Thanks Gene for the heads-up. It's appreciated.

Rene'e Davis - Assistant Research Director
Pennington Research Association - Group 9
www.penningtonresearch.org

----- Original Message -----
From: "Gene Pennington" <genepenn1@home.com>
To: "PRA-L" <PRA-L@rootsweb.com>
Cc: "William J. Pennington" <bcpenn@okeechobee.com>; "Barrie Petty" <sunhue@efortress.com>; "Bobby Pennington" <bobpenn1@home.com>; "Carmen Johnson" <carmenmjo@cableone.net>; "Hal Pennington" <penningt@socket.net>; "Jeanne Thomas" <genealogy_jeanne@hotmail.com>; "Jim Pennington" <jwpslp@bellsouth.net>; "Joanne Pennington" <LizPenn1@aol.com>; "Lana Pennington" <lacroix@ihug.co.nz>; "Martha Mourning" <mmourn@binghamton.edu>; "Mike Pennington" <pendrak@airmail.net>; "Nick Penington" <npenington@netmail.hscbklyn.edu>; "Paul Pennington" <paulpenn@knology.net>; "Ralph L. Pennington" <randspenn@tanet.net>; "Rene'e Davis" <fogle@home.com>; "Ric Blake" <RBlake2675@aol.com>; "Rod Pennington" <rodpenn@iquest.net>; "Ruth Voshell Stonesifer" <rstone17@epix.net>; "Shaunta Knibb" <shaunta@mindspring.com>; "Shirley Erickson" <shirley@htcomp.net>; "Sue Webb" <MSwebb2@aol.com>; "Viola Ell" <vigeo2@earthlink.net>; "Al Matthews" <ALMatthewsJR@aol.com>; "Alice Sanders" <asanders@tdn.com>; "Ann Bailey" <av.bailey@starpower.net>; "Barbara Pennington" <bpen1929@cwnet.com>; "Chuck Pennington" <cpen1927@cwnet.com>; "John L. Pennington" <jpenning1@home.com>; "Rod Swanson" <rswa105449@aol.com>; "'Margaret Wood (E-mail)'" <me2wood@aol.com>; "'Flo Readiger (E-mail)'" <flomae@swbell.net>
Sent: Monday, November 26, 2001 10:02 PM
Subject: Virus Warning: Badtrans Exploiting Old IE Vulnerability

> I have received three (3) e-mail messages today infected with this
> virus! Be careful!
>
> Gene Pennington (Group 7)
> Research Director
> Pennington Research Association
> www.penningtonresearch.org
>
> To help you, here is the text of a message I received today from an
> associate, Software Engineering Unlimited (SEU), and his advice:
>
> ==================================
>
> If you already followed my recommendations to update Internet Explorer
> (to protect from the Nimda worm virus) and have your virus definitions
> updated daily, you are safe. Unfortunately it appears that a lot of
> people have still not updated their version of Internet Explorer (IE),
> because a new worm virus named Badtrans, which takes advantage of the
> same vulnerability in IE as the Nimda worm virus, has been spreading
> rapidly since last Friday. MessageLabs (a Managed Service Provider
> (MSP) specializing in e-mail security) was seeing 350 copies/hour over
> the weekend (which is an extremely high volume of infected messages
> given it was the weekend) and over 600/hour starting early this
> morning (this is a record).
>
> The virus is known by the names W32.Badtrans.B@mm (Symantec),
> W32/Badtrans.b@MM (McAfee), TROJ_BADTRANS.B (Trend), BadTrans
> (F-Secure), and others. For more information, see
> http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html,
> http://vil.nai.com/vil/virusSummary.asp?virus_k=99069,
> http://www.messagelabs.com/viruseye/report.asp?id=86
>
> The virus initially infected largely the home user community. The home
> user community is often fertile ground for new viruses, because home
> users do not tend to have comprehensive virus protection and do not
> update their software with security fixes quickly. Following the
> wide-scale spread of the virus by home user accounts over the weekend,
> the virus then lay dormant in company e-mail servers waiting for
> Monday morning.
>
> The Badtrans worm virus was detected heuristically by most virus
> protection software before updated definition files were available.
> All the virus protection vendors released definitions to detect the
> virus over the weekend, and users who update their definitions daily
> were protected before Monday morning. A new definition file is needed
> to detect the b variant.
>
> The b variant is a mutation of the original W32.BadTrans-mm.
>
>
> Threat Analysis
> ---------------
>
> - Large scale e-mailing
>
> - Compromised security
>   Installs keystroke logging Trojan KDLL.DLL, used to send
>   confidential information (passwords, credit card details etc.) from
>   infected computers to an email address of the virus writer.
>
>
> Message Summary
> ---------------
>
> The worm is contained in an e-mail attachment with one of several
> names and a combination of two appended extensions (double
> extensions). The second (final, effective) extension is .pif or .scr.
> You need to have Windows Explorer configured to not hide known
> extensions so that you can see the real extension of the attachment
> (one of my long-standing and Nimda protection recommendations).
> Otherwise the attachment will look like a harmless .doc, .mp3, or .zip
> file.
>
>
> Infection Methods
> -----------------
>
> The virus arrives via e-mail and exploits the vulnerability in
> Internet Explorer described in Microsoft Security Bulletin MS01-020,
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp, which
> means that the virus can execute on reading or previewing the infected
> message from within Outlook (Express) - it is not necessary to open
> any attachment! The security bulletin was released in March 2001 and
> IE should have been patched a long time ago, but many people still
> have not installed this patch. The patch for security bulletin
> MS01-020 has been superseded by the patch included in MS01-027, which
> has been superseded by the patch included in MS01-055,
> http://www.microsoft.com/technet/security/bulletin/MS01-055.asp.
>
> If executed, the worm will mass-mail itself, probably as replies to
> unread messages in your inbox.
>
>
> What You Should Do Now
> ----------------------
>
> This should sound familiar because it is some of the same
> recommendations as protection from Nimda. All of these recommendations
> apply if you have not already done them (including to your home
> computer).
>
> (1) Install the updates to Internet Explorer. Any of the patches
> MS01-020, MS01-027, or MS01-055 will protect from the vulnerability
> used by the Badtrans and Nimda worm viruses. You cannot apply MS01-055
> unless you have upgraded to SP2 for IE 5.01 or IE 5.5, so it clearly
> makes sense to get SP2 installed and not apply MS01-027. If you are
> going to update IE, it makes sense to update to IE version 6, unless
> you are still running Windows 95 (IE 6 requires Windows 98 or later).
> IE 6.0 Caveat: If you are using Windows 95, 98, 98SE or ME, and choose
> to eliminate this vulnerability by upgrading from an affected version
> to IE 6, be sure that you include the Outlook Express component (even
> if you use Outlook and not Outlook Express) when installing Internet
> Explorer, as discussed in the security bulletin FAQ.
>
> (2) The Microsoft Outlook Email Security Update, Outlook 2002, and
> Outlook Express 6 can be configured to prevent certain e-mail
> attachments from arriving in your inbox. The .pif and .scr extensions
> used by the Badtrans worm virus are in the list of unsafe file types
> not allowed in attachments. If you have not already installed the
> appropriate security update or upgraded to Outlook Express 6, consider
> installing these upgrades. These updates might not be for everyone. If
> you need more information about whether or not these updates would be
> appropriate for you, please ask.
>
> (3) Disable the preview pane for all folders in Outlook (Express).
>
> (4) Configure Windows Explorer to not hide extensions for known file
> types.
>
> (5a) Configure your virus protection software to scan files with
> extensions .pif and .scr. SEU is scanning all file types in e-mail
> messages and now recommends scanning all file types with real-time
> file system protection.
>
> And
>
> (5b) Configure it to use the highest level of heuristic detection.
> Configure virus protection software to update virus definitions daily.
>
> Any ONE of these recommendations would have protected you from the
> Badtrans worm virus. However, please perform ALL the recommendations.
>
> End
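The "Message Summary" section above describes the worm's disguise: an attachment named with two extensions, where only the final one (.pif or .scr) is the effective one and the first (.doc, .mp3, .zip) is a decoy. The script below is an added example for this archive page, not code from the original message or from SEU. It parses a raw e-mail with Python's standard library, walks the attachments, and flags any whose effective extension is executable, distinguishing a bare executable from one hidden behind a decoy extension. Only .pif and .scr come from the page; the other executable extensions in the set, and the sample message itself, are assumptions constructed for the example.

```python
"""
Flag e-mail attachments that hide an executable behind a double
extension, as the forwarded warning describes (e.g. "Card.doc.pif").

Added example for this page; not code from the original message or
from SEU. The sample message below is constructed for the example and
is not a real Badtrans capture.
"""
import email
from email import policy
from email.message import EmailMessage

# .pif and .scr are the effective extensions named in the warning.
# The remaining entries are an assumption: other Windows executable
# types that a gateway would normally block as well.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}

# Extensions the warning says the attachment is disguised as.
DECOY_EXTENSIONS = {".doc", ".mp3", ".zip"}


def split_extensions(filename):
    """Return the lowercase extensions of a filename in order,
    e.g. 'Card.MP3.pif' -> ['.mp3', '.pif']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(filename):
    """Classify one attachment filename.

    'executable'       - final extension is an executable type
    'double-extension' - executable hidden behind a decoy extension
    'ok'               - nothing suspicious about the name
    """
    exts = split_extensions(filename)
    if not exts:
        return "ok"
    final = exts[-1]                 # the extension Windows actually honours
    if final not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return "double-extension"
    return "executable"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return (filename, verdict) pairs
    for every attachment whose name is flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue                 # unnamed parts are not what this check targets
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def build_sample():
    """Construct a sample message with one decoy-named executable
    attachment and one harmless text attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("Take a look at the attachment.")
    # Hypothetical payload bytes; only the filename matters here.
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="Card.DOC.pif")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

The check is deliberately based on the last extension, not the first, because that is the one Windows uses to choose the handler; a filter that trusts the first extension is exactly what the double-extension trick defeats. Run on the sample it reports `double-extension: Card.DOC.pif` and says nothing about `notes.txt`.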