AR-OLD-NEWSPAPERS-L Archives
From: "Diana Boothe" <>
Subject: [AR-OLD-NEWS] From List Mom
Date: Sun, 25 Nov 2001 23:37:51 -0600
Hi everyone,
This is to let you know that you need to be on the lookout for viruses.
The BadTrans is going around again (still??) and, earlier, I had to remove 2
subscribers because they were infected.
I do not want this to now become the topic of discussion. If you want, you
can e-mail me privately on this. I have, as of this evening, received 4
infected e-mails from 3 different people, so it is VERY important that we
do discuss this now. But please remember if you want to discuss it further,
contact me off-list.
The following is from the Symantec.com (NORTON ANTI-VIRUS) website, found
here.......
http://securityresponse.symantec.com/avcenter/venc/data/
ml
W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 24, 2001 at 12:19:48 PM PST
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several
different file names. This worm also drops a backdoor trojan that logs
keystrokes.
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the
following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the
following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.
Prevention methods:
1. Corporate email filtering systems should block all email that have
attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the
names listed above. Any email that has such an attachment should be deleted.
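As an added illustration of the two prevention rules above (this is example code written for this archive page, not Symantec's or RootsWeb's software), the following Python filter applies them to attachment file names: it first checks the simple rule of blocking anything whose final extension is .pif or .scr, and only then checks whether the name also matches the worm's name + .DOC/.MP3/.ZIP + .pif/.scr pattern. The name and extension lists are taken from the description above; the sample attachment names at the bottom are constructed for the demonstration.

```python
# Attachment filter for the W32.Badtrans.B@mm naming pattern described above.
# Lists below are copied from the Symantec description quoted on this page.
BADTRANS_NAMES = {
    "HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
    "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS",
}
FIRST_EXTENSIONS = {".doc", ".mp3", ".zip"}   # first appended extension
FINAL_EXTENSIONS = {".pif", ".scr"}           # second (real, executable) extension


def _split_ext(name: str) -> tuple[str, str]:
    """Split 'card.doc.pif' into ('card.doc', '.pif'); no dot gives ('name', '')."""
    head, dot, tail = name.rpartition(".")
    if not dot:
        return name, ""
    return head, "." + tail


def should_block(filename: str) -> bool:
    """Rule 1 above: block any attachment whose final extension is .pif or .scr.

    Comparison is case-insensitive because the worm mixes cases (CARD.DOC.PIF).
    """
    _, final_ext = _split_ext(filename.strip().lower())
    return final_ext in FINAL_EXTENSIONS


def matches_badtrans_pattern(filename: str) -> bool:
    """Rule 2 above: one of the listed names + .DOC/.MP3/.ZIP + .pif/.scr."""
    base, final_ext = _split_ext(filename.strip().lower())
    if final_ext not in FINAL_EXTENSIONS:
        return False
    stem, first_ext = _split_ext(base)
    return first_ext in FIRST_EXTENSIONS and stem.upper() in BADTRANS_NAMES


def triage(attachments: list[str]) -> dict[str, str]:
    """Label each attachment 'badtrans', 'block' or 'allow'.

    'badtrans' is the worm's exact naming pattern; 'block' is any other
    .pif/.scr attachment, which rule 1 rejects regardless of the name.
    """
    verdicts = {}
    for name in attachments:
        if matches_badtrans_pattern(name):
            verdicts[name] = "badtrans"
        elif should_block(name):
            verdicts[name] = "block"
        else:
            verdicts[name] = "allow"
    return verdicts


if __name__ == "__main__":
    # Constructed sample attachment names, not real captured mail.
    sample = ["CARD.DOC.PIF", "NEWS_DOC.MP3.SCR", "family_tree.ged",
              "photo.jpg.scr", "HUMOR.zip"]
    for name, verdict in triage(sample).items():
        print(f"{name:20s} -> {verdict}")
```

Blocking on the final extension alone (rule 1) is the more durable of the two checks: the message notes that several versions of BadTrans exist, and a variant with a different name list would still be caught by it, while an ordinary HUMOR.zip with no executable extension appended is left alone.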
Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.
DO NOT OPEN ANY ATTACHMENTS FROM ANYONE YOU DON'T KNOW! I would recommend
for everyone, if they don't already, to get some type of anti-virus
protection for your computer. There are really good ones out there, and some
are even free, so please, protect yourselves!
BadTrans is sneaky; it will appear as a response to an e-mail you sent,
since it replies to unanswered mail. Remember, you will NEVER receive an
attachment from RootsWeb............they come from the individual's computer
that has become infected. Most of the time, they are not even aware that
they have it. And also remember that there are SEVERAL different versions of
BadTrans; this is only one.
PLEASE watch out for yourselves. If anyone needs help finding anti-virus
software, or if you have any questions, please contact me OFF list.
Diana
List mom for the ACHOR, ACHORD, AR-CIVIL-WAR, AR-OLD-NEWSPAPERS,
AR-RAILROADS, AR-SAWMILLS, ARKANSAS SURNAMES, ARKANSAS, BLACKSMITHING,
CANCER-SUPPORT, COUNTRY-MUSIC, ESSEX, FLINT-KNAPPING, KID-CRAFTS, LAKEY,
OBER, OUTLAWS OF THE OLD WEST, PEOPLES, SHATSWELL, STODGHILL, TELEVISION,
VILLINES, VIOLIN-MAKERS, WOODWORKERS and WORZ mailing lists.