Following is McAfee.com's latest information concerning the Bad trans virus. It seems to be making its way thru several of the rootsweb lists via the personal email lists and is casuing quite a stir. Please be aware that you should download the latest dat files from your virus protection provider. > > Name: W32/Badtrans@MM > > Characteristics: > UPDATE November 25, 2001 20:30 PST AVERT has raised the Risk Assessment on > the Badtrans.b variant to Medium On Watch for corporate users and High for > home users. We have received many reports that the virus is being seen and > stopped at corporate gateways and mailservers. However, we continue to get > reports from the home user segment that they have become infected. This is > due to the fact that home users tend to update their DAT files less > frequently and often do not have VirusScan configured to scan compressed > files which is required for detection. > At the bottom of this page is an extra.dat file for those who have not > updated and would like to make a quick update without downloading the > latest DATs. AVERT does always recommend updating to the latest DATs. They > are located <A > href="http://www.mcafeeb2b.com/naicommon/download/dats/find.asp">here > </A>. > As noted below, the virus is detected as W32/Badtrans@MM as the detection > technology, which identified the virus first, uses this naming convention > for both variants of the Badtrans virus. > This new variant of Badtrans drops a password stealing trojan which is > detected as a variant of PWS-AV since the 4172 DATs. > UPDATE November 24, 2001 15:30 PST A new variant of Badtrans has been > discovered. This is considered to be variant .b by some companies. > VirusScan and other McAfee products with DAT files 4168 are protected from > this variant without any updating from that DAT. The variant will be > detected as W32/Badtrans@MM when scanning compressed files. > This variant is a Medium risk as is the first variant. Your risk of > infection is higher if you do not have the 4168 DAT files or above. See > the <A > href="http://vil.admin.nai.com/asp_content/UpdateVirus.asp?action=2&amp;ta > rget=0&amp;virus_k=99069#Bvariant">.b section below</A> for more details > on this variant. > Badtrans.a details: This mass mailing worm attempts to send itself using > Microsoft Outlook by replying to unread email messages. It also drops a > remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; > <I>detected heuristically as New Backdoor prior to the 4134 DAT > release</I>). > When run, the worm displays a message box entitled, "Install error" which > reads, "File data corrupt: probably due to a bad data transmission or bad > disk access." A copy is saved into the WINDOWS directory as INETD.EXE and > an entry is entered into the WIN.INI file to run INETD.EXE at startup. > KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL detected > as PWS-AV (was DUNpws.av) are written to the WINDOWS SYSTEM directory, and > a registry entry is created to load the trojan upon system startup. > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kerne > l32=kern32.exe > <I>Note: Under WinNT/2K, an additional registry key value is entered > instead of a WIN.INI entry: > HKEY_USERS\Software\Microsoft\Windows > NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE </I> > Once running, the trojan attempts to mail the victim's IP Address to the > author. Once this information is obtained, the author can connect to the > infected system via the Internet and steal personal information such as > usernames, and passwords. In addition, the trojan also contains a > keylogger program which is capable of capturing other vital information > such as credit card and bank account numbers and passwords. > The next time Windows is loaded, the worm attempts to email itself by > replying to unread messages in Microsoft Outlook folders. The worm will be > attached to these messages using one of the following filenames (note that > some of these filenames are also associated with other threats, such as <A > target=_blank > href="http://vil.nai.com/vil/dispVirus.asp?virus_k=98797">W95/MTX.gen@M</A > >): > Card.pif docs.scr fun.pif hamster.ZIP.scr Humor.TXT.pif images.pif > New_Napster_Site.DOC.scr news_doc.scr Me_nude.AVI.pif Pics.ZIP.scr > README.TXT.pif s3msong.MP3.pif searchURL.scr SETUP.pif > Sorry_about_yesterday.DOC.pif YOU_are_FAT!.TXT.pif > The message body may contain the text:Take a look to the > attachment.<I>AVERT first received an intended version of this worm > (10,623 bytes) on April 11 from a company in New Zealand.</I> <A > name=Bvariant> > Badtrans.b details: When run, this variant copies itself to the WINDOWS > SYSTEM directory as KERNEL32.EXE and creates a registry run key to load > itself at startup: > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ > RunOnce\kernel32=kernel32.exe This variant replies to incoming email > messages and sends itself to email addresses found in "*.asp" and "*.ht*" > files. The sender address used by the virus when emailing itself to others > may be chosen from the following list: <FONT size=3><XMP>" Anna" > <aizzo@home.com> > "JUDY" <JUJUB271@AOL.COM> > "Rita Tulliani" <powerpuff@videotron.ca> > "Tina" <tina0828@yahoo.com> > "Kelly Andersen" <Gravity49@aol.com> > "Andy" <andy@hweb-media.com> > "Linda" <lgonzal@hotmail.com> > "Mon S" <spiderroll@hotmail.com> > "Joanna" <joanna@mail.utexas.edu> > "JESSICA BENAVIDES" <jessica@aol.com> > " Administrator" <administrator@border.net> > " Admin" <admin@gte.net> > "Support" <support@cyberramp.net> > "Monika Prado" <monika@telia.com> > "Mary L. Adams" <mary@c-com.net> > </XMP></FONT> > > Additionally, the virus prepends the return address used with an "_" > (underscore). Thus replying to an infected message will fail to reach the > intended recipient. > The message attachment name is created from three sections. The first part > is chosen from the possibilities: > fun Humor docs info Sorry_about_yesterday Me_nude Card SETUP stuff > YOU_are_FAT! HAMSTER news_doc New_Napster_Site README images Pics The > second part is chosen from the possibilities: > DOC. .MP3. .ZIP. and the last part from the possibilities: > pif scr This new variant uses the iframe exploit and incorrect MIME header > to run automatically on unpatched systems. See <A target=_blank > href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/s > ecurity/bulletin/MS01-020.asp">Microsoft Security Bulletin (MS01-020)</A> > for more information and a patch. > It also drops a password-stealing trojan (KDLL.DLL), detected as PWS-AV > variant with the 4172 DATs or greater. > > To check your system for this Virus, and to learn how to protect yourself > from computer viruses, visit the McAfee.com Clinic at > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103. > > For complete information on this Virus, view McAfee.com's Virus > Information Library listing at > http://vil.mcafee.com/dispVirus.asp?virus_k=99069. > > This email was sent to you by Joyce Reece > >