RootsWeb.com Mailing Lists
[SCMARION-L] How The Bad Trans. Virus Works
I thought this would help everyone. Sgt. George has given permission to post this to any list. I hope it is OK with the List Mom.

Barbara Vestal Byrd

The below is from Sgt George on the VIRUS-DISCUSSION-LIST:

>
>OK, let's see if I can explain this so that everyone understands
>how these latest viruses, trojans, and worms work.
>
>Let's start with the very latest, W32/Badtrans@MM, also seen
>as W32/Badtrans@M. Here are other aliases that have been
>found:
>
>Backdoor-NK.svr,
>BadTrans (F-Secure),
>I-Worm.Badtrans (AVP),
>W32.Badtrans.13312@mm (NAV).
>
>There are several things about this one that need to be discussed:
>how it is spread, and the danger to the infected user's computer.
>
>1) W32/Badtrans@MM is received as a REAL attachment
>(more about "real" vs. "inline" attachments later). It comes as an
>actual file attachment, which is downloaded to a user's computer
>into whatever directory is set up for such downloads. For
>Eudora, Pegasus, and other "stand alone" email programs,
>this will be something like "Downloads", "Attachments", etc.
>For MS Outlook and MS Outlook Express, I'm not sure where
>a separate attached file is placed.
>
>2) A user's computer is NOT infected UNTIL he/she clicks on
>the attachment and "runs" it, that is, executes it so that it does
>whatever it's supposed to do.
>
>3) Once a user clicks the attachment, it installs itself onto the
>user's computer. It then does two things:
>
> a) It propagates itself so that every time the system is rebooted,
>it mails itself to the sender of EVERY UNREAD EMAIL in the user's
>MS Outlook FOLDERS. Notice that I say "folders", not "folder".
>That means that if you filter incoming email into various created
>folders, this trojan/virus searches all of them, not just the IN BOX.
>
> HERE'S THE REALLY DIRTY PART: The virus looks through
>all those unread emails; it finds the originator of them (FROM:)
>and REPLIES to the person who sent the original email. BUT,
>it also attaches a copy of the infected file and mails it along
>with the "reply". Thus, if John Doe sends an email to a person,
>or to a Mailing List, when that email ends up on another user's
>email program, and that other user is infected and hasn't read
>John's email, John receives a reply containing a copy of the
>virus as a separate clickable file.
>
> HERE'S WHY USERS KEEP INSISTING THAT VIRUSES CAN
>BE SPREAD BY ROOTSWEB MAILING LISTS, AND WHY
>THEY THINK THE ATTACHMENT CAME THROUGH A
>MAILING LIST: Let me give an example -
>
> John Doe sends a post to the SMITH-L Mailing List. John
>Doe's system is NOT infected. Every one of the 2,000+ users
>of the SMITH-L Mailing List receives a copy of John's
>email. One of these users, let's call him Bill Smith, has the
>W32/Badtrans@MM virus on his system.
>
> Now, Bill has a copy of John's email in his Outlook program.
>He doesn't read it right away. He reboots his computer and,
>when Windows restarts, the virus looks through Bill's email
>in Outlook. It sends a reply to the sender of EVERY unread
>email, AND attaches a copy of itself as a separate attachment.
>It copies all the original headers, including those that show
>the email came through SMITH-L@rootsweb.com.
>
> Then John, the original sender of the email, receives a
>"reply" to his email, from Bill. John looks at the email and
>sees that it is a reply to his original post. He also sees
>SMITH-L@rootsweb.com in several of the headers. As
>far as he's concerned, he has received a normal reply back
>through the Mailing List.
>
> If John is a "newbie", one of two things happens:
>
> I) He sees an attached file, with a message something like,
>"Take a look to the attachment." He says to himself, "This
>Bill Smith is answering my original post, AND he has sent
>me an attachment which is probably a file having something
>to do with information on my query." He clicks the attachment;
>thus ANOTHER SMITH-L Mailing List user is infected.
>
>or
>
> II) He is savvy enough to know NOT to open the attachment,
>BUT from the looks of the "reply" it appears that it came
>back to him via the Mailing List. He screams and curses,
>and says, "I knew it! I don't care what the Listowners and
>the folks at Rootsweb say, these virus attachments ARE
>coming through the Mailing List!" He then posts angry
>posts to all the Mailing Lists to which he subscribes,
>calling the Listowners and Rootsweb people liars. He
>thus starts another round of uninformed posts about how
>attachments CAN be passed through Mailing Lists, and
>about how viruses CAN also be passed through the Lists.
>
> In short, this virus/trojan tricks recipients of infected
>email into thinking the virus is being propagated via a
>Mailing List. NOT SO !!!!!
>
> b) The other thing this virus/trojan does is this:
>
> Once running, the trojan attempts to mail the victim's IP
>Address to the author. Once this information is obtained,
>the author can connect to the infected system via the Internet
>and steal personal information such as usernames and passwords.
>In addition, the trojan also contains a keylogger program which is
>capable of capturing other vital information such as credit card
>and bank account numbers and passwords.
>
>4) THIS IS WHY EVERY COMPUTER USER MUST HAVE
>A FIREWALL ON HIS/HER COMPUTER !!!!! It doesn't matter
>whether you are using a dialup modem, a cable modem, DSL,
>or whatever, you NEED a firewall. A firewall is nothing more
>than a small utility that prevents malicious people from entering
>your system through a "back door". Once such a person has
>your IP address, he/she can connect to your computer any
>time your modem is connected, which is 24/7 for everyone but
>those using a dialup modem. Of course, a dialup modem is
>accessible only when you are actually "online".
>
>5) So, PLEASE, let's stop this latest round of blaming Rootsweb
>Mailing Lists for allowing attachments, and for propagating
>viruses, trojans, worms, etc. I know that in the future, as new
>users subscribe, many of them will come to the same erroneous
>conclusions and start the thread all over again. They should
>be politely, but firmly, advised of the true situation.
>
>6) VERY IMPORTANT POINT: Some users insist that email
>from Mailing Lists always comes as attachments. Not so!
>SOME email programs, such as MS Outlook/Outlook Express
>and AOL, convert ALL List email into attachments. This is
>one of the most serious problems with such programs, and
>causes users to think that they are receiving "real" attachments.
>
> "REAL" attachments are FILES that are outside the body
>of an email, and come along with the email as a "rider". Other
>so-called "attachments" are those that contain the actual text
>from the body of an email. This is especially true for those
>subscribers to the Digest Mode of Lists. MS Outlook and
>AOL extract the body text and put it into "attachments".
>
>To the poster who was worried about "viruses going around
>on the GEN-NEWBIE Mailing List": I hope you can see from
>the above that the viruses are being sent from infected users'
>computers, users who happen to be receiving email from the
>List.
>
>This point MUST be made: If any user receives an infected
>email, or an infected attached file, and it appears to have
>come through a Mailing List, IT DID NOT. Blame the
>problems, and resulting confusion, on a virus-writer who
>is a little smarter than the average gomer.
>
>To end, here's a list of the KNOWN file-names that the
>W32/Badtrans@MM virus/trojan uses:
>
>Card.pif
>docs.scr
>fun.pif
>hamster.ZIP.scr
>Humor.TXT.pif
>images.pif
>New_Napster_Site.DOC.scr
>news_doc.scr
>Me_nude.AVI.pif
>Pics.ZIP.scr
>README.TXT.pif
>s3msong.MP3.pif
>searchURL.scr
>SETUP.pif
>Sorry_about_yesterday.DOC.pif
>YOU_are_FAT!.TXT.pif
>
>So far, I have received virus attachments with the names
>"README.TXT.pif" and "Sorry_about-yesterday.DOC.pif".
>
>Anyone reading this has my permission to copy it and
>repost to individuals or other Mailing Lists.
>
>SgtGeorge
>George W. Durman
>VIRUS-DISCUSSION Listowner
>
>==== VIRUS-DISCUSSION Mailing List ====

    06/23/2001 10:06:42
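The two points Sgt George makes in 3a) and in the file-name list lend themselves to a mechanical check: a forged "reply" copies the original message's visible headers but is sent straight from the infected PC, so the only Received: hops on it are the ones the recipient's own mail server added, and none of them names the list server; and every Badtrans file name ends in an executable extension (.pif, .scr) hidden behind a document-looking one (.TXT, .DOC, .ZIP). The script below is an added example, not part of the original post and not RootsWeb's or the VIRUS-DISCUSSION list's own code. The two sample messages, their host names and IP addresses, and the list-server host name lists.rootsweb.com are constructed for this example; the recipient's own server writes the topmost Received: line, which is why that line is the one to trust.

```python
"""Added example (not part of the original post or of any RootsWeb code).

Two checks a listowner or subscriber could run on a suspicious "reply":

  attachment_risk()     flags file names shaped like the Badtrans list above:
                        a document-looking inner extension (.TXT, .DOC, .ZIP)
                        in front of an executable final extension (.pif, .scr).
  delivered_via_list()  walks the Received: headers. Mail that really passed
                        through the list shows a hop "by" the list server; the
                        worm's "reply", which only copies the original message's
                        headers and is sent straight from the infected PC, does not.

The two sample messages, their host names and the list-server host name are
constructed for this example.
"""
import re
from email import message_from_string, policy

# Final extensions Windows treats as programs. The worm's files all end in one of these.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}
# Inner extensions that make such a file look like a document or media file.
DECOY_EXTS = {".txt", ".doc", ".zip", ".mp3", ".avi", ".jpg", ".gif", ".htm"}
# Assumed host name of the server that relays SMITH-L@rootsweb.com traffic.
LIST_HOST = "lists.rootsweb.com"


def attachment_risk(filename):
    """Return 'data', 'executable' or 'executable-disguised' for a file name."""
    pieces = filename.lower().split(".")
    if len(pieces) < 2:
        return "data"
    last = "." + pieces[-1]
    if last not in EXECUTABLE_EXTS:
        return "data"
    inner = "." + pieces[-2] if len(pieces) >= 3 else ""
    return "executable-disguised" if inner in DECOY_EXTS else "executable"


def received_hops(msg):
    """Host named after 'by' in each Received: header, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bby\s+([\w.-]+)", str(hdr))
        hops.append(m.group(1).lower() if m else "?")
    return hops


def delivered_via_list(msg, list_host=LIST_HOST):
    """True only if some mail server logged a hop through the list host."""
    return list_host.lower() in received_hops(msg)


def assess(raw):
    """Parse one raw message and report list delivery plus attachment risk."""
    msg = message_from_string(raw, policy=policy.default)
    attachments = [(p.get_filename(), attachment_risk(p.get_filename()))
                   for p in msg.walk() if p.get_filename()]
    return {"subject": str(msg["Subject"]),
            "via_list": delivered_via_list(msg),
            "attachments": attachments}


# Constructed sample 1: John's post as it arrives from the list (no attachment).
LIST_MAIL = """\
Received: from lists.rootsweb.com (lists.rootsweb.com [192.0.2.10])
 by mail.example.org with SMTP; Fri, 22 Jun 2001 08:00:00 -0400
Received: from johns-pc (johns-pc.example.org [192.0.2.77])
 by lists.rootsweb.com with SMTP; Fri, 22 Jun 2001 07:59:00 -0400
From: John Doe <john@example.org>
To: SMITH-L@rootsweb.com
Subject: [SMITH-L] Smiths in Marion County
MIME-Version: 1.0
Content-Type: text/plain

Does anyone have Smiths in Marion County before 1850?
"""

# Constructed sample 2: the worm's "reply" from Bill's infected PC. The Subject
# and recipient were copied from John's post, but the only Received: hop is
# John's own server taking the message directly from Bill's dial-up address.
WORM_REPLY = """\
Received: from bills-pc (dialup-12.isp.example [192.0.2.44])
 by mail.example.org with SMTP; Fri, 22 Jun 2001 09:12:03 -0400
From: Bill Smith <bill@example.com>
To: John Doe <john@example.org>
Subject: Re: [SMITH-L] Smiths in Marion County
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Take a look to the attachment.
--XYZ
Content-Type: application/octet-stream; name="README.TXT.pif"
Content-Disposition: attachment; filename="README.TXT.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

if __name__ == "__main__":
    for raw in (LIST_MAIL, WORM_REPLY):
        print(assess(raw))
```

Run stand-alone it prints one dict per sample: the list mail shows via_list True and no attachments, the worm reply shows via_list False and README.TXT.pif classed as executable-disguised. A sender can forge Received: lines of its own below the genuine ones, so the check reads the hops a recipient's own servers wrote; the absence of any hop through the list host is the tell, whatever the Subject or the quoted headers say.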