Hello List,

I also received the BadTrans virus last week when I was using Outlook as my primary email program. This virus only affects Outlook users, so while I was trying to figure out how I got it and clean it, I switched to using Outlook Express. Apparently, it's a good thing I did because this virus must be still making the rounds on this list.

My advice to anyone... the best way to avoid most of the viruses and worms that make their rounds in email is to download Eudora Light and use it as your email program instead of MS Outlook or MS Outlook Express. Most viruses are designed to primarily infect only the Microsoft products that work in conjunction with Windows. If you stop using Outlook and Outlook Express, you will drastically cut the possibility of being infected with an email virus or worm.

Here is the complete information about this virus (its full name is w32/[email protected]) and how to get rid of it:

W32/[email protected] is a Medium Risk Virus

Virus Characteristics:

This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).

When run, the worm displays a message box entitled "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan) and HKSDLL.DLL (a keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:

HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

Once running, the trojan attempts to mail the victim's IP address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/[email protected]):

Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

The message body may contain the text: Take a look to the attachment.

AVERT first received an intended version of this worm (10,623 bytes) on April 11 from a company in New Zealand.

Indications Of Infection:
- Presence of the file %WinDir%\INETD.EXE
- Presence of the file %SysDir%\KERN32.EXE
- Email correspondence noting that you've sent them an attachment when you did not.

Method Of Infection:

This worm utilizes MAPI messaging to mail itself to regular email correspondence.
It will arrive as an attachment that is 13,312 bytes in length and uses one of the following names (note that some of these filenames are also associated with other threats, such as W95/[email protected]):

Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

The message body may contain the text: Take a look to the attachment.

Removal Instructions:

Use specified engine and DAT files for detection and removal.

Manual Removal Instructions
1. Restart the computer in MS-DOS mode.
2. Delete the files mentioned.
3. Restart Windows.
4. Delete the registry keys as mentioned.

Windows ME Info:

NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
Virus Information:
Discovery Date: 4/11/01
Origin: Unknown
Length: 13,312
Type: Virus
SubType: Internet Worm
Risk Assessment: Medium

Aliases: Backdoor-NK.svr, BadTrans (F-Secure), I-Worm.Badtrans (AVP), [email protected] (NAV)
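As an added illustration (not part of the original post or of the AVERT write-up), a small Python checker built on the indicators quoted above: it classifies an attachment by the listed filenames and the 13,312-byte length, and scans the text of a WIN.INI file and a flattened "key\value=data" registry listing for the two persistence entries. The double-extension heuristic goes beyond the write-up (every listed name uses that disguise); the sample WIN.INI and registry lines are constructed, not captured from a real system.

```python
import re

# Attachment names listed in the description (matched case-insensitively) and
# the length of the arriving attachment as stated there.
BADTRANS_NAMES = {
    "card.pif", "docs.scr", "fun.pif", "hamster.zip.scr", "humor.txt.pif",
    "images.pif", "new_napster_site.doc.scr", "news_doc.scr", "me_nude.avi.pif",
    "pics.zip.scr", "readme.txt.pif", "s3msong.mp3.pif", "searchurl.scr",
    "setup.pif", "sorry_about_yesterday.doc.pif", "you_are_fat!.txt.pif",
}
BADTRANS_SIZE = 13312
# Generalisation (mine, not from the description): a document-looking name that
# really ends in an executable extension, the disguise every listed name uses.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(pif|scr|exe|com|bat)$", re.I)

def classify_attachment(name, size):
    """'badtrans' on an exact name+size match, 'suspicious' for a listed name
    or a disguised double extension, otherwise 'ok'."""
    low = name.lower()
    if low in BADTRANS_NAMES and size == BADTRANS_SIZE:
        return "badtrans"
    if low in BADTRANS_NAMES or DOUBLE_EXT.search(low):
        return "suspicious"
    return "ok"

def find_startup_indicators(win_ini, reg_listing):
    """Return evidence lines for the WIN.INI run= entry and the RunOnce /
    Windows NT RUN values described above."""
    hits = []
    for line in win_ini.splitlines():
        low = line.strip().lower()
        if low.startswith("run=") and "inetd.exe" in low:
            hits.append("WIN.INI: " + line.strip())
    for line in reg_listing.splitlines():
        low = line.lower()
        if ("runonce" in low and "kernel32" in low and "kern32.exe" in low) or \
           ("windows nt" in low and "run=" in low and "inetd.exe" in low):
            hits.append("registry: " + line.strip())
    return hits

# Constructed sample data (hypothetical), shaped like the entries quoted above.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n"
SAMPLE_REG = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\kernel32=kern32.exe\n"
              "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ScanRegistry=scanregw.exe\n")

if __name__ == "__main__":
    print(classify_attachment("Humor.TXT.pif", 13312))
    print(find_startup_indicators(SAMPLE_WIN_INI, SAMPLE_REG))
```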