From another mailing list mom:
In addition to the info below, I read in another announcement message
that the real file name may be masked by having 59 spaces before the
extension. Also, the file size of the message will be about 30K -- a
couple of things to look for, since this one appears to come from
people you know (you're in their address books).
http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of
several different file names. This worm also drops a backdoor trojan
that logs keystrokes.
Type: Worm
Virus Definitions: November 24, 2001
Threat Assessment:
Wild: Medium
Damage: Low
Distribution: High
Damage:
Payload: Large scale e-mailing: Sends email from addresses
found in the default MAPI program. Compromises security settings:
Installs keystroke logging Trojan.
Technical description:
This worm arrives as an email with one of several attachment
names and a combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the
following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the
following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.
Prevention methods:
1. Corporate email filtering systems should block all email that has
attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the
names listed above. Any email that has such an attachment should be
deleted.
--
Peggy
<'}}}}><
Patriotic Tribute
http://www.geocities.com/honnoll_honnell/WTC.html
Honnoll
http://www.geocities.com/honnoll_honnell/index.html
Winton
http://www.geocities.com/mawpeggy1946/index.html
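
An added example, not part of the original message or the Symantec advisory: one way a mail filter could apply the prevention advice above, flagging attachments by final extension, decoy double extension, space padding before the extension, and the listed file names. The function names, the constructed sample message and the 5-space padding threshold are assumptions.

```python
import re
from email import message_from_string

# Names and extensions are the ones listed in the advisory text above.
BLOCKED_FINAL_EXT = {".pif", ".scr"}
DECOY_EXT = {".doc", ".mp3", ".zip"}
KNOWN_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
               "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
PADDING = re.compile(r"\s{5,}")  # assumption: 5+ whitespace chars in a row is padding


def check_filename(name):
    """Return the list of reasons an attachment name should be blocked."""
    reasons = []
    if PADDING.search(name):
        reasons.append("whitespace-padded")
    # Drop whitespace so 'CARD.DOC<59 spaces>.pif' parses like 'CARD.DOC.pif'.
    parts = re.sub(r"\s+", "", name).split(".")
    base, exts = parts[0], ["." + p.lower() for p in parts[1:]]
    if exts and exts[-1] in BLOCKED_FINAL_EXT:
        reasons.append("blocked-extension")
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            reasons.append("double-extension")
    if base.upper() in KNOWN_NAMES:
        reasons.append("known-name")
    return reasons


def scan_message(raw):
    """Map each attachment file name in a raw message to its block reasons."""
    msg = message_from_string(raw)
    return {part.get_filename(): check_filename(part.get_filename())
            for part in msg.walk() if part.get_filename()}


# Constructed sample message (not a captured one); the attachment body is a placeholder.
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nhello\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="NEWS_DOC.MP3' + " " * 59 + '.scr"\n'
    '\nplaceholder\n--b1--\n'
)

if __name__ == "__main__":
    for fname, why in scan_message(SAMPLE).items():
        print(repr(fname), why)
```

A non-empty reason list means the message should be quarantined; "blocked-extension" alone corresponds to prevention method 1, and the other reasons only add context for whoever reviews the quarantine.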