I never send out virus warnings and alerts - sorry Dawn - but already this
morning I have received several e-mails with this virus attached all sent to
my new email addy. I have no idea how many are infected or where the virus
came from. I know for a fact that most of the email lists I belong to do not
allow attachments, but if someone on the list has the virus, this one will
send itself out to everyone in their addy book and also attempt to reply to
any unanswered emails.
Below is the information on this virus and how to get rid of it. PLEASE
NOTE!!!! When you attempt to open the attachment you will get an error
message that says: "File data corrupt: probably due to a bad data
transmission or bad disk access." Despite your feelings otherwise, YOU ARE
NOW INFECTED!
Pauli
http://www.mcafee.com/anti-virus/viruses/badtrans/?cid=2208
W32/Badtrans@MM Help Center
DESCRIPTION - What virus is this?
W32/Badtrans@MM is a Medium Risk mass-mailing worm that drops a remote
access Trojan. The virus arrives via email in Microsoft Outlook and attempts
to send itself by replying to unread email messages. The email may contain
the text "Take a look to the attachment" in the message body and will
contain an attachment that is 13,312 bytes in length and uses one of the
following names:
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
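The description above gives three things a mail gateway or a mailbox scan can key on: the lure text in the body, the fixed attachment size of 13,312 bytes, and the list of attachment names. The following is an added example, not code from McAfee or from this list, that applies those three checks to a message parsed with Python's standard email library. The message it scans is constructed inline; it is not a real capture. The double-extension rule (a document-looking name ending in .pif or .scr) is a generalisation of the names in the list and is my assumption, not something the description states.

```python
import re
from email.message import EmailMessage

# Attachment names from the description above (compared case-insensitively).
BADTRANS_NAMES = {
    "card.pif", "docs.scr", "fun.pif", "hamster.zip.scr", "humor.txt.pif",
    "images.pif", "new_napster_site.doc.scr", "news_doc.scr", "me_nude.avi.pif",
    "pics.zip.scr", "readme.txt.pif", "s3msong.mp3.pif", "searchurl.scr",
    "setup.pif", "sorry_about_yesterday.doc.pif", "you_are_fat!.txt.pif",
}
BADTRANS_SIZE = 13312                              # attachment length in bytes
BADTRANS_BODY = "take a look to the attachment"    # lure text in the message body

# Assumed generalisation of the list: a document-looking name followed by an
# executable extension, e.g. "x.TXT.pif". Not part of the McAfee description.
DOUBLE_EXT = re.compile(r"\.(txt|doc|zip|avi|mp3)\.(pif|scr|exe|com|bat)$", re.I)


def scan_message(msg):
    """Return a list of human-readable findings for one parsed EmailMessage."""
    findings = []
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if BADTRANS_BODY in body.lower():
        findings.append("body text matches the Badtrans lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower() in BADTRANS_NAMES:
            findings.append(f"{name}: attachment name is on the Badtrans list")
        elif DOUBLE_EXT.search(name):
            findings.append(f"{name}: document-looking name with executable extension")
        if len(data) == BADTRANS_SIZE:
            findings.append(f"{name}: size {BADTRANS_SIZE} bytes matches Badtrans")
    return findings


def build_sample(body, filename, size):
    """Constructed test message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: your mail"
    msg.set_content(body)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    sample = build_sample("Take a look to the attachment", "Humor.TXT.pif", BADTRANS_SIZE)
    for finding in scan_message(sample):
        print(finding)
```

On a real mailbox the message would come from email.message_from_bytes(raw, policy=email.policy.default) instead of build_sample; the name and size checks are exact matches for this worm, while the double-extension rule is broader and will also flag unrelated messages, so treat it as a quarantine-for-review signal rather than a verdict.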
PAYLOAD - What can this virus do?
If the attachment is opened, the worm displays a message box entitled,
"Install error" which reads, "File data corrupt: probably due to a bad data
transmission or bad disk access." A copy is saved into the WINDOWS directory
as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE
at startup. KERN32.EXE (a backdoor Trojan), and HKSDLL.DLL (a valid
keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry
entry is created to load the Trojan upon system startup.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe
Once running, the Trojan attempts to mail the victim's IP address to the
author. Once this information is obtained, the author can connect to the
infected system via the Internet and steal personal information such as
usernames and passwords. In addition, the Trojan also contains a keylogger
program which is capable of capturing other vital information such as credit
card and bank account numbers and passwords.
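The payload section names three host-side traces: the run= entry for INETD.EXE in WIN.INI, the RunOnce value kernel32=kern32.exe, and the dropped files INETD.EXE, KERN32.EXE and HKSDLL.DLL. The following is an added example, not McAfee's code or a removal tool, that checks a host for exactly those indicators. So that it runs anywhere, the WIN.INI text and the RunOnce values are passed in as data (on a live Windows machine you would read them from %WINDIR%\WIN.INI and with the winreg module), and the sample host state it scans is constructed in a temporary directory, not taken from an infected system.

```python
import re
import tempfile
from pathlib import Path

# Host indicators taken from the payload description above.
INI_RUN_TARGET = "inetd.exe"                            # WIN.INI run= entry
RUNONCE_NAME, RUNONCE_DATA = "kernel32", "kern32.exe"   # HKLM\...\RunOnce\kernel32=kern32.exe
WINDOWS_FILES = ["INETD.EXE"]                           # dropped into the WINDOWS directory
SYSTEM_FILES = ["KERN32.EXE", "HKSDLL.DLL"]             # dropped into WINDOWS\SYSTEM


def _basename(path):
    """Last component of a DOS or POSIX path, lower-cased, usable off-host on any OS."""
    return re.split(r"[\\/]", str(path).strip().strip('"'))[-1].lower()


def parse_win_ini_run(text):
    """Programs listed under run= and load= in the [windows] section of WIN.INI text."""
    programs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                # WIN.INI separates several programs with spaces or commas
                programs += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return programs


def check_win_ini(text):
    """Entries in run=/load= that point at INETD.EXE."""
    return [p for p in parse_win_ini_run(text) if _basename(p) == INI_RUN_TARGET]


def check_runonce(values):
    """values: RunOnce value name -> data (read with winreg on a live host)."""
    return [f"{n}={d}" for n, d in values.items()
            if n.lower() == RUNONCE_NAME and _basename(d) == RUNONCE_DATA]


def check_files(windows_dir):
    """Dropped files that exist under the given WINDOWS directory."""
    win = Path(windows_dir)
    candidates = [win / f for f in WINDOWS_FILES] + [win / "SYSTEM" / f for f in SYSTEM_FILES]
    return [str(p) for p in candidates if p.is_file()]


def scan_host(windows_dir, win_ini_text, runonce_values):
    """Run all three checks and return the findings per area (empty lists mean clean)."""
    return {
        "win_ini": check_win_ini(win_ini_text),
        "runonce": check_runonce(runonce_values),
        "files": check_files(windows_dir),
    }


# Constructed sample host state (not taken from a real infection) showing all three traces.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUNONCE = {"kernel32": "kern32.exe"}


def build_sample_windows_dir():
    """Throwaway directory tree imitating WINDOWS\\ and WINDOWS\\SYSTEM with the dropped files."""
    root = Path(tempfile.mkdtemp())
    (root / "SYSTEM").mkdir()
    for name in WINDOWS_FILES:
        (root / name).write_bytes(b"")
    for name in SYSTEM_FILES:
        (root / "SYSTEM" / name).write_bytes(b"")
    return root


def demo():
    """Scan the constructed sample host and return the findings."""
    return scan_host(build_sample_windows_dir(), SAMPLE_WIN_INI, SAMPLE_RUNONCE)


if __name__ == "__main__":
    for area, hits in demo().items():
        print(area, hits or "clean")
```

Because the Trojan is loaded from RunOnce rather than Run, the value is consumed on the next boot, so an empty RunOnce on a machine that has rebooted does not by itself clear it; the WIN.INI entry and the files on disk are the more durable traces to check.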