HOFMANN-L Archives


From: "Michael G. McManness" <>
Subject: [Hofmann] [admin] Important Virus Warning Information!
Date: Mon, 26 Nov 2001 18:59:37 -0600

Hi Everyone,

This virus has a very high penetration rate and is successful in the
payload. The virus is undetectable in some instances because it is embedded
in HTML. It appears there's a new strain of the Bad Trans virus running
rampant through the maillist subscribers. This one is the
<W32.Badtrans.B@mm>. For benefit of you newbies, the BadTrans is a nasty
little worm that gets into your computer and mails out messages without your
knowledge. This new version of the worm also drops a backdoor trojan that
logs keystrokes. Those messages contain an attachment with the virus.

A quick lesson here for those of you who don't know ...

1. You should ALWAYS be extremely cautious when it comes to opening
attachments. If you receive one that you didn't expect, before
opening it write back to the sender to see if s/he mailed something to
you and find out what it is.

2. You will NEVER receive a virus through a RootsWeb maillist, but if
get infected, their computer may send you the virus, which *may* have a
list subject line.

3. This new strain of BadTrans is going to make life difficult for a
LOT of people. Note the differences:

The first wave of BadTrans virus messages always had a standard "Take a
look to the attachment." at the end of the message but above the
attachment. Also, those messages had double extensions (for example:
filename.exe.pif OR filename.doc.scr OR filename.txt.exe OR any other
combination of extensions), know immediately that your message is
holding a virus. Do not open the attachment, but delete it immediately.

According to people who have already received infected messages this newer
strain of BadTrans virus is even nastier than the first because it is
undetectable in some instances because it is embedded in HTML, the
attachment may not show or there is a false (second) extension. It appears
to have filename.doc or filename.txt BUT THE REAL EXTENSION (.scr or .exe)
IS 59 SPACES TO THE RIGHT. Also, the message size will be around 29 or 30k
even if no words show up. Many of the messages are blank. One other clue,
the email addresses of the sending computers are altered by having an
character preceding the address <>.

You are strongly encouraged to keep your virus protection updated on a
daily basis ~ or at least every other day.

If you receive an infected message please do two things:

1. Advise the family of the fact you've received an infected message and
from whom.

2. Send me the name and email address of the person with the infected
computer as well as the list name.

If YOU have the infected computer I will unsubscribe you from the maillist
until you've cleaned your machine and let me know about it. This is for
protection of the other subscribers' computers. You can read about this
virus and how to remove it from your system on the Norton Symantec site ...
http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

If you have any questions or comments you're welcome to email me

I hope this information helps. If you have problems or further questions
please let me know. :-) Thanks, Mike


Michael G. McManness, a Jayhawk through and through, eating, sleeping,
breathing, and bleeding Crimson and Blue near the University of Kansas.
Family genealogist and research historian. "Character may be manifested in
the great moments, but it is made in the small ones." --- Phillip Brooks
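
The attachment-name clues described in the message above (a document-style extension followed by an executable one, and a real extension pushed out of view by a run of spaces) can be checked mechanically before a message reaches a reader. This is an added example, not part of the original message; the function name, the padding threshold and the sample filenames are assumptions made for illustration.

```python
import re

# Extensions the message names as the real, executable ones.
EXECUTABLE_EXTS = {"exe", "pif", "scr"}
# Document-style extensions the message names as the visible decoy.
DECOY_EXTS = {"doc", "txt"}
# Assumption: three or more consecutive whitespace characters count as
# padding (the message reports 59 spaces before the real extension).
PADDING_RUN = re.compile(r"\s{3,}")


def check_attachment_name(filename):
    """Return the reasons (possibly none) an attachment name looks deceptive."""
    reasons = []
    if PADDING_RUN.search(filename):
        reasons.append("whitespace-padding")
    # Remove all whitespace so a padded extension is compared like any other.
    collapsed = re.sub(r"\s+", "", filename).lower()
    exts = collapsed.split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        # Double extension: a known extension sits directly before the real one.
        if len(exts) >= 2 and exts[-2] in (DECOY_EXTS | EXECUTABLE_EXTS):
            reasons.append("double-extension")
    return reasons


# Constructed sample names, modelled on the patterns in the message.
SAMPLES = [
    "filename.doc.scr",
    "filename.exe.pif",
    "filename.txt" + " " * 59 + ".exe",
    "family tree.doc",
    "setup.exe",
]

if __name__ == "__main__":
    for name in SAMPLES:
        # Show the name with padding made visible, then the findings.
        print(repr(name), "->", check_attachment_name(name) or "no findings")
```

A mail filter would call `check_attachment_name` on every attachment filename and quarantine any message for which the returned list is not empty.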

