Old 26 November 2001, 16:43   #1
Member
 
Country: Other
Make: FB 55
Length: 10m +
Join Date: May 2001
Posts: 1,711
Computer Virus

Scorpion Ribs have been infected by the WORM_BADTRANS.B virus. If you receive an e-mail from them and you are not expecting any, DELETE it immediately. They are aware of the problem, so do not phone them about it.
__________________
Charles is offline   Reply With Quote
Old 27 November 2001, 08:09   #2
Member
 
Country: UK - England
Town: Poole
Length: no boat
Join Date: Jul 2001
Posts: 673
Here is a write-up on the BadTrans virus. The virus scanning software described below is based on Norton Anti-Virus.

Regards

Mark


W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 26, 2001 at 12:46:58 PM PST



Due to the increased rate of submissions, we have updated the threat level of this worm from level 3 to level 4.

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also creates a DLL in \Windows\System directory as Kdll.dll. It uses functions from this DLL to log keystrokes.


Type: Worm

Virus Definitions: November 24, 2001

Threat Assessment:


Wild: High
Damage: Low
Distribution: High


Wild:

Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Damage:

Payload:
Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.

Technical description:

This worm arrives as an email with one of several attachment names and a combination of two appended extensions.

The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the following:
.pif
.scr

The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.

Prevention methods:
1. Corporate email filtering systems should block all emails that have attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.



Removal instructions:



1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.
__________________
MarkWildey is offline   Reply With Quote
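
Prevention method 1 from the write-up quoted in post #2, sketched as a mail-filter check. This is an added example, not part of the original thread or of the vendor write-up; the function names, reason labels and the sample message are constructed for illustration. It goes slightly beyond the write-up by also catching names padded with trailing dots or spaces.

```python
import email
import email.policy
from email.message import EmailMessage

BLOCKED_EXTS = {"pif", "scr"}       # second (real) extension per the write-up
DECOY_EXTS = {"doc", "mp3", "zip"}  # first (decoy) extension per the write-up
LISTED_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
                "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}

def classify_attachment(filename):
    """Return the reasons to block this attachment name; empty list means allow."""
    # Drop any path, then trailing dots/spaces, which Win32 file APIs strip.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    base, *exts = name.split(".")
    exts = [e.lower() for e in exts]
    reasons = []
    if exts and exts[-1] in BLOCKED_EXTS:
        reasons.append("blocked-extension")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double-extension")
            if base.upper() in LISTED_NAMES:
                reasons.append("listed-name")
    return reasons

def scan_message(raw):
    """Map each flagged filename in a raw RFC 5322 message to its reasons."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flagged = {}
    for part in msg.walk():         # walk() also visits inline parts
        filename = part.get_filename()
        if filename:
            reasons = classify_attachment(filename)
            if reasons:
                flagged[filename] = reasons
    return flagged

def build_sample():
    """Constructed test message: one benign attachment, one worm-style name."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Re:"
    msg.set_content("constructed sample body")
    for fname in ("report.doc", "CARD.DOC.PIF"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```
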
Old 27 November 2001, 08:26   #3
Member
 
Country: UK - England
Town: Kingsbridge
Join Date: Jul 2001
Posts: 26
Funnily enough I just got one from them and Norton anti virus picked it up.

It seems as though this virus is quite virulent at the moment.

Nick
__________________
nickfarmer is offline   Reply With Quote
Old 27 November 2001, 09:17   #4
Administrator
 
Country: UK - England
Town: Brighton
Length: 3m +
Join Date: May 2000
Posts: 7,106
According to Symantec this was first reported on the 24th, so it's getting round rather quickly. I've received it from three people already!

As it's so new, it has obviously caught out people who haven't kept their antivirus software bang up to date. Updates should be done at least once a week, preferably more frequently.

If you need an easy to update antivirus program here are a couple that are worth considering:

EZ Antivirus
PC-cillin

John
__________________
John Kennett is offline   Reply With Quote
All times are GMT.