Just FYI for all the list subscribers... as always, NEVER open an attachment
you receive via email that you are not expecting and even then, scan before
opening! The problem with the virus mentioned below is that SOME computers
(which aren't patched properly) can execute it without the user's knowledge.
Please, everyone, update your virus software TODAY and scan for this
virus... As always, you CANNOT receive this virus from the Rootsweb list
itself, but you might receive it directly from an infected person's computer
if they have an email you have sent in the past. While this subject is
off-topic (and therefore NOT to be discussed on the list...) it is a serious
enough threat to warrant passing on to everyone. As always, if you wish to
discuss this or other "warnings" you have received, please address them to
me personally at christib(a)satx.rr.com and don't send them to the list.
Thanks!
Christi
Any family tree produces some lemons, some nuts and a few bad apples
Visit our homepage:
http://christi.is.dreaming.org
Visit our genealogy pages:
http://genealogy.webhop.org
Beware Badtrans.B
By Robert Vamosi, ZDNet Reviews
November 26, 2001 10:24 AM PT
URL:
http://www.zdnet.com/products/stories/reviews/0,4161,2825280,00.html
A revised version of the Badtrans worm from April 2001 is loose on the
Internet. Badtrans.B behaves in a similar manner to the original, loading a
password-stealing Trojan horse that can log keystrokes and reveal password
and credit card information to malicious users. However, this version uses a
vulnerability in Internet Explorer that automatically opens the e-mail
attachments when previewed. Reports from all over the world state that this
worm is spreading. Because the worm sends e-mail and automatically executes
on some computers, Badtrans.B ranks a 6 on the ZDNet Virus Meter.
How it works
Badtrans.B arrives as e-mail. It replies to old e-mail, so the subject line
is one that someone has already sent you, so you might be inclined to open
it. The e-mail message itself is empty. Badtrans.B includes an attached file
whose name is created from the following list:
FUN
HUMOR
DOCS
S3MSONG
Sorry_about_yesterday
ME_NUDE
CARD
SETUP
SEARCHURL
YOU_ARE_FAT!
HAMSTER
NEWS_DOC
New_Napster_Site
README
IMAGES
PICS
The attachment is a DOC, MP3, or ZIP file, with a second extension of either
SCR or PIF. For example, an attached file might be named Readme.doc.scr.
Users need not open the attached file to infect their machines. Badtrans
uses a known vulnerability in Internet Explorer that automatically opens
attachments. In this case, the attached file contains Troj.PWS-AV, a
password-stealing Trojan horse. Troj.PWS-AV records all keystrokes and the
application name where a keystroke was typed, storing it in encrypted form.
The Trojan then connects to a SMTP server to send the log file to a Hotmail
e-mail address.
Prevention
Badtrans.B uses a known vulnerability in Outlook Express that is included in
Internet Explorer 5.01 and 5.5. Microsoft has released a patch. Users who
have not loaded the patch are encouraged to do so or to upgrade to Internet
Explorer 6.
Removal
Most antivirus software companies have updated their signature files to
include this worm. For more information on removing this worm from your
system, see Central Command, F-Secure, Kaspersky, McAfee, Sophos, Symantec,
or Trend Micro.
Symantec's website:
http://www.sarc.com
McAfee's website:
http://www.mcafee.com
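Added example (not part of the original message or the ZDNet article): a mail-filter style check for the attachment naming pattern the article describes, a DOC, MP3, or ZIP extension followed by SCR or PIF. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Names and extensions exactly as listed in the article above.
LISTED_NAMES = {
    "FUN", "HUMOR", "DOCS", "S3MSONG", "SORRY_ABOUT_YESTERDAY", "ME_NUDE",
    "CARD", "SETUP", "SEARCHURL", "YOU_ARE_FAT!", "HAMSTER", "NEWS_DOC",
    "NEW_NAPSTER_SITE", "README", "IMAGES", "PICS",
}
DECOY_EXTS = {"doc", "mp3", "zip"}   # first, harmless-looking extension
FINAL_EXTS = {"scr", "pif"}          # second extension, the one Windows acts on

def classify_filename(name):
    """Return the reasons (possibly none) an attachment name is suspicious."""
    # Windows ignores trailing spaces and dots, so strip them before splitting.
    parts = name.rstrip(" .").rsplit(".", 2)
    if len(parts) != 3:
        return []
    base, decoy, final = parts
    if decoy.lower() not in DECOY_EXTS or final.lower() not in FINAL_EXTS:
        return []
    reasons = ["double-extension"]
    if base.upper() in LISTED_NAMES:
        reasons.append("listed-name")
    return reasons

def scan_message(raw):
    """Parse raw message bytes; return [(filename, reasons)] for flagged parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        reasons = classify_filename(filename) if filename else []
        if reasons:
            findings.append((filename, reasons))
    return findings

def build_sample(filename):
    """Constructed test message: blank body plus one inert attachment."""
    m = EmailMessage()
    m["Subject"] = "Re: reunion dates"
    m.set_content("\n")  # body left blank, as the article describes
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("Readme.doc.scr", "holiday.zip.pif", "report.doc"):
        print(fn, scan_message(build_sample(fn)))
```

A name that matches only the extension pattern is still flagged, since the double extension is suspicious regardless of the base name.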