Below you will find the link for the Symantec site that explains the
BadTrans virus that's been hitting all the subscribers. Keep in mind,
PLEASE that this is NOT going through the Rootsweb lists. It is ONLY
hitting the subscribers because it takes its target addresses from the
computer of those that ARE infected. It has only that connection with the
mailing lists.
Below, thanks to Jeff, I have a copy of what is on the site, but please go
there yourself......you will find basically the same thing, but I want you
to be SURE that this is for REAL!!
Please update your antivirus program, and run a scan. Anyone who is
infected I'm unsubbing until I have confirmation back that they have rid
their system of the virus. I'm sorry, but it's the best way I can deal with
it. The lists are full of these.......all of them! :( The virus uses
addresses found on the infected person's machine to send attachments to
others to infect them.......thus the reason for my move of unsubbing
people. Just trying to protect other list members.
Go to the following site and follow the directions to eliminate the virus
from your system, please.
This is the address on the Symantec site that tells about the virus and how
to get rid of it:
http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
If you can't go to a sub page (some programs like AOL won't let you), try
this address:
http://www.symantec.com/avcenter/
The particular virus is the top one listed on the page.
Thanks!
Mari
List Admin
READ ON PLEASE:
W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 26, 2001 at 12:46:58 PM PST
Due to the increased rate of submissions, we have updated the threat level
of this worm from level 3 to level 4. W32.Badtrans.B@mm is a MAPI worm that
emails itself out as one of several different file names. This worm also
creates a DLL in \Windows\System directory as Kdll.dll. It uses functions
from this DLL to log keystrokes.
Type: Worm
Virus Definitions: November 24, 2001
Threat Assessment:
    Wild: High
    Damage: Low
    Distribution: High
Wild:
    Number of infections: More than 1000
    Number of sites: 3 - 9
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Easy
Damage:
    Payload:
        Large scale e-mailing: Uses MAPI commands to send email.
        Compromises security settings: Installs keystroke logging Trojan horse.
Technical description:
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the
following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe
Prevention methods:
1. Corporate email filtering systems should block all email that has
attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the
names listed above. Any email that has such an attachment should be deleted.
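The two prevention rules above, as an added example of a mail-gateway attachment check (this is not code from the advisory or from Symantec): it blocks every .pif/.scr attachment outright and separately identifies names that match the exact BadTrans.B name/extension pattern. The sample attachment names are constructed for the demonstration.

```python
# Added example: attachment-name triage implementing the advisory's two
# prevention rules. Not part of the advisory; sample names are constructed.

# File-name components exactly as listed in the advisory above.
BADTRANS_NAMES = {
    "HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD",
    "SEARCHURL", "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS",
}
FIRST_EXTENSIONS = {".doc", ".mp3", ".zip"}    # decoy "document" extension
SECOND_EXTENSIONS = {".pif", ".scr"}           # real, executable extension

# Constructed sample attachment names (not taken from any real message).
SAMPLE_ATTACHMENTS = [
    "CARD.DOC.PIF",            # exact BadTrans.B pattern
    "news_doc.mp3.scr",        # same pattern, different case
    "YOU_ARE_FAT!.ZIP.pif",
    "invoice.pdf.scr",         # not BadTrans, but rule 1 still blocks it
    "holiday_photos.zip",      # single archive extension: allowed by these rules
    "report.doc",
    "README",                  # no extension at all
]


def classify_attachment(filename: str) -> str:
    """Return 'badtrans', 'blocked-extension' or 'allow' for one attachment name.

    Matching is case-insensitive because Windows ignores case in file names.
    """
    stem, dot, last = filename.lower().rpartition(".")
    if not dot or "." + last not in SECOND_EXTENSIONS:
        return "allow"                     # rule 1 does not apply
    # Rule 1: every .scr / .pif attachment is blocked, whatever its name.
    base, dot2, first = stem.rpartition(".")
    if dot2 and "." + first in FIRST_EXTENSIONS and base.upper() in BADTRANS_NAMES:
        return "badtrans"                  # rule 2: exact name/extension pattern
    return "blocked-extension"


def triage(attachments):
    """Map each attachment name to its verdict; blocked names never reach users."""
    return {name: classify_attachment(name) for name in attachments}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:18} {name}")
```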
Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How
to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.
   Go to REGEDIT in the START>RUN command.
   open HKEY_LOCAL_MACHINE\
   open SOFTWARE\
   open Microsoft\
   open Windows\
   open CurrentVersion\
   open RunOnce\
   DELETE the entry called "Kernel32=kernel32.exe".