RootsWeb.com Mailing Lists
[DURMAN] Very IMPORTANT Follow-Up to Previous Virus Warning
LISTOWNER
This is a follow-up to yesterday's email about this new dastardly virus. (I'm also sending BCC: copies to several Lists which I do not manage.) It is called "W32/BadTrans.b@MM". It is quite different from the original "W32/BadTrans@MM" virus.

First, here's how it works. When a user becomes infected, the next time he/she reboots the computer, the virus goes through the user's email program and looks for unread emails in all the mailboxes. It picks some of these, makes a reply to them, and sends itself.

Here's the kicker. It uses the infected person's email address as the sender, BUT it adds "_" (underscore) before the real address. The subject line will probably have nothing but "RE:" (nothing else). (In a few of the emails I have received, there WERE subject lines, so you really can't count on seeing only RE:.) The body of the email will be completely blank. There are no attachments, so there is nothing to click. The virus is embedded in the body, with cute code to hide it; the recipient never sees anything but a totally blank message.

(I'm adding this after I finished the email. I just discovered a problem when searching for FROM: addresses that start with <_. There is a problem with people who have their email program set to show both their name and email address in the FROM: header. If such a person is infected, mail from him/her will show, in the header, something like the following:

"John Doe" <_johndoe@wherever.com>

The FROM: element in the header you see before you open the email will show only "John Doe". That's a problem. Either set up a filter to divert infected emails to a separate mailbox, or make sure your system is COMPLETELY protected before you open or preview any more emails.)

In addition, the virus tries to dig through the infected person's computer and send email addresses, credit card numbers, bank account numbers, passwords, etc., back to the writer of the virus.
Anyone using OUTLOOK (not Outlook Express) will infect his/her computer if he/she merely OPENS (reads) or PREVIEWS the email. The email has no attachment to click to activate it; it is activated by opening it, by the hidden HTML code in the email. Again, the virus makes use of the MS01-027 exploit, which means that the virus can execute on READING or PREVIEWING the email from within Outlook - it is not necessary to double click on any attachment, since the email contains no TEXT or ATTACHMENT. The virus is EMBEDDED in the body, but formatted NOT to appear, thus you get a completely blank message if you WERE to open it, which would mean you are already infected when you open the email, IF you haven't done all the following:

1) Installed an Anti-Virus (AV) program;
2) Kept it updated with the latest data files;
3) Have your AV program configured properly to detect email viruses;
4) Downloaded and installed the MS patches for MSIE 5.01 and 5.5.

The patch to fix this exploit has been available from Microsoft since May 16, 2001 !!!!!!!!!!

Where to read the Microsoft Bulletin MS01-027, dated May 16, 2001, and links for downloading the patch for MSIE 5.01 and 5.5:
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp>

Where to read about the W32/BadTrans.b@MM Virus:
<http://www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2607>
<http://www.messagelabs.com/viruseye/report.asp?id=86>

Evidently, MSIE 6.0 is not affected, since all the patches for 5.01 and 5.5 were incorporated into it. But, to be sure, make sure you go to the Windows Update page and check to see which patches your system needs.
<http://windowsupdate.microsoft.com/>

I have seen emails on some of the Lists to which I subscribe, where obstinate users absolutely refuse to install an Anti-Virus (AV) program. They claim they are intelligent and experienced enough to never become infected. NOT SO !!!!!
This latest atrocity is being spread by some of these "superior" users. What users without AV programs don't understand is that they are doing all the rest of us hundreds of million users a great disservice. I'm tired of downloading dozens of messages every day containing this virus (and others).

Someone else will have to provide the information for Norton and other AV programs, but here is what I know about McAfee:
You must have version 4.x or later installed;
You must be using the 4.0.70 or later engine;
You must be using the 4172 or later data file;
You must correctly configure McAfee to catch viruses in emails and downloaded files.

Furthermore, IF you are using Outlook (not Outlook Express):
You MUST not open suspicious emails, or preview them;
You must look at the From: header; if it has an address similar to this, <_someone@somewhere.com>, DON'T open it; all the addresses of the infected persons will be real, except they will have the _ (underscore) in front of them.

If you open or preview an infected message in Outlook, it's too late! You're already infected!

One further thing. If you DO use an AV program, it is imperative that you check for updates often -- at least daily, and, with these souped-up virus versions starting to come out, 2-3 times a day wouldn't hurt. I was lucky. I used the McAfee utility to check for updates and downloaded the latest data file just hours before I started receiving the first bunch of infected emails. Many were not so lucky.

Addition for Eudora users: Set up a filter that looks for <_ in any header; set it to transfer all such emails to a special folder (such as Infected-Email); make sure you also select "Skip Rest" in the second Action box; then move this filter to the very top of your filters.

SgtGeorge
George W. Durman

    11/26/2001 09:09:56
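The post describes three things a recipient can check before opening mail from an infected sender: a From: address whose local part starts with "_" (which a client showing only the display name hides), a subject of bare "RE:", and a body that renders completely blank. The script below is an added example, not part of the list message and not code from any AV vendor named in it; it applies those header checks to raw messages the way the Eudora filter in the post does, using only Python's standard library. It goes slightly beyond the post in one place, labelled as an assumption in the code: when the underscore is absent, it still flags a message that has both a bare "RE:" subject and an empty body. The three sample messages are constructed for the example and are not real captures.

```python
"""Header triage for the mail pattern described in the Durman list post.

Added example (not the list owner's code).  Indicators implemented:
  - "from-underscore": the From: local part begins with "_", checked on
    the address itself so a display name such as "John Doe" cannot hide it;
  - "subject-bare-re": Subject is exactly "RE:" (case-insensitive) or empty;
  - "blank-body": no visible text in any text part, HTML tags stripped.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Collects only the text a mail client would display from an HTML body."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def strip_tags(html):
    parser = _TextOnly()
    parser.feed(html)
    return "".join(parser.chunks)


def sender_address(msg):
    """Bare sender address; parseaddr() discards any display name."""
    _name, addr = parseaddr(str(msg.get("From", "")))
    return addr


def underscore_sender(addr):
    """True when the local part of addr starts with an underscore."""
    local, sep, _domain = addr.partition("@")
    return sep == "@" and local.startswith("_")


def blank_body(msg):
    """True when every text part is empty once markup is removed."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            text = strip_tags(text)
        if text.strip():
            return False
    return True


def triage(raw):
    """Return the list of indicators matched by one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if underscore_sender(sender_address(msg)):
        reasons.append("from-underscore")
    if str(msg.get("Subject", "")).strip().upper() in ("", "RE:"):
        reasons.append("subject-bare-re")
    if blank_body(msg):
        reasons.append("blank-body")
    return reasons


def is_suspicious(raw):
    """Divert on the underscore alone, as the post's filter does.

    Assumption added by this example: a bare "RE:" subject together with a
    blank body is also diverted, since the post says the subject cannot be
    relied on by itself.
    """
    r = triage(raw)
    return "from-underscore" in r or ("subject-bare-re" in r and "blank-body" in r)


# Constructed samples (not real captures): the header shapes the post describes.
SAMPLE_BARE = """\
From: <_johndoe@wherever.com>
To: list@example.invalid
Subject: RE:
Content-Type: text/html

<html><body></body></html>
"""

SAMPLE_DISPLAY_NAME = """\
From: "John Doe" <_johndoe@wherever.com>
To: list@example.invalid
Subject: RE: Durman family records
Content-Type: text/plain

"""

SAMPLE_CLEAN = """\
From: "Jane Roe" <janeroe@wherever.com>
To: list@example.invalid
Subject: RE: Durman family records
Content-Type: text/plain

Jane here, the 1850 census page is in the follow-up.
"""

if __name__ == "__main__":
    for label, raw in (("bare", SAMPLE_BARE), ("display-name", SAMPLE_DISPLAY_NAME),
                       ("clean", SAMPLE_CLEAN)):
        print(label, is_suspicious(raw), triage(raw))
```

The second sample is the case the post adds as an afterthought: the display name "John Doe" is what a folder view shows, but `parseaddr()` returns `_johndoe@wherever.com`, so the underscore rule still fires. Running the checks on the raw message rather than on what the client displays is the whole point of filtering before preview.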