RootsWeb.com Mailing Lists
Total: 1/1
    1. [{Meigs Co., TN}] Fw: Computer Virus Information from a Friend!
    2. jreece
    3. Joyce G. Reece, Rootsweb Listminder for South East Tennessee, North East Tennessee, Meigs County Tennessee and the surnames of Raper, Gilbreath, Knuckles and Hembree

       ----- Original Message -----
       From: <TNMeigs-admin@rootsweb.com>
       To: <TNMeigs@rootsweb.com>
       Sent: Friday, July 13, 2001 4:29 PM
       Subject: Computer Virus Information from a Friend!

       > Greetings, TNMeigs@rootsweb.com
       >
       > I thought you would be interested in knowing about this computer Virus...
       >
       > Name: W32/Badtrans@MM
       >
       > Characteristics:
       > This mass mailing worm attempts to send itself using Microsoft Outlook by
       > replying to unread email messages. It also drops a remote access trojan
       > (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically
       > as New Backdoor prior to the 4134 DAT release).
       >
       > When run, the worm displays a message box entitled, "Install error" which
       > reads, "File data corrupt: probably due to a bad data transmission or bad
       > disk access." A copy is saved into the WINDOWS directory as INETD.EXE and
       > an entry is entered into the WIN.INI file to run INETD.EXE at startup.
       > KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL detected
       > as DUNpws.av) are written to the WINDOWS SYSTEM directory, and a registry
       > entry is created to load the trojan upon system startup.
       >
       > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe
       >
       > Note: Under WinNT/2K, an additional registry key value is entered
       > instead of a WIN.INI entry:
       >
       > HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
       >
       > Once running, the trojan attempts to mail the victim's IP Address to the
       > author. Once this information is obtained, the author can connect to the
       > infected system via the Internet and steal personal information such as
       > usernames, and passwords. In addition, the trojan also contains a
       > keylogger program which is capable of capturing other vital information
       > such as credit card and bank account numbers and passwords.
       >
       > The next time Windows is loaded, the worm attempts to email itself by
       > replying to unread messages in Microsoft Outlook folders. The worm will be
       > attached to these messages using one of the following filenames (note that
       > some of these filenames are also associated with other threats, such as
       > W95/MTX.gen@M, http://vil.nai.com/vil/dispVirus.asp?virus_k=98797):
       >
       > Card.pif docs.scr fun.pif hamster.ZIP.scr Humor.TXT.pif images.pif
       > New_Napster_Site.DOC.scr news_doc.scr Me_nude.AVI.pif Pics.ZIP.scr
       > README.TXT.pif s3msong.MP3.pif searchURL.scr SETUP.pif
       > Sorry_about_yesterday.DOC.pif YOU_are_FAT!.TXT.pif
       >
       > The message body may contain the text: Take a look to the attachment.
       >
       > AVERT first received an intended version of this worm
       > (10,623 bytes) on April 11 from a company in New Zealand.
       >
       > To check your system for this Virus, and to learn how to protect yourself
       > from computer viruses, visit the McAfee.com Clinic at
       > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103.
       >
       > For complete information on this Virus, view McAfee.com's Virus
       > Information Library listing at
       > http://vil.mcafee.com/dispVirus.asp?virus_k=99069.
       >
       > This email was sent to you by Joyce Reece

    07/13/2001 01:26:43
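
The attachment names in the advisory above all end in .pif or .scr, often behind a decoy document or media extension. The following is an added example, not part of the forwarded message or of McAfee's text: a Python check a mail filter could run over a message's attachment names. The extension sets beyond .pif and .scr, the example.com addresses and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Final extensions Windows runs directly. .pif and .scr come from the advisory;
# the others are an assumed, non-exhaustive extension of the same idea.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk"}
# Inner "decoy" extensions; the first five appear in the advisory's list.
DECOY_EXTS = {"txt", "doc", "zip", "avi", "mp3", "jpg", "gif", "pdf", "xls"}
# Attachment names exactly as listed in the advisory.
ADVISORY_NAMES = (
    "Card.pif docs.scr fun.pif hamster.ZIP.scr Humor.TXT.pif images.pif "
    "New_Napster_Site.DOC.scr news_doc.scr Me_nude.AVI.pif Pics.ZIP.scr "
    "README.TXT.pif s3msong.MP3.pif searchURL.scr SETUP.pif "
    "Sorry_about_yesterday.DOC.pif YOU_are_FAT!.TXT.pif").split()

def classify_attachment(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, and padding can hide the real
    # extension, so normalise before splitting.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Parse a raw message; return [(filename, verdict)] for flagged parts."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify_attachment(name) != "ok":
            findings.append((name, classify_attachment(name)))
    return findings

def build_sample():
    """Constructed sample message with a harmless placeholder payload."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "list@example.com"
    m["Subject"] = "Re: meeting notes"
    m.set_content("Take a look to the attachment.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="README.TXT.pif")
    m.add_attachment("meeting notes\n", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name in ADVISORY_NAMES:
        print(f"{classify_attachment(name):17} {name}")
    print(scan_message(build_sample()))
```
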