The forwarded message appeared on Rootsweb's Virus Discussion List.
Because it contains some important information about Badtrans, I am
sending it to our subscribers. Every computer which has an active
E-Mail program should be equipped with an anti-virus program. If you
are a DSL subscriber, you should also have a firewall in place. Mine
is ZoneAlarm; a free version is available. I also use InoculateIT,
and a free version of this program is also available. Those who have a
virus need to clean their machines promptly - visit one of the
antivirus web sites for instructions. It will be best to unsub those
subscribers who contract viruses until their machines are cleaned.
Resent-date: Mon, 23 Apr 2001 03:01:22 -0600
Date: Sun, 22 Apr 2001 22:01:52 -0400
From: "George W. Durman" <georgedurman(a)home.com>
Subject: [VIRUS] FROM VIRUS-DISCUSSION LISTOWNER - EVERYONE PLEASE READ !!!!! (Was: RootsWeb can not transmit attachments)
X-Mailing-List: <VIRUS-DISCUSSION-L(a)rootsweb.com> archive/latest/3046

OK, let's see if I can explain this so that everyone understands
how these latest viruses, trojans, and worms work.
Let's start with the very latest, W32/Badtrans@MM, also seen
as W32/Badtrans@M. Here are other aliases that have been
There are several things about this one that need to be discussed,
how it is spread, and the danger to the infected user's computer.

1) W32/Badtrans@MM is received as a REAL attachment
(more about "real" vs. "inline" attachments later). It comes as an
actual file attachment, which is downloaded to a user's computer
into whatever directory is set up for such downloads. For
Eudora, Pegasus, and other "stand alone" email programs,
this will be something like "Downloads", "Attachments", etc.
For MS Outlook and MS Outlook Express, I'm not sure where
a separate attached file is placed.

2) A user's computer is NOT infected UNTIL he/she clicks on
the attachment and "runs" it, that is, executes it so that it does
whatever it's supposed to do.

3) Once a user clicks the attachment, it installs itself on to the
user's computer. It then does two things:
a) It propagates itself so that every time the system is rebooted,
it mails itself to the sender of EVERY UNREAD EMAIL in the user's
MS Outlook FOLDERS. Notice that I say "folders", not "folder".
That means that if you filter incoming email into various created
folders, this trojan/virus searches all of them, not just the IN BOX.

HERE'S THE REALLY DIRTY PART: The virus looks through
all those unread emails; it finds the originator of them (FROM:)
and REPLIES to the person who sent the original email. BUT,
it also attaches a copy of the infected file and mails it along
with the "reply". Thus, if John Doe sends an email to a person,
or to a Mailing List, when that email ends up on another user's
email program, and that other user is infected and hasn't read
John's email, John receives a reply containing a copy of the
virus as a separate clickable file.

HERE'S WHY USERS KEEP INSISTING THAT VIRUSES CAN
BE SPREAD BY ROOTSWEB MAILING LISTS, AND WHY
THEY THINK THE ATTACHMENT CAME THROUGH A
MAILING LIST: Let me give an example -

John Doe sends a post to the SMITH-L Mailing List. John
Doe's system is NOT infected. Every one of the 2,000+ users
of the SMITH-L Mailing List receives a copy of John's
email. One of these users, let's call him Bill Smith, has the
W32/Badtrans@MM virus on his system.

Now, Bill has a copy of John's email in his Outlook program.
He doesn't read it right away. He reboots his computer and,
when Windows restarts, the virus looks through Bill's email
in Outlook. It sends a reply to the sender of EVERY unread
email, AND attaches a copy of itself as a separate attachment.
It copies all the original headers, including those that show
the email came through SMITH-L(a)rootsweb.com.

Then John, the original sender of the email, receives a
"reply" to his email, from Bill. John looks at the email and
sees that it is a reply to his original post. He also sees
SMITH-L(a)rootsweb.com in several of the headers. As
far as he's concerned, he has received a normal reply back
through the Mailing List.

If John is a "newbie", one of two things happens:
I) He sees an attached file, with a message something like,
"Take a look to the attachment." He says to himself, "This
Bill Smith is answering my original post, AND he has sent
me an attachment which is probably a file having something
to do with information on my query." He clicks the attachment;
thus ANOTHER SMITH-L Mailing List user is infected.

II) He is savvy enough to know NOT to open the attachment,
BUT from the looks of the "reply" it appears that it came
back to him via the Mailing List. He screams and curses,
and says, "I knew it! I don't care what the Listowners and
the folks at Rootsweb say, these virus attachments ARE
coming through the Mailing List!" He then posts angry
posts to all the Mailing Lists to which he subscribes,
calling the Listowners and Rootsweb people liars. He
thus starts another round of uninformed posts about how
attachments CAN be passed through Mailing Lists, and
about how viruses CAN also be passed through the Lists.

In short, this virus/trojan tricks recipients of infected
email into thinking the virus is being propagated via a
Mailing List. NOT SO !!!!!

b) The other thing this virus/trojan does is this:
Once running, the trojan attempts to mail the victim's IP
Address to the author. Once this information is obtained,
the author can connect to the infected system via the Internet
and steal personal information such as usernames, and passwords.
In addition, the trojan also contains a keylogger program which is
capable of capturing other vital information such as credit card
and bank account numbers and passwords.

4) THIS IS WHY EVERY COMPUTER USER MUST HAVE
A FIREWALL ON HIS/HER COMPUTER !!!!! It doesn't matter
whether you are using a dialup modem, a cable modem, DSL,
or whatever, you NEED a firewall. A firewall is nothing more
than a small utility that prevents malicious people from entering
your system through a "back door". Once such a person has
your IP address, he/she can connect to your computer any
time your modem is connected, which is 24/7 for everyone but
those using a dialup modem. Of course, a dialup modem is
accessible only when you are actually "online".

5) So, PLEASE, let's stop this latest round of blaming Rootsweb
Mailing Lists for allowing attachments, and for propagating
viruses, trojans, worms, etc. I know that in the future, as new
users subscribe, many of them will come to the same erroneous
conclusions and start the thread all over again. They should
be politely, but firmly, advised of the true situation.

6) VERY IMPORTANT POINT: Some users insist that email
from Mailing Lists always comes as attachments. Not so!
SOME email programs, such as MS Outlook/Outlook Express
and AOL, convert ALL List email into attachments. This is
one of the most serious problems with such programs, and
causes users to think that they are receiving "real" attachments.

"REAL" attachments are FILES that are outside the body
of an email, and come along with the email as a "rider". Other
so-called "attachments" are those that contain the actual text
from the body of an email. This is especially true for those
subscribers to the Digest Mode of Lists. MS Outlook and
AOL extract the body text and put it into "attachments".

To the poster who was worried about "viruses going around
on the GEN-NEWBIE Mailing List": I hope you can see from
the above that the viruses are being sent from infected users'
computers, users who happen to be receiving email from the

This point MUST be made: If any user receives an infected
email, or an infected attached file, and it appears to have
come through a Mailing List, IT DID NOT. Blame the
problems, and resulting confusion, on a virus-writer who
is a little smarter than the average gomer.

To end, here's a list of the KNOWN file-names that the
W32/Badtrans@MM virus/trojan uses:
So far, I have received virus attachments with the names
"README.TXT.pif" and "Sorry_about-yesterday.DOC.pif".

Anyone reading this has my permission to copy it and
repost to individuals or other Mailing Lists.

George W. Durman

At 10:17 AM 04/22/2001, Richard D. Reddick wrote:
*********START OF ORIGINAL MESSAGE TEXT*********
Okay, enough already -
I have never experienced a virus sent through RootsWeb! Am
on many RW forums/lists, manage several. Has something
changed recently? Originally RootsWeb system could not
transmit attachments. What's up? Others send or the worm
sends such attachments, when you dig into the properties and
encoding what you find is the message with that suspect
attachment did not originate or come through RootsWeb! Period.
St. George, this is still correct, right?
How your new email software handles things may be suspect as
well. Ignorance is never a reason to slander, but it is okay to ask

From: Doris McGlone <dmcglone(a)juno.com>
Subject: [GenHumor-L] Re: Virus?
All of my mail from rootsweb lists comes as attachments. Does
that mean I shouldn't open them? This is scary. The Gen-Newbie
list has had a lot of viruses going around also. I'm about to unsub
**********END OF ORIGINAL MESSAGE TEXT**********

==== VIRUS-DISCUSSION Mailing List ====
To contact the Listowner, send to:
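
The checks George's post describes, as an added example that is not part of the original list thread: telling a "real" file attachment from an inline body part (point 6), flagging executable double-extension names such as README.TXT.pif (the filename list at the end), and, as Richard Reddick suggests, digging into the headers to see which host actually handed the message to your mail server rather than trusting the copied list headers. The code is Python using only the standard library. The sample message, the host names bill-dialup.isp.example, mail.isp.example and mta1.example.net, the stand-in list host lists.example.org, and the `own_mtas` parameter (the set of your own receiving mail servers) are all constructed for illustration and are not from the original post.

```python
"""Triage a raw e-mail for the tricks described in the post: separate real
file attachments from inline body parts, flag executable double-extension
names (README.TXT.pif), and read the Received: trail to find the host that
actually handed the message to our server, whatever the copied headers claim.
Added example; hosts, addresses and the sample message are constructed."""
import re
from email import message_from_string, policy

# Extensions Windows runs on double-click; the lure is a benign-looking
# extension (.TXT, .DOC) placed in front of one of these.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs", ".lnk", ".js"}

# Constructed worm "reply": the top Received: line was added by our own MTA
# (mta1.example.net) and names the sender's dial-up host.  The line below it
# and the X-Mailing-List header were copied from the victim's unread list
# mail, so the list host appears although the message never passed through it.
SAMPLE = """\
Received: from bill-dialup.isp.example ([192.0.2.45]) by mta1.example.net with ESMTP id ABC123; Mon, 23 Apr 2001 04:03:35 -0500
Received: from lists.example.org ([198.51.100.7]) by mail.isp.example with ESMTP id XYZ789; Sun, 22 Apr 2001 22:01:52 -0400
X-Mailing-List: <SMITH-L@lists.example.org> archive/latest/1234
From: Bill Smith <bill@isp.example>
Subject: Re: [SMITH] Family records
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset="us-ascii"

Take a look to the attachment.
--bnd
Content-Type: application/octet-stream; name="README.TXT.pif"
Content-Disposition: attachment; filename="README.TXT.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bnd--
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def split_parts(msg):
    """Return (attachment filenames, inline content types).  A part is a real
    attachment if marked Content-Disposition: attachment or if it carries a
    filename with a non-text type; the rest is just the message body, which
    is all that an Outlook/AOL 'attachment' of list mail contains."""
    attachments, inline = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        named_binary = part.get_filename() and part.get_content_maintype() != "text"
        if part.get_content_disposition() == "attachment" or named_binary:
            attachments.append(part.get_filename() or "<unnamed>")
        else:
            inline.append(part.get_content_type())
    return attachments, inline


def name_risk(filename):
    """Flags for an attachment name: 'executable' if the final extension runs
    on double-click, plus 'double-extension' if a non-executable extension
    sits in front of it as a disguise."""
    pieces = filename.lower().split(".")
    risk = set()
    if len(pieces) >= 2 and "." + pieces[-1] in EXECUTABLE_EXTS:
        risk.add("executable")
        if len(pieces) >= 3 and "." + pieces[-2] not in EXECUTABLE_EXTS:
            risk.add("double-extension")
    return risk


def received_hops(msg):
    """(from, by) host pairs from Received: headers, newest first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def handing_host(msg, own_mtas):
    """Walk the trail from the top while the 'by' host is one of our own MTAs;
    the last 'from' in that run really delivered the message.  Everything
    below was supplied by the sender and may be copied from another message."""
    last = None
    for frm, by in received_hops(msg):
        if by.lower() not in own_mtas:
            break
        last = frm
    return last


def triage(raw, own_mtas):
    msg = parse(raw)
    attachments, inline = split_parts(msg)
    return {
        "attachments": {n: sorted(name_risk(n)) for n in attachments},
        "inline_parts": inline,
        "handed_to_us_by": handing_host(msg, own_mtas),
        "list_header_present": msg["X-Mailing-List"] is not None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE, {"mta1.example.net"}))
```

Run against the constructed sample, the report shows a list header and a copied Received line naming the list host, yet the hop our own MTA recorded came straight from the sender's dial-up address, which is exactly the situation the post describes; the only real attachment is an executable hiding behind a .TXT extension, while the "Take a look to the attachment" text is an inline body part, not a file.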