I got one of these just a bit ago. Please read and be very careful of
attachments. This one tried to open itself, but I cancelled it and deleted
the e-mail.
---------------------------------------
Well, it's that time again...
Symantec Security Response
http://securityresponse.symantec.com
W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 24, 2001 at 12:19:48 PM PST
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several
different file names. This worm also drops a backdoor trojan that logs
keystrokes.
Type: Worm
Virus Definitions: November 24, 2001
Threat Assessment:
Wild:
Medium Damage:
Low Distribution:
High
Wild:
Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy
Damage:
Payload:
Large scale e-mailing: Sends email from addresses found in the default MAPI
program.
Compromises security settings: Installs keystroke logging Trojan.
Technical description:
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the
following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the
following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel3
2=kernel32.exe.
Prevention methods:
1. Corporate email filtering systems should block all email that have
attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the
names listed above. Any email that has such an attachment should be deleted.
Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.
Write-up by: Patrick Martin
I have gotten a literal ton of e-mails with this virus. No matter how many
times you say it people just don't listen. DO NOT OPEN ATTACHMENTS!!!!
DUH!!!!!
Patrick