Vulnerability 2963983, please visit:
https://technet.microsoft.com/en-us/library/security/2963983.aspx

Skyward and other vendors are recommending that everyone use an alternate web browser until Microsoft releases a patch. 

Heartbleed issue: What you need to do

You may have heard news of the "Heartbleed" Internet security breach or gotten an email about it from friends. This email tells you what you need to do, which is, unfortunately, not as easy as just "change your passwords." It's organized in the ever-popular "Q&A" format.

Q: Is my school email safe?

A: Probably. We use Google Apps, and it was a Google researcher who found the flaw, and Google patched its systems very quickly. But you should change your OSD password just to be safe. 

Q: Is Infinite Campus safe?

A: OSD's IC server appears to be unaffected or fixed. Regardless, your IC password should be the same as your OSD email/network password, so you don't need to do anything specifically regarding IC.

Q: How about Skyward?

A: Skyward was never vulnerable due to the version of SSL it used, so your personal and HR information is not at risk.

Q: What do I need to do?

A: This is a two step process: 

1. Check to see if a site has been fixed. (Check the top 100 web sites here.)
2. AFTER a site has been fixed, then change your password for that site.

Q: Why not just change all my passwords right away?

A: Until a site has been patched, if you change your password, then the attacker can potentially get your new password as well. So wait until the site is patched before changing your password. More info here.

Q: What about sites that aren't in the top 100 list, like my bank?

A: You can check the status of any site with this tool from LastPass.

Q: Why is this such a big deal?

A: It potentially affects half of secure sites on the web, has been around for two years, and was only recently reported. More info here.

CryptoLocker Threat

Last week a Wisconsin school district was hit with a computer malware called “Cryptolocker”. This malware accesses files on your computer and/or server and encrypts them. The attackers demand money, and if the payment is not received, the malware will prevent the files from being accessed again.  The specific act in Wisconsin impacted over 40,000 files at the school district. 

This malware is spread through an email that appears to be a tracking notification from UPS or FedEx. This tactic will change soon, so please don't think this has anything to do specifically with shipping companies. 

Regardless of the type of message, you should ALWAYS be careful whenever you get an email containing a hyperlink, especially if it's unexpected. The best practice is to NOT click the link in the email, but to type the web address of the company (UPS, FedEx, Amazon, or whatever) into a different browser window. This reduces the threat of a hidden URL.

I don't necessarily think this one is much worse than a lot of other ones. But this serves as a good general reminder to be very careful about what you click. 

The school district network has a network security system that should help stop many threats, but your vigilance and caution are the best defense.

Here’s a link provided by the Federal Trade Commission (FTC) to more information on the malware. 

http://www.ftc.gov/news-events/press-releases/2014/02/ftc-fbi-warn-consumers-about-cryptolocker-new-breed-computer

Update: Firefox, Adobe Reader, and Java

We are continuing to work on fixing Adobe Reader and Java plugins in Firefox. Thanks to alert reader Mark L., I am posting some additional information specifically about Campus gradebooks and Java.
The new version of Firefox is disabling certain versions of Java by default because Java has some widely-reported security issues. (See my previous post for more info.) This means that when you open your Campus gradebook in Firefox, you get a screen that warns you "This plugin has security vulnerabilities."

You can override this by clicking on the link that says "Click here to activate the Java(TM) Platform SE 7 U plugin."

When you click on the link, you'll be greeted by a screen asking if you are sure you want to run this application. Click Run. Your gradebook will open shortly.

After we get the Adobe Reader issue fixed, we'll work on updating the Java plugin so that you'll no longer have to go through this process. In the meantime, please feel free to continue using your gradebook with this workaround.

Homeland security says to disable Java...but we need to post grades

The US Department of Homeland Security strongly advises that Java be disabled on all computers due to a security flaw. This is one of those situations where it's really difficult to find a balance between security and usability. The district computers need to run Java, because it is required for Infinite Campus gradebooks (as well as many other programs). At the end of the semester, entering grades is obviously a really high priority. Disabling Java until a solution is found really isn't an option, unless we were to postpone the grading window.

I would suggest that Java be disabled on any computers that don't require it. I've disabled it on my home computer for the time being, and I encourage others to do the same.

Full details of the vulnerability, and instructions for disabling Java, can be found on the CERT page, which will also post updates as available.

Wireless network Captive Portal security certificate fixed

Users trying to log in to the public wireless network this morning got an error message saying the identity of the server could not be verified. The exact error message varied depending on the browser. Chrome and Firefox give you the option to override and continue, albeit with dire warnings about how somebody could be intercepting your traffic. (This was sure to get the attention of the paranoid, tinfoil-hat-wearing crowd.) Safari is apparently a bit more ardent about protecting us from ourselves, and did not provide the option to override. The result is that iPad users on the public network were not able to authenticate.

The actual cause of the warning was that the security certificate for the captive portal (the screen that pops up asking you to log in when you use the public network) had expired over the weekend. We have created and imported a new security certificate, so now devices on the public wireless network can log in normally.

Thanks for your patience, and I apologize for the interruption and inconvenience.

Safe URL shorteners

This is an announcement from Lightspeed about two new URL shorteners that are safe, and will therefore not be blocked by the content and security system on our campus network.

In late 2009 Lightspeed Systems noted an increase in the misuse of URL shortening/redirect services (e.g. Tinyurl.com, bit.ly, cli.gs). These are services that take lengthy URLs - often with descriptive attributes embedded by web developers - and make the associated pages available through a shortened web address.
Unfortunately, these services create a couple of problems for school networks. First, they make it possible for users to access proxy servers and circumvent the filter and your policies. Second, these links are used by spammers to hide the true destinations of links in their messages. As a result, Lightspeed Systems changed the category for these sites to the normally blocked Security.proxy category.
Of course, we recognize that there are several reasons that URL shortening can be useful, so we are providing an alternative that schools can use safely: lsurl.me and mbcurl.me. To remain CIPA compliant, we check all submitted URLs against our database and will not shorten URLs that are in our porn or security categories.
Also our shortener works as a re-director, not a proxy, so all shortened URLs are redirected to the requested site and will fall prey to any applicable content filtering policies.
Review "URL Shortener Redirects" on the Lightspeed Wiki to ensure lsurl.me and mbcurl.me are in an allowed category - and that all other URL shortening websites are in a custom-blocked category that redirects access attempts to either lsurl.me or mbcurl.me.

Why we use network-based security devices

This article is a good example of why we use a network-based security scanner.
http://www.theregister.co.uk/2011/02/15/bbc_driveby_download/

Basically, users who simply visit a legitimate website (BBC) could be infected by malware, even if their computers have anti-virus installed. Only nine of the top forty-three anti-virus programs found the malware.  This is why we use not only desktop anti-virus, but also a network security scanner. The network security device is updated continuously, so when such vulnerabilities are detected, they can be blocked, even if they are on a legitimate website.

We are also piloting the use of a "Secure Web Gateway" network appliance to scan all traffic in real time, which would provide another layer of protection.

Security reminder- lock your computer while unattended

This is just a friendly reminder that when you leave your computer, even for just a second, you should lock your computer. Having the longest, most complex password in the world doesn't stop anybody if you leave your computer unlocked. It takes only seconds for somebody else to access data on your computer. In the past, we've had incidents including students changing grades, reading email, and even sending email from a teacher's account.

There are two easy ways to lock your computer. The quickest, easiest way is to press the Windows key and L on your keyboard. This will immediately lock your screen, requiring you to press Ctrl-Alt-Del and then enter your password to resume.

Alternatively, you could press Ctrl-Alt-Del and then click "Lock the Computer"

Please try to get in the habit of just pressing Windows-L as you leave your seat. This is a best practice that will greatly minimize the risk of unauthorized data access.

Skyward phishing scam

We just received this from Skyward. Please be aware.

It has come to our attention through one of our customers that there is a phishing scam that appears to be coming from Skyward.  Skyward would not send you a link and ask that you log into it.  The email address this came from is skywardhelp@cyberservices.com [mailto:skywardhelp@cyberservices.com]. This is not a valid email address for Skyward.  Please instruct your users to ignore any type of request like this.

We appreciate your prompt attention to this matter.  If you have any questions, please contact Skyward Customer Service.

Thank You - Skyward Support Staff
SN #1474

Do you have your new password ready?

Do you have your fifteen character password ready?

This is a reminder that starting July 15, all staff must have a long password. New passwords must be at least fifteen characters long and contain at least one number and symbol.

The good news? Your password will not expire, so you won't ever have to change it unless it gets cracked.

If you are wondering why, or need help creating a password that long that you can also remember, please read "How to choose a good password" on our documentation site.

On July 15, we will switch our servers from Novell to Microsoft. This means your current Novell password will no longer work, and you will have to start using a new one. Because we cannot see or export your current passwords, we will assign you a new one that you must start using on July 15.

Before the end of school, you will receive a piece of paper which will contain your new password. On July 15, you will need to start using this new password. You may want to change it to something you can remember more easily, but you must use the password issued to you at least once to log in and change your password.

If you have questions, please feel free to contact me or read the detailed explanation at http://sites.google.com/a/oregonsd.net/technology-integration-tool/Home/passwords (staff login required).

Proposed new password policies for next year

New password policies for next year
I am proposing two big changes to the district's password policy. The two big changes are: 1) Passwords will never automatically expire; and 2) Passwords will have to be fifteen characters long and have some complexity. These go hand-in-hand. If the passwords are long and complex, they probably won't be cracked, so they won't ever need to be changed.

Why will they never expire?
Research on IT best practices shows that the more frequently passwords are changed, the simpler they become. We also know that changing a password regularly doesn't necessarily stop bad things from happening- it simply blocks out an intruder who happens to get your password. Also, we know it's annoying when passwords expire.

Why will they have to be fifteen characters long?
Again, IT best practices show that long, complex passwords are more secure. There are many reasons for this, but there are two I'm focusing on.

First, there is a very easy password cracking tool that students use (yes, even Oregon students have used this) which can crack any Windows password with a length of fourteen characters or less. Adding the fifteenth character might not seem like much, but the exponential increase in complexity, combined with the way that Windows hashes passwords makes this a huge difference. The second reason for complex passwords is that if a student happens to see or hear a password, it should be something that's difficult to remember. For example if you write down your password (in your wallet or some other place where people won't see it) and a student catches a glimpse, they could remember "BrianJoeErica1990" more easily than "mfdwmfswam3m0ri@lu"

How can we remember all that gibberish?!?
The secret is that it's not really gibberish. The password above, "mfdwmfswaM3m0ri@lU" only looks like gibberish. In fact, it's based on a phrase that has significant personal meaning: "My first date with my future spouse was at Memorial Union." (I just made this up, it's not true, but if it were, it would be memorable. Choose your own phrase.)

See how I got the password? I took the first letter of each word, then the entire word "Memorial" but substituted a "3" for the "e", a zero for the "o", and an "@" for the "a". The resulting password has lots of complexity- it includes capital and lowercase letters, numbers, and symbols. And after a while, your fingers will just get used to typing it. Remember- you won't have to change it every month.

Related resources:

• Password: the weakest link
• Please don't change your password
• Password Policy: Change them every 25 years
• How to choose strong passwords that are easy to remember
• Create stronger passwords
• So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF)

Critical Internet Explorer security vulnerability patch

If you remember hearing about Google and other companies getting hacked by China, it was due to a security hole in Microsoft Internet Explorer. Microsoft is releasing an emergency security patch to solve this issue.

Please patch your home computers.

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on January 21, 2010.

 

New Security Bulletin

Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:

 

Bulletin ID	Bulletin Title	Maximum Severity Rating	Vulnerability Impact	Restart Requirement	Affected Software
MS10-002	Cumulative Security Update for Internet Explorer (978207)	Critical	Remote Code Execution	Requires a restart	All supported versions of Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008*, Windows 7, and Windows Server 2008 R2*.

* Where indicated in the Affected Software table on the bulletin Web page, the vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option. Please see the bulletin Web page at the link in the left column for more details.

 

Public Bulletin Webcast

 

Microsoft will host a webcast to address customer questions on this bulletin:

Title: Information About Microsoft's January 2010 Out-of-Band Security Bulletin Release

Date: Thursday, January 21, 2010, at 1:00 P.M. Pacific Time (U.S. & Canada).

URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

 

Public Resources related to this alert

 

• Security Bulletin MS10-002 – Cumulative Security Update for Internet Explorer (978207):
  http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx

 

• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/

 

• Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/

 

• Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/

 

• Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl/

 

New Security Bulletin Technical Details

 

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle Web site at http://support.microsoft.com/lifecycle/.

 

Bulletin Identifier		Microsoft Security Bulletin MS10-002
Bulletin Title		Cumulative Security Update for Internet Explorer (978207)
Executive Summary		This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.   The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.   This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.
Affected Software		All supported versions of Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008*, Windows 7, and Windows Server 2008 R2*. * Where indicated in the Affected Software table on the bulletin Web page, the vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option. Please see the bulletin Web page at the link below for more details.
CVE, Exploitability Index Rating		CVE-2010-0244: Uninitialized Memory Corruption Vulnerability (EI = 1) CVE-2010-0245: Uninitialized Memory Corruption Vulnerability (see note below) CVE-2010-0246: Uninitialized Memory Corruption Vulnerability (see note below) CVE-2010-0247: Uninitialized Memory Corruption Vulnerability (EI = 1) CVE-2010-0248: HTML Object Memory Corruption Vulnerability (EI = 2) CVE-2010-0249: HTML Object Memory Corruption Vulnerability (EI = 1) CVE-2009-4074: XSS Filter Script Handling Vulnerability (see note below) CVE-2010-0027: URL Validation Vulnerability (EI = 1)   Note: Please see the Exploitability Index table of the bulletin summary page for more details: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
Attack Vectors		A maliciously crafted Web page A maliciously crafted HTML e-mail
Mitigating Factors		Users would have to be persuaded to visit a malicious Web site. Exploitation only gains the same user rights as the logged on account. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted Sites zone. By default, IE on Windows 2003 and Windows 2008 runs in a restricted mode.
Restart Requirement	The update will require a restart.

Bulletins Replaced by This Update	MS09-072
Publicly Disclosed? Exploited?	CVE-2010-0249 has been publicly disclosed prior to release. CVE-2010-0249 has been exploited in the wild at release.
Full Details	http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx

 

Regarding Information Consistency

 

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.

 

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

 

Thank you,

 

Microsoft CSS Security Team

 

 

Heidi Felker

Education Account Manager - US Public Sector

Microsoft Corporation

One Microsoft Way

Redmond, Washington 98052

 

Toll Free (800) 426 - 9400 x 11310

Direct:  (425) 704-6563

Email:  heidife@microsoft.com

Security alert- new types of attacks

[This is from another university that granted permission to share as long as
I didn't say where it came from.]

Folks,

Over the past week or so, we've seen a marked increase in malicious
advertisements targeting (and exploiting) multiple vulnerabilities -
including ones in Java Runtime Environment (JRE) and Java Development
Kit (JDK)  - to silently download and install malware. We have learned
of three "advertising agencies" that appear to be operated by the same
group, that are completely bogus, and they have gotten their ads
pushed out via the largest advertisers in the business. We've seen
popular local and world news sites, popular greeting card sites,
screen saver sites, and more "displaying" these ads. The number and
size of legitimate advertising agencies that wind up referring users
to these malicious advertisements basically means that every Web site
that outsources advertising should be considered a potential infection
vector.

While malicious ads targeting Adobe Flash Player and Adobe
Reader/Acrobat have been going on for well over a year, this is the
first time I can remember seeing numerous computers becoming infected
daily due to a JRE/JDK exploit.

I was able to successfully recreate an infection simply by visiting a
very popular (legitimate) greeting card site this morning. I did not
get redirected to any visible fake AV site, nor did I have to interact
with anything to become infected. There no visible symptoms of an
infection for several minutes, before the fake AV software finally
reared its ugly head. And it wasn't just a Web page that popped up -
it had been silently installed.

This particular variant prevented many Windows applications from
running, including (but not limited to) Paint, cmd.exe, Control Panel,
and more. This fake AV installs itself in a manner that allows
infection of limited user accounts - admin privileges are not needed.
And the kicker... the sample that I sent to virustotal.com was
detected by one out of 41 AV vendors (Symantec wasn't the one).

We have seen signs that not all hosts infected via these advertising
campaigns get the fake Antivirus software package - however, we are
not sure what is downloaded and installed on those hosts. Assuming it
is malware, it evades all of our existing detection methods.

We've seen Java versions 1.6.x up to 1.6.0_15 become compromised, as
well as several 1.5.x versions. We've seen a host running 1.6.0_17
that did not become compromised, leading us to believe that the most
recent Java security release (1.6.0_17) fixes the vulnerability that
this group is exploiting.

Note that a (presumably) different group of miscreants has been using
bogus advertisements that redirect the browser window to fake AV Web
sites. That site will then try (hard) to convince the user to download
and install their product. That activity is not typically indicative
of an infection - and is an entirely different user experience than
the one I mentioned above. And while we saw a rash of this a few weeks
ago, it seems that almost all of the fake AV we've seen over the past
week was installed silently via drive-by exploits.

I cannot stress enough the magnitude of this situation. The popularity
of the Web sites that we've seen host these "advertisements" is
incredibly high - several of them surely get several thousand hits a
day. Thankfully not everyone who goes to these sites gets the evil ads,
but it is a game of Russian roulette that simply isn't worth playing.

We will be tracking this group as best as we can, and taking
network-wide mitigation steps where appropriate (and possible). But
this group changes their M.O. frequently, and I feel they clearly have
gotten to the point where they aren't going away without handcuffs or
pointy lead.

On a similar note, over the course of the last year or so, several AV
vendors have noticed an uptick in malware that encrypts all of certain
types of data files on the computer, and demands a ransom for the
decryption key. Many folks (including myself) think that it is just a
matter of time before that becomes a much more common payload for
these large drive-by malicious advertising campaigns.

And finally, a personal plea. Please - if you or someone you know
comes across this... don't *ever* decide to purchase the fake AV -
even though it might seem to be the easiest way out. Not only is this
financing their operation, this is giving your credit card info to
some serious (and rather bold) criminals.

How to get to blocked short-links

Q: I've been frustrated trying to use twitter here at school.  I'm getting some great resources from the people I follow, but when I click on the links, they are blocked with a "security.proxy" warning.  Is there a way to work around this?  Is this due to the abbreviated links? 

A: Yes, this is due to the shortened links. I often have the same frustration. Twitter has made services like bit.ly, tr.im, and tinyurl.com very popular. The URL shortening services are seen as proxy sites, and are a growing security risk. This is because you can't see what site you are really going to before you go there, so you can't make a smart decision about whether it's a safe site or not.

The solution:

http://longurl.org/

In the strange world of the Internet, the site above is meeting this need by expanding shortened URLs so you don't blindly follow a link that will install malware or something. So, although annoying, the solution is to resolve those shortened URLs using longurl.org and then deciding whether it's safe to go to them.

Microsoft Excel security vulnerability

I don't publish these too often, but this is a fairly significant threat, especially because it is being actively exploited.

The SANS Internet Storm Center has raised its alert level to
"yellow" in response to Microsoft Security Advisory 973472:

http://isc.sans.org/diary.html?storyid=6778

http://support.microsoft.com/kb/973472

http://www.microsoft.com/technet/security/advisory/973472.mspx

Microsoft Office Web components are allowing remote code execution
based on an ActiveX control instantiated for Excel. This
vulnerability is being actively exploited on web sites for
drive-by download infections.

No patch yet, but workarounds include:

* use a non-ActiveX browser such as Firefox
* set kill bits for two more CLSIDs (see above)

The KB article links to a tool end users can use; in active directory domains the registry changes can
be pushed via group policy.

How to give all your money to thieves

There is a phishing scam going on again this year, as in previous years, that poses as an IRS notification to steal your money and/or identity.

It looks like this:

>>> "Internal Revenue Service" 1/7/2009 11:14 AM >>>
After the last annual calculations of your fiscal activity we
have determined that you are eligible to receive a tax refund of $92.50.
Please submit the tax refund request and allow us 3-6 days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid
records or applying after the deadline.

To access the form for your tax refund, please click here :

http://.ca/date/Internal/Revenue/Service/index.html

Regards,
Internal Revenue Service.

© Copyright 2009, Internal Revenue Service U.S.A.

Of course, this is a scam. You can tell because:

1. The URL of the link isn't to the IRS site;
2. The IRS knows where you live, and would just send you a check;
3. The bad grammar of the message;
4. They don't need you to fill out another form, because you (presumably) already filled out your tax forms (otherwise, how would they know you are owed a refund?);
   
5. The IRS has a warning about this kind of fraud;
6. The IRS doesn't communicate via email unless you've asked them to;
   

Don't be fooled. Use those critical thinking skills. (BTW, the URL of the link has been changed above so that it won't actually go there.)

*You may ask, "How did this spam get through our district spam filter?" Easy. It's not spam. Spam is unsolicited email trying to sell you something. This is a phishing scam, which is much harder to identify because it looks legitimate, and isn't selling anything.

Security filter login page

UPDATE: This issue has been resolved as of 2008-11-04, 9:00 AM.

===========
The normal login option on the security warning page is not available. Instead, you will see a long error message. To fix the error, we have to restart the server. However, since this is likely to affect a very small number of users, and because restarting would temporarily interrupt all Internet traffic, I've decided to wait until non-business hours to do this.

It should be back to normal functionality tomorrow (Tuesday, November 4).

Virus and spyware threat: "Statement of fees"

Some users have received an email message with a zip file attached. The subject is "statement of fees." Please do not open the file or forward to us. Just DELETE immediately. Here's a screen shot of the mail received:

 

 

Some indications that this is an attack:

• the return address is from a foreign domain (bradteal.com.au)
• wording is pretty vague and generalized, but implies some time-sensitive pressure "this will be posted today"
• you have no idea who "Cherry Sylvester" is

If you have been infected with a virus

Anyone who has been affected by the malware that is circulating via email please read on. 

 

If you have been affected on a school computer please submit a helpdesk ticket asap.

http://helpdesk.oregonsd.org/

 

If you have been affected on a home computer don't fret; we have found a program that will remove it quite efficiently. 

 

This is the link to download this program: 

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

 

To remove the malware

1 download and install the program

2 update when it asks if you want to update

3 run a full scan and delete all infected files that it finds.

 

Here is a more in-depth description of those directions if needed:

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008