ARNEWTON-L ArchivesArchiver > ARNEWTON > 2001-04 > 0987596629
Subject: [ARNEWTON] Listowner please read
Date: Wed, 18 Apr 2001 08:23:49 EDT
There has been a virus going around and some on the lists are being affected.
A virus will NOT go thru RootsWeb. RootsWeb does not allow attachments to go
thru the lists. BUT if someone has you in their address book from the list
you will be sent the virus and it will appear it came from RootsWeb. At this
time the only list I have that is having problems is AFHA (which has 1000
members) but I want my other lists to be aware and if they get this
attachment they know how to take care of the problem. This information came
to me and I am forwarding it on to you in case you need it. Remember DO NOT
download an attachment unless you do a virus check..even if you know the
person. I am sorry to say at this time I am no longer taking attachments of
pictures for the websites until this thing calms down.
Good luck in your search!
(the following is the virus information)
Symantec AntiVirus Research Center (SARC)
Discovered on: April 11, 2001
Last Updated on: April 16, 2001 at 09:32:39 AM PDT
W32.Badtrans.13312@mm is a MAPI worm that replies to all unread mails in
your email message folders, and drops a backdoor Trojan.
Also Known As: W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans,
Infection Length: 13312
Virus Definitions: April 11, 2001
Large scale e-mailing: It replies to all unread messages in the message
folders within the default MAPI email program.
Compromises security settings: It drops a backdoor Trojan.
When the worm is executed, it drops the backdoor Trojan Hkk32.exe in the
\Windows folder, and then executes it. It then copies itself into the
Windows folder as inetd.exe, adds a run= line to the Win.ini, and displays
the following message:
(An error box pops up and it say's .... INSTALL ERROR probable due to bad
The next time that the computer is rebooted, the worm will wait for 5
minutes, then it will use MAPI to find all unread email messages and reply
to all of them. The worm will attach itself to the email, using one of the
following file names:
To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus
2. Start Norton AntiVirus (NAV), and then run a full system scan, making
sure that NAV is set to scan all files.
3. Delete any files detected as W32.Badtrans.13312@mm.
4. Click Start, and click Run.
5. Type sysedit and then click OK.
6. Click the title bar of the Win.ini file.
7. In the [windows] section, locate the run= line. It will look similar to
8. Remove the text to the right of the = sign, so that the line now reads:
9. Save your changes and exit the System Configuration Editor.>