Just now received this virus on the NOBLE list with MY subject line from a message I sent out about an hour and a half ago. When I clicked on the new email to read it, it wanted to either open or save to disk an attachment called New_Napster_Site.MP3.pif. It shows as coming from "MSN" with an address of MSN1@anet.net; looking closer, it is from rockford@anet.net. Must have come thru the NOBLE list.

Larry

----- Original Message -----
From: "jreece" <jreece@icx.net>
To: <TNMEIGS-L@rootsweb.com>
Sent: Monday, November 26, 2001 6:27 PM
Subject: [{Meigs Co., TN}] Fw: Computer Virus Information from a Friend!

> Following is McAfee.com's latest information concerning the Badtrans virus. It seems to be making its way thru several of the rootsweb lists via the personal email lists and is causing quite a stir. Please be aware that you should download the latest dat files from your virus protection provider.
>
> > Name: W32/Badtrans@MM
> >
> > Characteristics:
> >
> > UPDATE November 25, 2001 20:30 PST: AVERT has raised the Risk Assessment on the Badtrans.b variant to Medium On Watch for corporate users and High for home users. We have received many reports that the virus is being seen and stopped at corporate gateways and mailservers. However, we continue to get reports from the home user segment that they have become infected. This is due to the fact that home users tend to update their DAT files less frequently and often do not have VirusScan configured to scan compressed files, which is required for detection.
> >
> > At the bottom of this page is an extra.dat file for those who have not updated and would like to make a quick update without downloading the latest DATs. AVERT does always recommend updating to the latest DATs. They are located here: http://www.mcafeeb2b.com/naicommon/download/dats/find.asp
> >
> > As noted below, the virus is detected as W32/Badtrans@MM as the detection technology, which identified the virus first, uses this naming convention for both variants of the Badtrans virus.
> >
> > This new variant of Badtrans drops a password stealing trojan which is detected as a variant of PWS-AV since the 4172 DATs.
> >
> > UPDATE November 24, 2001 15:30 PST: A new variant of Badtrans has been discovered. This is considered to be variant .b by some companies. VirusScan and other McAfee products with DAT files 4168 are protected from this variant without any updating from that DAT. The variant will be detected as W32/Badtrans@MM when scanning compressed files.
> >
> > This variant is a Medium risk as is the first variant. Your risk of infection is higher if you do not have the 4168 DAT files or above. See the .b section below (http://vil.admin.nai.com/asp_content/UpdateVirus.asp?action=2&target=0&virus_k=99069#Bvariant) for more details on this variant.
> >
> > Badtrans.a details:
> >
> > This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).
> >
> > When run, the worm displays a message box entitled "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan) and HKSDLL.DLL (a keylogger DLL detected as PWS-AV, was DUNpws.av) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup:
> >
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe
> >
> > Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:
> >
> > HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
> >
> > Once running, the trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.
> >
> > The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M, http://vil.nai.com/vil/dispVirus.asp?virus_k=98797):
> >
> > Card.pif docs.scr fun.pif hamster.ZIP.scr Humor.TXT.pif images.pif New_Napster_Site.DOC.scr news_doc.scr Me_nude.AVI.pif Pics.ZIP.scr README.TXT.pif s3msong.MP3.pif searchURL.scr SETUP.pif Sorry_about_yesterday.DOC.pif YOU_are_FAT!.TXT.pif
> >
> > The message body may contain the text: Take a look to the attachment.
> >
> > AVERT first received an intended version of this worm (10,623 bytes) on April 11 from a company in New Zealand.
> >
> > Badtrans.b details:
> >
> > When run, this variant copies itself to the WINDOWS SYSTEM directory as KERNEL32.EXE and creates a registry run key to load itself at startup:
> >
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kernel32.exe
> >
> > This variant replies to incoming email messages and sends itself to email addresses found in "*.asp" and "*.ht*" files. The sender address used by the virus when emailing itself to others may be chosen from the following list:
> >
> > " Anna" <aizzo@home.com>
> > "JUDY" <JUJUB271@AOL.COM>
> > "Rita Tulliani" <powerpuff@videotron.ca>
> > "Tina" <tina0828@yahoo.com>
> > "Kelly Andersen" <Gravity49@aol.com>
> > "Andy" <andy@hweb-media.com>
> > "Linda" <lgonzal@hotmail.com>
> > "Mon S" <spiderroll@hotmail.com>
> > "Joanna" <joanna@mail.utexas.edu>
> > "JESSICA BENAVIDES" <jessica@aol.com>
> > " Administrator" <administrator@border.net>
> > " Admin" <admin@gte.net>
> > "Support" <support@cyberramp.net>
> > "Monika Prado" <monika@telia.com>
> > "Mary L. Adams" <mary@c-com.net>
> >
> > Additionally, the virus prepends the return address used with an "_" (underscore). Thus replying to an infected message will fail to reach the intended recipient.
> >
> > The message attachment name is created from three sections. The first part is chosen from the possibilities:
> >
> > fun Humor docs info Sorry_about_yesterday Me_nude Card SETUP stuff YOU_are_FAT! HAMSTER news_doc New_Napster_Site README images Pics
> >
> > The second part is chosen from the possibilities:
> >
> > DOC. .MP3. .ZIP.
> >
> > and the last part from the possibilities:
> >
> > pif scr
> >
> > This new variant uses the iframe exploit and incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin (MS01-020) for more information and a patch: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
> >
> > It also drops a password-stealing trojan (KDLL.DLL), detected as PWS-AV variant with the 4172 DATs or greater.
> >
> > To check your system for this Virus, and to learn how to protect yourself from computer viruses, visit the McAfee.com Clinic at http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103.
> >
> > For complete information on this Virus, view McAfee.com's Virus Information Library listing at http://vil.mcafee.com/dispVirus.asp?virus_k=99069.
> >
> > This email was sent to you by Joyce Reece
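As an added example (not part of Larry's post, the forwarded message, or McAfee's advisory), here is a small Python checker that applies two of the traits the advisory describes to a raw email: the forged sender address prefixed with "_", and attachment names that are on the Badtrans.a list or assembled from the Badtrans.b word lists. The sample message and its addresses are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
# Badtrans.b builds attachment names as <first>.<second>.<third>, e.g. New_Napster_Site.MP3.pif
FIRST = {"fun", "Humor", "docs", "info", "Sorry_about_yesterday", "Me_nude",
         "Card", "SETUP", "stuff", "YOU_are_FAT!", "HAMSTER", "news_doc",
         "New_Napster_Site", "README", "images", "Pics"}
SECOND = {"DOC", "MP3", "ZIP"}
THIRD = {"pif", "scr"}
# Fixed attachment names the advisory lists for Badtrans.a
BADTRANS_A = {"Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
              "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr", "Me_nude.AVI.pif",
              "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif", "searchURL.scr",
              "SETUP.pif", "Sorry_about_yesterday.DOC.pif", "YOU_are_FAT!.TXT.pif"}

def is_badtrans_name(filename):
    # Exact match against the .a list, or a three-part name assembled from the .b word lists
    if filename in BADTRANS_A:
        return True
    parts = filename.split(".")
    return (len(parts) == 3 and parts[0] in FIRST
            and parts[1] in SECOND and parts[2] in THIRD)

def badtrans_indicators(raw):
    # Return a list of the Badtrans traits found in one RFC 822 message (empty if clean)
    msg = message_from_string(raw)
    findings = []
    # Badtrans.b prepends "_" to the sender address, so a reply never reaches anyone
    if parseaddr(msg.get("From", ""))[1].startswith("_"):
        findings.append("sender address begins with '_'")
    for part in msg.walk():
        name = part.get_filename()
        if name and is_badtrans_name(name):
            findings.append("suspicious attachment " + name)
    return findings

# Constructed sample message, not a real capture; addresses are placeholders
SAMPLE = '''From: "MSN" <_msn1@example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Take a look to the attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="New_Napster_Site.MP3.pif"

AAAA
--b1--
'''
```

Running `badtrans_indicators(SAMPLE)` returns both findings; a message with a normal sender and no such attachment returns an empty list.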