RootsWeb.com Mailing Lists
    1. Re: [ALBERTA] F-Secure Virus Descriptions- Badtrans etc. NO Attach.
    2. ÷j.
    3. [ I apologize in advance for the length of this post.. Given the explosion of the BADTRANS virus, i believe it's necessary. ]

I have no idea which <total> message this one <from Ron > was a reply to*; but since it contains several errors, that can mislead people, i think it's important to rectify the information that was provided < and likewise i mean no offense! >.

a) Whether U see the incoming message as a message with an attachment or not depends on the software *U* are using...., not on what software the message was sent with. Thus for instance users of programs like COMMUNICATOR <Eudora; Eudora Lite or Eudora Pro?> will/may see a large "empty" message because of the way it deals with the incoming attachments. But the message will be abt 40K in size!!!

b) BADTRANS gets "shipped out" as an attachment!

c) Gary is 100% correct, when he says that attachments can not go thru this list... ROOTSWEB.COM simply does not allow attachments. PERIOD. **

That said:

d) Messages do tend to arrive from fellow subscribers who are infected, especially IF U have had previous contact with them... IF U have posted a message to the list server, then likely your e-ddress will have been picked up by those recipients whose e-ddress-book automatically updates the "contacts list"...; others, who have answered a message will also have yer e-ddress.... AND THAT'S WHERE the fun starts, if and when that person's computer is infected.

e) BADTRANS has added a new twist.. it will also "answer" unread messages... AND it will extract e-ddresses from cached information on a user's computer.

CONCLUSION: it's useless to "blame the list server"; it's best to notify the originator of the message that his or her system is infected; and if U can offer ( technical ) help.

ADVICE: BE absolutely sure to slam the door on this virus class*** by installing the required security patches from Microsoft, that have been available since last April, if U insist on using an older version of their browser. The weakness existed in Internet Explorer 5.01 and 5.5; i believe that 6.0 is OK!

In addition to the above, i like to add the following caution: EVEN if U are "up-to-date" on your AV ( anti-virus ) software, there is no guarantee that U will detect the incoming virus on a scan!!! I have - with the recent influx of BADTRANS.b - discovered that [my up-to-date] McAfee## AV, as well as one other AV package FAILED TO DETECT same!!! < see footnotes ## & ### >

*I* had already detected the suspicious nature of these messages < without any software; simply by observation > but it took several attempts at analysis and multiple scans with different products and under different conditions to confirm the presence of the BADTRANS virus in the many incoming messages. I can and will provide details to interested persons.

Finally WITH or WITHOUT AV software: DO NOT OPEN ATTACHMENTS that are unknown to U! Ask the sender what U are supposed to have received!

Hope this helps,
;j.
Jay W. Meeuwig

* i didn't receive Gary's original message
** I am also a list administrator at rootsweb.com.
*** That only solves the automatic invocation of the virus infection via the preview pane... < "execution" of unknown attachments IS and WILL REMAIN a lethal business! >

NOTE: Technical description:
When the worm is executed, it drops the backdoor Trojan Hkk32.exe into the \Windows folder and executes it. It then copies itself into the \Windows folder as inetd.exe, adds a run= line to the Win.ini file, and displays the following message: Install Error < etc. etc. ; see *>
The next time that the computer is restarted, the worm waits for five minutes and then uses MAPI to find all unread email messages and reply to all of them. The worm attaches itself to the message using one of the following file names: < a list follows ; see # >

# securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.13312@mm.html
## SADLY McAfee hides behind: "...... We have received many reports from the home users that they have become infected. It is believed that failure to update recently has caused this increase in occurrence. " See
### http://www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2607

----- Original Message -----
From: "Ron Davies" <welt7@shaw.ca>
To: <ALBERTA-L@rootsweb.com>
Sent: Tuesday, November 27, 2001 6:15 PM
Subject: [ALBERTA] F-Secure Virus Descriptions- Badtrans etc. NO Attach.

> Hi Gary et al
>
> These forums aren't really the place to talk viruses but I must differ with
> Gary Boivin. The Badtrans virus comes embedded into an email sent
> only via Outlook or Outlook Express. It does NOT have to be in an
> attachment. Gary, I mean no offense and you are correct that the
> worm is in somebody else's computer.
>
> Just this minute Badtrans was in my inbound mail and Norton intercepted
> and disposed of it. If you want to know more go to Norton or McAfee or read
> yesterday morning's Globe and Mail.
>
> If you think you have it on board, do clean your system as Badtrans
> places a file on your system such that it can/may send data back to
> its origin including credit card numbers if you shop on line.
>
> By the way, this is not the only `worm' that can arrive embedded within
> a message. Oh yes, my mail just now included NO ATTACHMENTS
> and I used only Eudora Pro.
>
> You all can read about this worm at:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.13312@mm.html
>
> If this line appears broken be sure to enter all or simply go to Symantec
> and enter Badtrans into the search, select viruses and hit Enter. Ensure
> your Win.ini file's run= statement is blank. For assurance, also do a full
> scan of all files and replace any that are suspect.
>
> Ron Davies
> Surrey, BC
>
> At 02:27 PM 11/27/01 -0700, Gary Boivin wrote:
> >Attachments cannot come through the list...
> >Hence... You cannot get a virus through the list...
> >
> ______________________________

    11/28/2001 03:16:47
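
The two checks mentioned in the thread (a blank run= statement in Win.ini, and the file names inetd.exe and Hkk32.exe in the \Windows folder) can be scripted. The following is an added example, not part of the original posts; the function names are hypothetical, the Win.ini text and folder listing are passed in as plain data, and the sample values are constructed.

```python
import ntpath

# File names taken from the technical description quoted in the post.
DROPPED_NAMES = {"inetd.exe", "hkk32.exe"}

def run_entries(win_ini_text):
    """Programs listed on run= in the [windows] section of a Win.ini text."""
    section, entries = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "windows" and key.strip().lower() == "run":
            # Several programs may be listed, separated by spaces or commas.
            # Simplification: paths containing spaces are not handled.
            entries += value.replace(",", " ").split()
    return entries

def check_system(win_ini_text, windows_dir_listing):
    """Return (finding, value) pairs for the traces the post describes."""
    findings = []
    for entry in run_entries(win_ini_text):
        name = ntpath.basename(entry).lower()
        tag = "named worm file on run=" if name in DROPPED_NAMES else "non-blank run="
        findings.append((tag, entry))
    for fname in windows_dir_listing:
        if fname.lower() in DROPPED_NAMES:
            findings.append(("named file in \\Windows", fname))
    return findings

# Constructed sample data, not taken from a real machine.
CLEAN_INI = "[windows]\nload=\nrun=\nNullPort=None\n"
INFECTED_INI = ("; constructed sample\n[Windows]\nload=\n"
                "RUN = C:\\WINDOWS\\INETD.EXE\n[Desktop]\nrun=ignored.exe\n")
INFECTED_DIR = ["NOTEPAD.EXE", "INETD.EXE", "Hkk32.exe"]

if __name__ == "__main__":
    for finding in check_system(INFECTED_INI, INFECTED_DIR):
        print(finding)
```

A "non-blank run=" finding only means the entry deserves a look; legitimate software of that era also used the run= line.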