RootsWeb.com Mailing Lists
Total: 2/2
    1. RE: [WOODS-L] To List Administrator
    2. Michael Bogues
    3. They did the same thing to me. And after I helped them!!

       -----Original Message-----
       From: Judy Prince [SMTP:jprince@citynet.net]
       Sent: May 29, 2001 9:12 PM
       To: WOODS-L@rootsweb.com
       Subject: [WOODS-L] To List Administrator

       Several times I have gotten replies to my posts from this person. They attach a virus file. It seems very intentional. They use the name Charlie and Chris Woods and reply privately to a post. At the bottom they have a message that reads "Take a look to the attachment". I learned the hard way (down for three weeks) not to open these files, but others might not be as well educated. This is the address that it shows when I look at the properties of the message: hcjwoods@alltel.net

       ==== WOODS Mailing List ====
       No part of these messages nor the archives file containing them may be published or redistributed in any form by a "FOR PROFIT" or commercial organization. All publication requires the permission of each message author.

    05/30/2001 11:32:15
    1. Re: [WOODS-L] To List Administrator
    2. Peggy Ann Vipond
    3. Hello,

       They are not doing this on purpose. They probably do not even know they are infected. Read up on this virus. It says when you reboot your comp it will wait 5 minutes and then send a message to all unread e-mail in their e-mail program. Here is one place to read about the virus. Be warned. Do not open an attachment you do not know is coming and not signed.

       Peggy

       To learn more about it: http://www.symantec.com/avcenter/venc/data/pf/w32.badtrans.13312@mm.html

       Symantec AntiVirus Research Center (SARC)
       W32.Badtrans.13312@mm
       Discovered on: April 11, 2001
       Last Updated on: April 16, 2001 at 09:32:39 AM PDT

       W32.Badtrans.13312@mm is a MAPI worm that replies to all unread mails in your email message folders, and drops a backdoor Trojan.

       Also Known As: W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans, I-Worm.Badtrans, TROJ_BADTRANS.A
       Category: Worm
       Infection Length: 13312
       Virus Definitions: April 11, 2001

       Threat Assessment:
       Payload:
       Large scale e-mailing: It replies to all unread messages in the message folders within the default MAPI email program.
       Compromises security settings: It drops a backdoor Trojan.

       Technical description:
       When the worm is executed, it drops the backdoor Trojan Hkk32.exe in the \Windows folder, and then executes it. It then copies itself into the Windows folder as inetd.exe, adds a run= line to the Win.ini, and displays the following message:

       (An error box pops up and it says .... INSTALL ERROR probably due to bad data transmission...)

       The next time that the computer is rebooted, the worm will wait for 5 minutes, then it will use MAPI to find all unread email messages and reply to all of them.

       The worm will attach itself to the email, using one of the following file names:

       Pics.ZIP.scr
       images.pif
       README.TXT.pif
       New_Napster_Site.DOC.scr
       news_doc.scr
       hamster.ZIP.scr
       YOU_are_FAT!.TXT.pif
       searchURL.scr
       SETUP.pif
       Card.pif
       Me_nude.AVI.pif
       Sorry_about_yesterday.DOC.pif
       s3msong.MP3.pif
       docs.scr
       Humor.TXT.pif
       fun.pif

       Removal instructions:
       To remove this worm:
       1. Run LiveUpdate to make sure that you have the most recent virus definitions.
       2. Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
       3. Delete any files detected as W32.Badtrans.13312@mm.
       4. Click Start, and click Run.
       5. Type sysedit and then click OK.
       6. Click the title bar of the Win.ini file.
       7. In the [windows] section, locate the run= line. It will look similar to the following:
          run=c:\windows\inetd.exe
       8. Remove the text to the right of the = sign, so that the line now reads:
          run=
       9. Save your changes and exit the System Configuration Editor.

    05/30/2001 12:22:33
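
The two checks the quoted advisory implies, as an added example that is not part of either post or of Symantec's text: flag attachment names whose final extension is executable behind a decoy document extension, and list non-empty autorun entries in the [windows] section of Win.ini. The function names and the sample Win.ini are constructed for illustration, and the `load=` key is an addition beyond the `run=` line the advisory mentions.

```python
import re

# Final extensions Windows will execute; every name in the advisory ends in one.
EXECUTABLE_EXTS = {"scr", "pif"}
# Decoy "inner" extensions that appear in the advisory's list of names.
DECOY_EXTS = {"zip", "txt", "doc", "avi", "mp3"}

def classify_attachment(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"   # e.g. README.TXT.pif
    return "executable"             # e.g. Card.pif

def winini_autoruns(text):
    """Return (key, value) for non-empty run=/load= entries under [windows]."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key in ("run", "load") and value:
                hits.append((key, value))
    return hits

# Constructed sample input, not taken from a real machine.
SAMPLE_WIN_INI = """\
[windows]
load=
run=c:\\windows\\inetd.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for n in ("Pics.ZIP.scr", "Card.pif", "family_tree.doc"):
        print(n, "->", classify_attachment(n))
    print(winini_autoruns(SAMPLE_WIN_INI))
```

After step 8 of the removal instructions the `run=` line is empty, so `winini_autoruns` returns no entries for it.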