RootsWeb.com Mailing Lists
Subject: [SH] [Admin] Details on virus
From: Maura
This is being sent with permission of the original poster "Sgt George" who really knows his "stuff" about viruses. It's kind of technical, but read it all the way through for an explanation of what is going on. It's affecting yahoogroups lists as well as Rootsweb. Sgt George has given permission to share this information with others. If you do, please take my comments off. Thanks to Emma, Shamrock listmember, for sharing this.

Maura, listowner Shamrock, CountyCork, Waterford, SlovakRoots

----- Original Message -----
From: "Big Sister - Yshire Listowner" <yshireuk@yahoo.co.uk>
From: VIRUS-DISCUSSION-L@rootsweb.com
Subject: [VIRUS] FROM VIRUS-DISCUSSION LISTOWNER - EVERYONE PLEASE READ

OK, let's see if I can explain this so that everyone understands how these latest viruses, trojans, and worms work.

Let's start with the very latest, W32/Badtrans@MM, also seen as W32/Badtrans@M. Here are other aliases that have been found: Backdoor-NK.svr, BadTrans (F-Secure), I-Worm.Badtrans (AVP), W32.Badtrans.13312@mm (NAV).

There are several things about this one that need to be discussed: how it is spread, and the danger to the infected user's computer.

1) W32/Badtrans@MM is received as a REAL attachment (more about "real" vs. "inline" attachments later). It comes as an actual file attachment, which is downloaded to a user's computer into whatever directory is set up for such downloads. For Eudora, Pegasus, and other "stand alone" email programs, this will be something like "Downloads", "Attachments", etc. For MS Outlook and MS Outlook Express, I'm not sure where a separate attached file is placed.

2) A user's computer is NOT infected UNTIL he/she clicks on the attachment and "runs" it, that is, executes it so that it does whatever it's supposed to do.

3) Once a user clicks the attachment, it installs itself onto the user's computer. It then does two things:

a) It propagates itself so that every time the system is rebooted, it mails itself to the sender of EVERY UNREAD EMAIL in the user's MS Outlook FOLDERS. Notice that I say "folders", not "folder". That means that if you filter incoming email into various created folders, this trojan/virus searches all of them, not just the IN BOX.

HERE'S THE REALLY DIRTY PART: The virus looks through all those unread emails; it finds the originator of them (FROM:) and REPLIES to the person who sent the original email. BUT, it also attaches a copy of the infected file and mails it along with the "reply". Thus, if John Doe sends an email to a person, or to a Mailing List, when that email ends up on another user's email program, and that other user is infected and hasn't read John's email, John receives a reply containing a copy of the virus as a separate clickable file.

HERE'S WHY USERS KEEP INSISTING THAT VIRUSES CAN BE SPREAD BY ROOTSWEB MAILING LISTS, AND WHY THEY THINK THE ATTACHMENT CAME THROUGH A MAILING LIST: Let me give an example - John Doe sends a post to the SMITH-L Mailing List. John Doe's system is NOT infected. Every one of the 2,000+ users of the SMITH-L Mailing List receives a copy of John's email. One of these users, let's call him Bill Smith, has the W32/Badtrans@MM virus on his system. Now, Bill has a copy of John's email in his Outlook program. He doesn't read it right away. He reboots his computer and, when Windows restarts, the virus looks through Bill's email in Outlook. It sends a reply to the sender of EVERY unread email, AND attaches a copy of itself as a separate attachment. It copies all the original headers, including those that show the email came through SMITH-L@rootsweb.com. Then John, the original sender of the email, receives a "reply" to his email, from Bill. John looks at the email and sees that it is a reply to his original post. He also sees SMITH-L@rootsweb.com in several of the headers. As far as he's concerned, he has received a normal reply back through the Mailing List.

If John is a "newbie", one of two things happens:

I) He sees an attached file, with a message something like, "Take a look to the attachment." He says to himself, "This Bill Smith is answering my original post, AND he has sent me an attachment which is probably a file having something to do with information on my query." He clicks the attachment; thus ANOTHER SMITH-L Mailing List user is infected.

or

II) He is savvy enough to know NOT to open the attachment, BUT from the looks of the "reply" it appears that it came back to him via the Mailing List. He screams and curses, and says, "I knew it! I don't care what the Listowners and the folks at Rootsweb say, these virus attachments ARE coming through the Mailing List!" He then posts angry posts to all the Mailing Lists to which he subscribes, calling the Listowners and Rootsweb people liars. He thus starts another round of uninformed posts about how attachments CAN be passed through Mailing Lists, and about how viruses CAN also be passed through the Lists.

In short, this virus/trojan tricks recipients of infected email into thinking the virus is being propagated via a Mailing List. NOT SO !!!!!

b) The other thing this virus/trojan does is this: Once running, the trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

4) THIS IS WHY EVERY COMPUTER USER MUST HAVE A FIREWALL ON HIS/HER COMPUTER !!!!! It doesn't matter whether you are using a dialup modem, a cable modem, DSL, or whatever, you NEED a firewall. A firewall is nothing more than a small utility that prevents malicious people from entering your system through a "back door". Once such a person has your IP address, he/she can connect to your computer any time your modem is connected, which is 24/7 for everyone but those using a dialup modem. Of course, a dialup modem is accessible only when you are actually "online".

5) So, PLEASE, let's stop this latest round of blaming Rootsweb Mailing Lists for allowing attachments, and for propagating viruses, trojans, worms, etc. I know that in the future, as new users subscribe, many of them will come to the same erroneous conclusions and start the thread all over again. They should be politely, but firmly, advised of the true situation.

6) VERY IMPORTANT POINT: Some users insist that email from Mailing Lists always comes as attachments. Not so! SOME email programs, such as MS Outlook/Outlook Express and AOL, convert ALL List email into attachments. This is one of the most serious problems with such programs, and causes users to think that they are receiving "real" attachments. "REAL" attachments are FILES that are outside the body of an email, and come along with the email as a "rider". Other so-called "attachments" are those that contain the actual text from the body of an email. This is especially true for those subscribers to the Digest Mode of Lists. MS Outlook and AOL extract the body text and put it into "attachments".

To the poster who was worried about "viruses going around on the GEN-NEWBIE Mailing List": I hope you can see from the above that the viruses are being sent from infected users' computers, users who happen to be receiving email from the List. This point MUST be made: If any user receives an infected email, or an infected attached file, and it appears to have come through a Mailing List, IT DID NOT. Blame the problems, and resulting confusion, on a virus-writer who is a little smarter than the average gomer.

To end, here's a list of the KNOWN file-names that the W32/Badtrans@MM virus/trojan uses:

Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

So far, I have received virus attachments with the names "README.TXT.pif" and "Sorry_about-yesterday.DOC.pif".

Anyone reading this has my permission to copy it and repost to individuals or other Mailing Lists.

SgtGeorge
George W. Durman
VIRUS-DISCUSSION Listowner

Endorsed by Kevin P Dodson
Endorsed by Tracy - Listowner, Eng-Yorkshire
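The post makes two points a mail gateway or list server can act on: the worm arrives as a "real" file attachment (a separate MIME part, not the body text), and its filenames follow the list above, with a document-looking extension stapled in front of .pif or .scr. The following is an added example written for this page, not code from the post, from RootsWeb or from any antivirus vendor. It uses Python's standard email package to walk a MIME message, separate file attachments from text parts, and flag filenames that either match the names the post lists or fit that double-extension pattern. The sample message, its addresses and the extra extensions in DOUBLE_EXT beyond .pif and .scr are assumptions made for the example.

```python
"""Attachment check for the Badtrans pattern described in the post.

Added example for this page (not the post's own material). Parses a MIME
message with the standard ``email`` package, tells "real" file attachments
apart from plain body text, and flags attachment names that match the
known-name list from the post or its double-extension shape.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Filenames the post lists as known W32/Badtrans@MM attachment names.
KNOWN_BADTRANS_NAMES = {
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr",
    "Me_nude.AVI.pif", "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif",
    "searchURL.scr", "SETUP.pif", "Sorry_about_yesterday.DOC.pif",
    "YOU_are_FAT!.TXT.pif",
}

# "name.TXT.pif" shape: a data-looking inner extension followed by a Windows
# executable extension. The post only names .pif and .scr; the other
# executable suffixes here are an assumption added for the example.
DOUBLE_EXT = re.compile(
    r"\.(txt|doc|zip|avi|mp3|jpg|gif)\.(pif|scr|exe|com|bat)$", re.IGNORECASE
)


def classify_parts(msg: EmailMessage) -> list[dict]:
    """One record per MIME leaf: is it a separate file (the post's "real"
    attachment, as opposed to body text), and why, if at all, it was flagged."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        # A body text part has no filename and no attachment disposition.
        real_attachment = part.is_attachment() or filename is not None
        reasons = []
        if filename:
            if filename in KNOWN_BADTRANS_NAMES:
                reasons.append("known Badtrans filename")
            if DOUBLE_EXT.search(filename):
                reasons.append("double extension ending in executable type")
        findings.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "real_attachment": real_attachment,
            "flagged": bool(reasons),
            "reasons": reasons,
        })
    return findings


def scan_all(raw: bytes) -> list[dict]:
    """Parse a raw RFC 822 message and classify every leaf part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return classify_parts(msg)


def scan_flagged(raw: bytes) -> list[dict]:
    """Only the parts a gateway would hold or strip."""
    return [f for f in scan_all(raw) if f["flagged"]]


def build_sample() -> bytes:
    """Constructed sample: a 'reply' to a list post, in the shape the post
    describes, carrying one Badtrans-style name and one ordinary document.
    Addresses are made up; attachment bytes are placeholders, not real files."""
    msg = EmailMessage()
    msg["From"] = "bill.smith@example.invalid"
    msg["To"] = "john.doe@example.invalid"
    msg["Subject"] = "Re: [SMITH-L] Smith family in Cork"
    msg["In-Reply-To"] = "<original-post@SMITH-L.example.invalid>"
    msg.set_content("Take a look to the attachment.")
    msg.add_attachment(b"PLACEHOLDER-NOT-REAL-CONTENT",
                       maintype="application", subtype="octet-stream",
                       filename="README.TXT.pif")
    msg.add_attachment(b"PLACEHOLDER-PDF-BYTES",
                       maintype="application", subtype="pdf",
                       filename="family_tree.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for record in scan_all(build_sample()):
        print(record)
```

Run as a script it lists three parts: the body text (not a real attachment, not flagged), README.TXT.pif (flagged on both rules) and family_tree.pdf (a real attachment, not flagged). Note that this check sees only what is in the MIME message on the wire; the client-side conversion of list mail into "attachments" that the post describes for Outlook and AOL (point 6) happens after delivery and is invisible here, which is exactly why it is not a sign of an attached file.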

    04/24/2001 11:25:25