MDDORCHE-L Archives



From: "John S. Wilkinson" <>
Subject: [MD-Dorchester]
Date: Sun, 25 Nov 2001 16:34:55 -0500


I received a Virus from the following address. I am sending
this to all the lists that I am subscribed to.
I believe that I stopped the worm before it sent out to the people in my
address book.
BUT if you receive an email from me, please ignore it. The following are the
instructions for removing it with Norton Antivirus.
Norton did not detect this before it infected my computer. Apparently just
opening the email executed the .scr file embedded in the email.

-----Original Message-----
From: Peggy Payne [mailto:]
Sent: Sunday, November 25, 2001 2:11 PM
To:
Subject: Re: NCPamlico: Hezekiah McOtier/McCotte

It contained the following Virus:


Symantec Security Response
http://securityresponse.symantec.com

W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 24, 2001 at 12:19:48 PM PST
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several
different file names. This worm also drops a backdoor trojan that logs
keystrokes.
Type: Worm
Virus Definitions: November 24, 2001
Threat Assessment:
Wild: Medium
Damage: Low
Distribution: High

Wild:
* Number of infections: 50 - 999
* Number of sites: 3 - 9
* Geographical distribution: Medium
* Threat containment: Easy
* Removal: Easy
Damage:
* Payload:
o Large scale e-mailing: Sends email from addresses found in the default
MAPI program.
o Compromises security settings: Installs keystroke logging Trojan.
Technical description:

This worm arrives as an email with one of several attachment names and a
combination of two appended extensions.

The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the
following:
.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the
following:
.pif
.scr

The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:
1. Corporate email filtering systems should block all email that has
attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the
names listed above. Any email that has such an attachment should be deleted.

Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document "How to
configure Norton AntiVirus to scan all files."
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.




Write-up by: Patrick Martin



John S. Wilkinson
Rome, NY
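The attachment naming scheme and the two prevention rules from the forwarded write-up, turned into a mail-gateway check. This is an added example, not Symantec's code and not part of the original post; the attachment names at the bottom are constructed samples.

```python
"""Attachment-name check for the W32.Badtrans.B@mm naming scheme.

Encodes the three lists from the write-up (base name, first extension,
second extension) and applies both prevention rules: block any .scr/.pif
attachment outright, and additionally flag names that match the worm's
exact NAME.EXT1.EXT2 pattern so the hit can be reported as Badtrans.
"""
import re

# Lists taken from the write-up above (compared case-insensitively,
# since the write-up shows both .pif and .PIF).
BASE_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
              "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
FIRST_EXT = {"DOC", "MP3", "ZIP"}
SECOND_EXT = {"PIF", "SCR"}  # executable types a gateway should block outright

# Exactly three dot-separated parts: NAME.EXT1.EXT2
_DOUBLE_EXT_RE = re.compile(r"^([^.]+)\.([^.]+)\.([^.]+)$")


def classify_attachment(filename: str) -> str:
    """Return 'badtrans', 'blocked-ext' or 'allow' for one attachment name."""
    name = filename.strip()
    final_ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    m = _DOUBLE_EXT_RE.match(name)
    if m:
        base, ext1, ext2 = (part.upper() for part in m.groups())
        if base in BASE_NAMES and ext1 in FIRST_EXT and ext2 in SECOND_EXT:
            return "badtrans"      # exact naming pattern from the write-up
    if final_ext in SECOND_EXT:
        return "blocked-ext"       # prevention rule 1: block all .scr/.pif
    return "allow"


def filter_message(attachments):
    """Gateway decision for one message: ('deliver'|'quarantine', verdicts)."""
    verdicts = {a: classify_attachment(a) for a in attachments}
    decision = "quarantine" if any(v != "allow" for v in verdicts.values()) else "deliver"
    return decision, verdicts


if __name__ == "__main__":
    # Constructed samples: two names from the write-up, one other .scr, one benign.
    sample = ["CARD.DOC.PIF", "news_doc.mp3.scr", "invoice.pdf.scr", "family.jpg"]
    print(filter_message(sample))
```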
