In a message dated 05/24/2001 9:50:00 PM Mountain Daylight Time, gronj@home.com writes:

> Do not open it! I received an
> attached .scr file the other day that I did not trust. It had a very short
> note that simply said see attached file and it was in reference to the Edmon
> JONES will note where I told you that it had been posted. I believe that it
> was sent to me and not the list. I did not open it and deleted it. I was
> curious, but did not have a very good feeling about it.

The W32 BAD TRANS worm has been making its way through the lists. It works by sending itself out to any unanswered messages in a person's mail box, so if you've posted to a list, and someone on the list has that message unopened when he/she opens the attachment--you get the next email. I've gotten about four versions of it from one post on the VA-Harris list. Actually, I originally thought it was this list, but on further thought decided it was Harris.

There are a number of extensions--I got one that was .scr, but there's also a .doc extension for the same worm--it is particularly appealing to all of us, of course--just wave a document in our direction... The lists themselves refuse attachments, of course, so if a list is set so that mail is automatically returned to the list it won't affect individuals. Almost all of the versions say "Look to the attachment" as a message.

I'm glad you didn't open it! I did--but there was no unanswered mail in my box--and I recognized almost immediately that I'd done a dumb thing and started frantically deleting--so apparently no lasting damage, though I wound up having to delete my mail box--lost a good many messages.

So to all: NEVER OPEN AN ATTACHMENT---even if it says .doc and looks like it comes from a friendly fellow lister!

Karen Dale
The following is from McAfee re the virus in circulation:

W32/Badtrans@MM - Help Center

DESCRIPTION - What virus is this?

W32/Badtrans@MM is a Medium Risk mass-mailing worm that drops a remote access Trojan. The virus arrives via email in Microsoft Outlook and attempts to send itself by replying to unread email messages. The email may contain the text "Take a look to the attachment" in the message body and will contain an attachment that is 13,312 bytes in length and uses one of the following names:

Card.pif, docs.scr, fun.pif, hamster.ZIP.scr, Humor.TXT.pif, images.pif, New_Napster_Site.DOC.scr, news_doc.scr, Me_nude.AVI.pif, Pics.ZIP.scr, README.TXT.pif, s3msong.MP3.pif, searchURL.scr, SETUP.pif, Sorry_about_yesterday.DOC.pif, YOU_are_FAT!.TXT.pif

PAYLOAD - What can this virus do?

If the attachment is opened, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor Trojan), and HKSDLL.DLL (a valid keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the Trojan upon system startup.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

Once running, the Trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames, and passwords. In addition, the Trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.
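
An added example, not part of the original message or the McAfee text: a mail-gateway style check in Python that flags attachments matching the traits in the description above (executable final extension, decoy double extension, listed name, 13,312-byte size, the quoted body text). The function names, the extension sets and the sample message builder are assumptions made for illustration.

```python
from email.message import EmailMessage

# Attachment names, size and body text as listed in the McAfee description above.
BADTRANS_NAMES = {n.lower() for n in (
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr", "Me_nude.AVI.pif",
    "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif", "searchURL.scr",
    "SETUP.pif", "Sorry_about_yesterday.DOC.pif", "YOU_are_FAT!.TXT.pif")}
BADTRANS_SIZE = 13312
BODY_MARKER = "take a look to the attachment"
# Assumption: which extensions count as executable or as decoys is local policy.
EXECUTABLE_EXT = {"pif", "scr", "exe", "com", "bat"}
DECOY_EXT = {"doc", "txt", "zip", "avi", "mp3", "jpg"}

def inspect_message(msg):
    """Return [(filename, [reasons])] for attachments that should be quarantined."""
    body = msg.get_body(preferencelist=("plain",))
    body_hit = body is not None and BODY_MARKER in body.get_content().lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        # Only the last extension decides how Windows runs the file.
        if len(pieces) < 2 or pieces[-1] not in EXECUTABLE_EXT:
            continue
        reasons = ["executable-extension"]
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXT:
            reasons.append("double-extension")   # e.g. README.TXT.pif
        if name.lower() in BADTRANS_NAMES:
            reasons.append("listed-name")
        if len(part.get_payload(decode=True) or b"") == BADTRANS_SIZE:
            reasons.append("listed-size")
        if body_hit:
            reasons.append("body-text")
        findings.append((name, reasons))
    return findings

def build_sample(filename, size, text):
    """Constructed test message; the attachment is zero-byte filler, not malware."""
    msg = EmailMessage()
    msg["Subject"] = "Re: list post"
    msg.set_content(text)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

For real mail, parse the raw bytes with `email.message_from_bytes(raw, policy=email.policy.default)` so that `get_body` and `iter_attachments` are available.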