ARNEWTON-L Archives
From:
Subject: [ARNEWTON] Listowner please read
Date: Wed, 18 Apr 2001 08:23:49 EDT
There has been a virus going around and some on the lists are being affected.
A virus will NOT go thru RootsWeb. RootsWeb does not allow attachments to go
thru the lists. BUT if someone has you in their address book from the list
you will be sent the virus and it will appear it came from RootsWeb. At this
time the only list I have that is having problems is AFHA (which has 1000
members) but I want my other lists to be aware and if they get this
attachment they know how to take care of the problem. This information came
to me and I am forwarding it on to you in case you need it. Remember DO NOT
download an attachment unless you do a virus check, even if you know the
person. I am sorry to say at this time I am no longer taking attachments of
pictures for the websites until this thing calms down.
Good luck in your search!
Kathy
(the following is the virus information)
<<http://www.symantec.com/avcenter/venc/data/pf/
Symantec AntiVirus Research Center (SARC)
W32.Badtrans.13312@mm
Discovered on: April 11, 2001
Last Updated on: April 16, 2001 at 09:32:39 AM PDT
W32.Badtrans.13312@mm is a MAPI worm that replies to all unread mails in
your email message folders, and drops a backdoor Trojan.
Also Known As: W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans,
I-Worm.Badtrans, TROJ_BADTRANS.A
Category: Worm
Infection Length: 13312
Virus Definitions: April 11, 2001
Threat Assessment:
Payload:
Large scale e-mailing: It replies to all unread messages in the message
folders within the default MAPI email program.
Compromises security settings: It drops a backdoor Trojan.
Technical description:
When the worm is executed, it drops the backdoor Trojan Hkk32.exe in the
\Windows folder, and then executes it. It then copies itself into the
Windows folder as inetd.exe, adds a run= line to the Win.ini, and displays
the following message:
(An error box pops up and it says .... INSTALL ERROR probable due to bad
data transmission...)
The next time that the computer is rebooted, the worm will wait for 5
minutes, then it will use MAPI to find all unread email messages and reply
to all of them. The worm will attach itself to the email, using one of the
following file names:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
Removal instructions:
To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and then run a full system scan, making
sure that NAV is set to scan all files.
3. Delete any files detected as W32.Badtrans.13312@mm.
4. Click Start, and click Run.
5. Type sysedit and then click OK.
6. Click the title bar of the Win.ini file.
7. In the [windows] section, locate the run= line. It will look similar to
the following:
run=c:\windows\inetd.exe
8. Remove the text to the right of the = sign, so that the line now reads:
run=
9. Save your changes and exit the System Configuration Editor.>
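
Every attachment name in the list above ends in .scr or .pif, usually behind a harmless-looking extension such as .ZIP or .TXT. As an added example (not part of the original post or the Symantec write-up), here is a small Python check a mail filter or list owner could apply to attachment names; the function names and the benign sample names are constructed for illustration.

```python
import ntpath

# Final extensions used by every attachment name in the advisory; Windows runs both.
EXECUTABLE_EXTS = {".scr", ".pif"}
# Harmless-looking extensions the advisory's names place before the real one.
DECOY_EXTS = {".zip", ".txt", ".doc", ".avi", ".mp3"}


def classify_attachment(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    name = ntpath.basename(filename).rstrip(". ").lower()
    stem, ext = ntpath.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    # Look at the extension hidden in front of the real one, if any.
    _, inner = ntpath.splitext(stem)
    return "double-extension" if inner in DECOY_EXTS else "executable"


def screen(filenames):
    """Return {name: verdict} for every name that should be held back."""
    verdicts = {}
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "ok":
            verdicts[name] = verdict
    return verdicts


# The first four names come from the advisory's list; the rest are constructed.
SAMPLE_NAMES = [
    "Pics.ZIP.scr",
    "images.pif",
    "YOU_are_FAT!.TXT.pif",
    "s3msong.MP3.pif",
    "family_tree.zip",   # constructed: benign archive
    "census_1880.txt",   # constructed: benign text file
    "CARD.PIF. ",        # constructed: upper case with trailing dot and space
]

if __name__ == "__main__":
    for name, verdict in screen(SAMPLE_NAMES).items():
        print(f"{verdict:17} {name!r}")
```

The check looks only at the name, so it complements the virus scan the post asks for rather than replacing it.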