Date: Sun, 22 Apr 2001 22:01:52 -0400
From: "George W. Durman" <georgedurman(a)home.com>
To: EUDORA-MAIL-L(a)rootsweb.com
OK, let's see if I can explain this so that everyone understands
how these latest viruses, trojans, and worms work.
Let's start with the very latest, W32/Badtrans@MM, also seen
as W32/Badtrans@M. Here are other aliases that have been
found:
Backdoor-NK.svr,
BadTrans (F-Secure),
I-Worm.Badtrans (AVP),
W32.Badtrans.13312@mm (NAV).
There are several things about this one that need to be discussed:
how it is spread, and the danger to the infected user's computer.
1) W32/Badtrans@MM is received as a REAL attachment
(more about "real" vs. "inline" attachments later). It comes as an
actual file attachment, which is downloaded to a user's computer
into whatever directory is set up for such downloads. For
Eudora, Pegasus, and other "stand alone" email programs,
this will be something like "Downloads", "Attachments", etc.
For MS Outlook and MS Outlook Express, I'm not sure where
a separate attached file is placed.
2) A user's computer is NOT infected UNTIL he/she clicks on
the attachment and "runs" it, that is, executes it so that it does
whatever it's supposed to do.
3) Once a user clicks the attachment, it installs itself on to the
user's computer. It then does two things:
a) It propagates itself so that every time the system is rebooted,
it mails itself to the sender of EVERY UNREAD EMAIL in the user's
MS Outlook FOLDERS. Notice that I say "folders", not "folder".
That means that if you filter incoming email into various created
folders, this trojan/virus searches all of them, not just the IN BOX.
HERE'S THE REALLY DIRTY PART: The virus looks through
all those unread emails; it finds the originator of them (FROM:)
and REPLIES to the person who sent the original email. BUT,
it also attaches a copy of the infected file and mails it along
with the "reply". Thus, if John Doe sends an email to a person,
or to a Mailing List, when that email ends up on another user's
email program, and that other user is infected and hasn't read
John's email, John receives a reply containing a copy of the
virus as a separate clickable file.
HERE'S WHY USERS KEEP INSISTING THAT VIRUSES CAN
BE SPREAD BY ROOTSWEB MAILING LISTS, AND WHY
THEY THINK THE ATTACHMENT CAME THROUGH A
MAILING LIST: Let me give an example -
John Doe sends a post to the SMITH-L Mailing List. John
Doe's system is NOT infected. Every one of the 2,000+ users
of the SMITH-L Mailing List receives a copy of John's
email. One of these users, let's call him Bill Smith, has the
W32/Badtrans@MM virus on his system.
Now, Bill has a copy of John's email in his Outlook program.
He doesn't read it right away. He reboots his computer and,
when Windows restarts, the virus looks through Bill's email
in Outlook. It sends a reply to the sender of EVERY unread
email, AND attaches a copy of itself as a separate attachment.
It copies all the original headers, including those that show
the email came through SMITH-L(a)rootsweb.com.
Then John, the original sender of the email, receives a
"reply" to his email, from Bill. John looks at the email and
sees that it is a reply to his original post. He also sees
SMITH-L(a)rootsweb.com in several of the headers. As
far as he's concerned, he has received a normal reply back
through the Mailing List.
If John is a "newbie", one of two things happens:
I) He sees an attached file, with a message something like,
"Take a look to the attachment." He says to himself, "This
Bill Smith is answering my original post, AND he has sent
me an attachment which is probably a file having something
to do with information on my query." He clicks the attachment;
thus ANOTHER SMITH-L Mailing List user is infected.
or
II) He is savvy enough to know NOT to open the attachment,
BUT from the looks of the "reply" it appears that it came
back to him via the Mailing List. He screams and curses,
and says, "I knew it! I don't care what the Listowners and
the folks at Rootsweb say, these virus attachments ARE
coming through the Mailing List!" He then posts angry
posts to all the Mailing Lists to which he subscribes,
calling the Listowners and Rootsweb people liars. He
thus starts another round of uninformed posts about how
attachments CAN be passed through Mailing Lists, and
about how viruses CAN also be passed through the Lists.
In short, this virus/trojan tricks recipients of infected
email into thinking the virus is being propagated via a
Mailing List. NOT SO !!!!!
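To show how a recipient (or a Listowner fielding complaints) can tell the
two cases in the example apart, here is a small Python script. It is an
added illustration, not part of George's post or anything Rootsweb runs.
The idea: the topmost "Received:" line of a message is written by the
recipient's OWN mail server and names the machine that actually handed the
message over. For a genuine List post that machine is the list server; for
the worm's "reply" it is the infected user's ISP, no matter what the copied
headers underneath say. The two sample messages, the host names, the
addresses and the list host "rootsweb.com" are all invented for the
example; which headers the worm copies is only known from the post's
description, so the copied header here is simply a stale Received: line.

```python
import email
import re

LIST_HOST = "rootsweb.com"  # assumed host for the SMITH-L list server

# Constructed sample: a genuine post distributed by the SMITH-L list.
# mail.example.org is the recipient's own server and wrote the topmost
# Received: line; the hop into it came from the list server.
LIST_POST = """\
Received: from lists.rootsweb.com (lists.rootsweb.com [192.0.2.10])
    by mail.example.org with SMTP; Sun, 22 Apr 2001 20:01:00 -0400
Received: from smtp.example-isp.net (smtp.example-isp.net [198.51.100.5])
    by lists.rootsweb.com with SMTP; Sun, 22 Apr 2001 19:58:00 -0400
From: John Doe <john.doe@example-isp.net>
To: SMITH-L@rootsweb.com
Subject: Looking for SMITH ancestors in Ohio

Does anyone have the 1850 census index for Hamilton County?
"""

# Constructed sample: the worm's "reply" sent straight from Bill's infected
# machine to John. The hop into mail.example.org came from Bill's ISP; the
# older Received: line mentioning the list is copied from John's original
# and is what makes the reply look like List traffic.
WORM_REPLY = """\
Received: from smtp.other-isp.net (smtp.other-isp.net [203.0.113.7])
    by mail.example.org with SMTP; Mon, 23 Apr 2001 08:12:00 -0400
Received: from lists.rootsweb.com (lists.rootsweb.com [192.0.2.10])
    by smtp.other-isp.net with SMTP; Sun, 22 Apr 2001 20:01:00 -0400
From: Bill Smith <bill.smith@other-isp.net>
To: John Doe <john.doe@example-isp.net>
Subject: Re: Looking for SMITH ancestors in Ohio

Take a look to the attachment.
"""


def last_hop_host(msg):
    """Host named in the topmost Received: line, i.e. the machine that handed
    the message to the recipient's own server. Lower lines may have been
    copied from another message; the topmost one is the only one the
    recipient's server wrote itself."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"from\s+([\w.-]+)", received[0])
    return match.group(1).lower() if match else None


def mentions_list(msg, list_host=LIST_HOST):
    """True if any header value names the list host, genuine or copied."""
    return any(list_host in value.lower() for value in msg.values())


def classify_origin(raw_message, list_host=LIST_HOST):
    """'via-list': last hop was the list server.
    'direct-with-list-headers': list host appears in headers but the last
    hop was somewhere else (the worm's reply).
    'direct': ordinary mail with no list markers at all."""
    msg = email.message_from_string(raw_message)
    hop = last_hop_host(msg)
    if not mentions_list(msg, list_host):
        return "direct"
    if hop and (hop == list_host or hop.endswith("." + list_host)):
        return "via-list"
    return "direct-with-list-headers"


if __name__ == "__main__":
    print("John's post:", classify_origin(LIST_POST))
    print("Bill's 'reply':", classify_origin(WORM_REPLY))
```

This is a heuristic, not proof: a message forwarded by a friend will also
show a non-list last hop. But it answers the question the angry posts keep
raising. If the last hop was not the list server, the List did not deliver
the attachment, whatever else the headers say.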
b) The other thing this virus/trojan does is this:
Once running, the trojan attempts to mail the victim's IP
Address to the author. Once this information is obtained,
the author can connect to the infected system via the Internet
and steal personal information such as usernames and passwords.
In addition, the trojan also contains a keylogger program which is
capable of capturing other vital information such as credit card
and bank account numbers and passwords.
4) THIS IS WHY EVERY COMPUTER USER MUST HAVE
A FIREWALL ON HIS/HER COMPUTER !!!!! It doesn't matter
whether you are using a dialup modem, a cable modem, DSL,
or whatever, you NEED a firewall. A firewall is nothing more
than a small utility that prevents malicious people from entering
your system through a "back door". Once such a person has
your IP address, he/she can connect to your computer any
time your modem is connected, which is 24/7 for everyone but
those using a dialup modem. Of course, a dialup modem is
accessible only when you are actually "online".
5) So, PLEASE, let's stop this latest round of blaming Rootsweb
Mailing Lists for allowing attachments, and for propagating
viruses, trojans, worms, etc. I know that in the future, as new
users subscribe, many of them will come to the same erroneous
conclusions and start the thread all over again. They should
be politely, but firmly, advised of the true situation.
6) VERY IMPORTANT POINT: Some users insist that email
from Mailing Lists always comes as attachments. Not so!
SOME email programs, such as MS Outlook/Outlook Express
and AOL, convert ALL List email into attachments. This is
one of the most serious problems with such programs, and
causes users to think that they are receiving "real" attachments.
"REAL" attachments are FILES that are outside the body
of an email, and come along with the email as a "rider". Other
so-called "attachments" are those that contain the actual text
from the body of an email. This is especially true for those
subscribers to the Digest Mode of Lists. MS Outlook and
AOL extract the body text and put it into "attachments".
To the poster who was worried about "viruses going around
on the GEN-NEWBIE Mailing List": I hope you can see from
the above that the viruses are being sent from infected users'
computers, users who happen to be receiving email from the
List.
This point MUST be made: If any user receives an infected
email, or an infected attached file, and it appears to have
come through a Mailing List, IT DID NOT. Blame the
problems, and resulting confusion, on a virus-writer who
is a little smarter than the average gomer.
To end, here's a list of the KNOWN file-names that the
W32/Badtrans@MM virus/trojan uses:
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
So far, I have received virus attachments with the names
"README.TXT.pif" and "Sorry_about-yesterday.DOC.pif".
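Two of the points above, the difference between a "real" attachment and
body text that Outlook or AOL merely display as one, and the file names
the worm uses, can be checked by a program. The Python script below is an
added example, not part of George's post. It parses a message with the
standard library's email module, reports only the parts that are REAL
attachments (a MIME part marked "Content-Disposition: attachment" with a
file name; plain body text has no such marking and is skipped), and flags
file names whose final extension Windows will execute. The .pif and .scr
extensions come from the list above; the other executable extensions and
the "decoy" document extensions are an assumption added here. The sample
reply, its addresses and its attachment contents are invented; the
attachment is a few junk bytes, not a program.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File names the post lists for W32/Badtrans@MM.
BADTRANS_NAMES = [
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr", "Me_nude.AVI.pif",
    "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif", "searchURL.scr",
    "SETUP.pif", "Sorry_about_yesterday.DOC.pif", "YOU_are_FAT!.TXT.pif",
]

# Windows runs a double-clicked file with any of these extensions. .pif and
# .scr are the two the worm uses; the rest are an assumption added here
# because they behave the same way when clicked.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}

# Harmless-looking extensions the worm puts in front of the real one, so
# "Humor.TXT.pif" reads as a text file to a newbie. Assumed set.
DECOY_EXTENSIONS = {".txt", ".doc", ".zip", ".avi", ".mp3", ".jpg", ".htm"}


def classify_filename(name):
    """'executable', 'disguised-executable' (a document-looking name that
    ends in an executable extension), or 'ok'."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return "ok"
    _, inner = os.path.splitext(stem)
    if inner.lower() in DECOY_EXTENSIONS:
        return "disguised-executable"
    return "executable"


def real_attachments(raw_message):
    """Return (filename, verdict) for every REAL attachment in a message.

    Only MIME parts carrying Content-Disposition: attachment with a file
    name count. The message body, which some mail programs show as an
    "attachment" for digest mail, has no such disposition and is skipped.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if part.get_content_disposition() == "attachment" and name:
            found.append((name, classify_filename(name)))
    return found


def build_sample_reply():
    """Constructed sample of the worm's 'reply': an inline body, the worm as
    a real attachment, and one harmless text attachment. Addresses are
    invented; the .pif payload is junk bytes, not a program."""
    msg = EmailMessage()
    msg["From"] = "Bill Smith <bill.smith@other-isp.net>"
    msg["To"] = "John Doe <john.doe@example-isp.net>"
    msg["Subject"] = "Re: Looking for SMITH ancestors in Ohio"
    msg.set_content("Take a look to the attachment.")
    msg.add_attachment(b"NOT-A-PROGRAM", maintype="application",
                       subtype="octet-stream", filename="README.TXT.pif")
    msg.add_attachment("Hamilton County, 1850: SMITH, John",
                       filename="ancestors.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict in real_attachments(build_sample_reply()):
        print(f"{name}: {verdict}")
```

Run on the sample, the body text is not reported at all, README.TXT.pif
is reported as a disguised executable, and ancestors.txt as harmless.
Every name in the list above comes back flagged, which is the one rule a
subscriber needs: if the LAST extension is .pif or .scr, the file is a
program, whatever the name in front of it says.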
Anyone reading this has my permission to copy it and
repost to individuals or other Mailing Lists.
SgtGeorge
George W. Durman
VIRUS-DISCUSSION Listowner