computer virus

greenspun.com : LUSENET : Country Families : One Thread

Just got this computer virus warning from my ISP: the Badtrans virus. More info at www.sophos.com/virusinfo/analyses./w32badtransb.html. It comes as an attachment to email, sometimes using legit email addresses. Don't know if this is just in Canada or not at this point. Be careful. Tomas

-- Tomas (bakerzee@hotmail.com), November 27, 2001

Answers

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.

Type: Worm

Virus Definitions: November 24, 2001

Threat Assessment:

Wild: Medium
Damage: Low
Distribution: High

Wild:

Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy

Damage:

Payload:
Large scale e-mailing: Sends email from addresses found in the default MAPI program.
Compromises security settings: Installs keystroke logging Trojan.

Technical description:

This worm arrives as an email with one of several attachment names and a combination of two appended extensions.

The list of possible file names is: HUMOR, DOCS, S3MSONG, ME_NUDE, CARD, SEARCHURL, YOU_ARE_FAT!, NEWS_DOC, IMAGES, PICS

The first extension that is appended to the file name is one of the following: .DOC, .MP3, .ZIP

The second extension that is appended to the file name is one of the following: .pif, .scr

The resulting file name would look something like this: CARD.DOC.PIF, NEWS_DOC.MP3.SCR, etc.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:

1. Corporate email filtering systems should block all email that have attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.

Removal instructions:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.

MORE INFO for those infected: http://www.wired.com/news/technology/0,1282,48613,00.html

-- anonymouse (bugreaper@nobugs.net), November 28, 2001.
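The prevention advice in the answer above (block .scr/.pif attachments at the mail gateway, and treat the listed name + double-extension pattern as the worm) is easy to turn into a gateway check. The following is an added example, not code from the thread, from Symantec or from Sophos: it parses a constructed MIME message with Python's standard `email` library, classifies every attachment filename against the naming scheme quoted in the answer, and decides whether the message should be blocked. The message contents, sender and recipient addresses are made up for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Naming scheme quoted in the Symantec writeup above: a base name from this
# list, a decoy extension, then the real (executable) extension.
BADTRANS_NAMES = {
    "HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
    "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS",
}
DECOY_EXTS = {".doc", ".mp3", ".zip"}
EXEC_EXTS = {".pif", ".scr"}


def classify_attachment(filename):
    """Classify one attachment filename.

    Returns 'badtrans' when the name matches the worm's full pattern,
    'blocked-ext' when it merely ends in .pif/.scr (gateway rule 1 above),
    and 'ok' otherwise. Comparison is case-insensitive because the worm
    mixes upper- and lower-case extensions (CARD.DOC.PIF, NEWS_DOC.MP3.SCR).
    """
    segments = filename.lower().split(".")
    if len(segments) >= 3:
        base = ".".join(segments[:-2]).upper()
        decoy = "." + segments[-2]
        final = "." + segments[-1]
        if base in BADTRANS_NAMES and decoy in DECOY_EXTS and final in EXEC_EXTS:
            return "badtrans"
    if len(segments) >= 2 and "." + segments[-1] in EXEC_EXTS:
        return "blocked-ext"
    return "ok"


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify each attachment.

    Returns a list of (filename, verdict) tuples in attachment order.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


def should_block(raw_bytes):
    """Gateway decision: block if any attachment is not 'ok'."""
    return any(verdict != "ok" for _, verdict in scan_message(raw_bytes))


def build_sample_message():
    """Constructed test message (not a real capture) with four attachments:
    two matching the worm's pattern, one benign PDF, one bare .scr."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # made-up sender
    msg["To"] = "victim@example.invalid"      # made-up recipient
    msg["Subject"] = "Re:"
    msg.set_content("see attached")
    # A few bytes standing in for a PE header; content is irrelevant here.
    for name in ("CARD.DOC.PIF", "NEWS_DOC.MP3.SCR", "quarterly.pdf", "setup.scr"):
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, verdict in scan_message(raw):
        print(f"{name:20s} {verdict}")
    print("block:", should_block(raw))
```

The filename check is deliberately done on the decoded `Content-Disposition` filename rather than on the raw header text, so MIME-encoded or quoted names are handled by the library before comparison; a production filter would also want to look inside archives and at the actual content type, which this example does not do.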

