To all Champagne List Members, be on alert!
As many Rootsweb mail list subscribers know, it is impossible to receive an
attachment-borne virus from Rootsweb because the list servers at Rootsweb
remove all attachments before sending a posting on to a list.
Nonetheless, some of the larger Rootsweb lists are currently having
problems due to a new virus called W32/Badtrans, which is spread subscriber
to subscriber in a new and novel way. This virus and its variants are of
special concern to list subscribers.
This virus targets users of Outlook email programs, and rather than send a
copy of the virus to all the email addresses in the address book as in the
past, it sends the virus to all the email addresses that are in unopened
email in the Inbox.
For example, if subscriber A posts to a list and subscriber B has an
infected computer, subscriber A will get a virus-induced response from
subscriber B that will contain the virus in an attachment. More worrisome
is that subscriber A, anticipating a response, may eagerly open the
attachment only to find a virus that now infects their machine, and the
process of a widening infection continues.
I know some subscribers are on many lists, and it is a special hazard for
them. Needless to say, you will want to make doubly sure your virus
protection software is updated, and be especially careful when opening
attachments. I may temporarily unsubscribe infected machines to prevent
further spread if necessary.
McAfee has issued the following information on this virus.
McAfee - AVERT Profile
Virus Name: W32/Badtrans@MM
Risk Assessment: Low
Virus Characteristics
This mass-mailing worm attempts to send itself using Microsoft Outlook by
replying to unread email messages. It also drops a remote access trojan
(detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as
New Backdoor prior to the 4134 DAT release).
When run, the worm displays a message box entitled "Install error" which
reads, "File data corrupt: probably due to a bad data transmission or bad
disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an
entry is entered into the WIN.INI file to run INETD.EXE at startup.
KERN32.EXE (a backdoor trojan) and HKSDLL.DLL (a valid keylogger DLL) are
written to the WINDOWS SYSTEM directory, and a registry entry is created to
load the trojan upon system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe
Once running, the trojan attempts to mail the victim's IP address to the
author. Once this information is obtained, the author can connect to the
infected system via the Internet and steal personal information such as
usernames and passwords. In addition, the trojan also contains a keylogger
program which is capable of capturing other vital information such as credit
card and bank account numbers and passwords.
The next time Windows is loaded, the worm attempts to email itself by
replying to unread messages in Microsoft Outlook folders. The worm will be
attached to these messages using one of the following filenames (note that
some of these filenames are also associated with other threats, such as
W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
AVERT first received an intended version of this worm (10,623 bytes) on
April 11 from a company in New Zealand. The file size of that sample is
(c) 2001, Network Associates, Inc. and its affiliated Companies. All Rights
Reserved.
Lynn- List Admin
Champagne List
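For subscribers or admins who want to screen incoming list replies for the pattern described above, here is an added example (it is not part of the original post or of McAfee's profile). It uses Python's standard-library email package to parse a message and flag it when the attachment name is on the Badtrans list quoted above, when the name uses the worm's double-extension trick (a decoy .TXT/.DOC/.ZIP extension followed by an executable .pif/.scr), or when the body carries the "Take a look to the attachment." lure. The sample messages, addresses and the decoy/executable extension sets are constructed here for illustration and are assumptions, not data from the page.

```python
"""Screen list replies for W32/Badtrans@MM indicators.

Added example; the indicator lists are copied from the McAfee profile quoted
above, everything else (extension sets, sample messages, addresses) is
constructed for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment names quoted from the McAfee AVERT profile of W32/Badtrans@MM.
BADTRANS_ATTACHMENTS = {
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr",
    "Me_nude.AVI.pif", "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif",
    "searchURL.scr", "SETUP.pif", "Sorry_about_yesterday.DOC.pif",
    "YOU_are_FAT!.TXT.pif",
}
BADTRANS_ATTACHMENTS_LOWER = {n.lower() for n in BADTRANS_ATTACHMENTS}
BADTRANS_BODY = "Take a look to the attachment."

# Assumed sets: final extensions Windows runs on double-click, and the
# "document" extensions the worm puts in front of them as a decoy.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs", ".lnk"}
DECOY_EXTS = {".txt", ".doc", ".zip", ".avi", ".mp3", ".jpg", ".gif", ".htm"}


def is_executable_attachment(name):
    """True if the file name ends in an extension Windows will execute."""
    return os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS


def is_double_extension(name):
    """True for names like Humor.TXT.pif: a decoy document extension
    immediately followed by an executable one."""
    root, last = os.path.splitext(name)
    _, inner = os.path.splitext(root)
    return last.lower() in EXECUTABLE_EXTS and inner.lower() in DECOY_EXTS


def classify_message(raw):
    """Return the list of reasons a raw RFC 822 message looks like a
    Badtrans reply; an empty list means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BADTRANS_BODY in body.get_content():
        reasons.append("body text matches Badtrans lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in BADTRANS_ATTACHMENTS_LOWER:
            reasons.append(f"attachment name on Badtrans list: {name}")
        elif is_double_extension(name):
            reasons.append(f"double-extension executable attachment: {name}")
        elif is_executable_attachment(name):
            reasons.append(f"executable attachment: {name}")
    return reasons


def build_sample(subject, body, attachment_name=None):
    """Construct a sample list reply (test data, not a real capture).
    The attachment payload is a few placeholder bytes, not malware."""
    msg = EmailMessage()
    msg["From"] = "subscriber-b@example.org"
    msg["To"] = "champagne-l@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("Re: Champagne family, 1850 census",
                     "Take a look to the attachment.", "Humor.TXT.pif"),
        build_sample("Re: Champagne family, 1850 census",
                     "Thanks, I will check that census page."),
        build_sample("family tree", "Here is the tree.", "family_tree.DOC.scr"),
    ]
    for raw in samples:
        print(classify_message(raw) or ["clean"])
```

The double-extension check catches variants that change the file name but keep the trick, which is why it runs even when the name is not on McAfee's list; a plain executable attachment is reported separately so an admin can decide whether a lone .scr or .pif on a genealogy list is ever legitimate.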