Old 26 November 2001, 12:43   #1
Country: Other
Make: FB 55
Length: 10m +
Join Date: May 2001
Posts: 1,711
Computer Virus

Scorpion Ribs have been infected by the WORM_BADTRANS.B virus. If you receive an e-mail from them and you are not expecting any, DELETE it immediately. They are aware of the problem, so do not phone them about it.

Charles
Old 27 November 2001, 04:09   #2
Country: UK - England
Town: Poole
Length: no boat
Join Date: Jul 2001
Posts: 673
Here is a write-up on the BadTrans virus. The virus scanning software described below is based on Norton Anti-Virus.



Discovered on: November 24, 2001
Last Updated on: November 26, 2001 at 12:46:58 PM PST


Due to the increased rate of submissions, we have updated the threat level of this worm from level 3 to level 4.

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also creates a DLL in \Windows\System directory as Kdll.dll. It uses functions from this DLL to log keystrokes.

Type: Worm

Virus Definitions: November 24, 2001

Threat Assessment:

High Damage:
Low Distribution:


Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.

Technical description:

This worm arrives as an email with one of several attachment names and a combination of two appended extensions.

The list of possible file names is:

The first extension that is appended to the file name is one of the following:

The second extension that is appended to the file name is one of the following:

The resulting file name would look something like this:

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:
1. Corporate email filtering systems should block all emails that have attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.

Removal instructions:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.

MarkWildey
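The gateway filtering rule from the write-up above (block attachments whose final extension is .scr or .pif, and treat a document-looking name carrying a second, executable extension as the disguise the worm uses) as an added Python example. This is not code from the forum post or from Symantec's write-up; the "decoy" extension list and the sample messages are constructed for this example, since the write-up's own file name lists did not survive on the page.

```python
"""Added example: flag e-mail attachments that match the double-extension
pattern described in the BadTrans write-up. Not Symantec's or the forum's
code; every sample message below is constructed for this example."""
import email
from email import policy
from email.message import EmailMessage

# Final extensions the write-up says corporate gateways should block.
BLOCKED_FINAL_EXTENSIONS = {".scr", ".pif"}
# Assumption (not from the write-up): a document-looking first extension
# followed by an executable one is the double-extension disguise to look for.
DECOY_EXTENSIONS = {".doc", ".txt", ".zip", ".mp3", ".jpg", ".htm", ".html"}


def split_extensions(filename):
    """Return (stem, [ext1, ext2, ...]) with extensions lowercased."""
    parts = filename.lower().split(".")
    if len(parts) == 1:
        return filename, []
    return parts[0], ["." + p for p in parts[1:]]


def classify_attachment(filename):
    """Return a reason string if the attachment name should be blocked, else None."""
    _, exts = split_extensions(filename)
    if not exts:
        return None
    final = exts[-1]
    if final in BLOCKED_FINAL_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return f"double extension {exts[-2]}{final}"
        return f"blocked extension {final}"
    # .exe and other types are deliberately not flagged: the write-up only
    # names .scr and .pif, so the rule stays scoped to what it describes.
    return None


def attachment_names(raw_message):
    """Extract attachment filenames from a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def scan_message(raw_message):
    """Return [(filename, reason), ...] for attachments that should be blocked."""
    findings = []
    for name in attachment_names(raw_message):
        reason = classify_attachment(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample(attachment_name):
    """Construct a minimal message with one attachment (sample data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("see attached")
    # Two placeholder bytes stand in for the attachment body.
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed names: two disguised executables, one plain document, one .exe.
    for name in ("Card.doc.pif", "Photo.jpg.scr", "report.doc", "setup.exe"):
        print(name, "->", scan_message(build_sample(name)))
```

The filter works on the attachment's declared filename only, which is exactly what the write-up's prevention advice keys on; a gateway that also wants to catch renamed executables would need to inspect the attachment content, which is outside this rule.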
Old 27 November 2001, 04:26   #3
Country: UK - England
Town: Kingsbridge
Join Date: Jul 2001
Posts: 26
Funnily enough I just got one from them and Norton anti virus picked it up.

It seems as though this virus is quite virulent at the moment.

nickfarmer
Old 27 November 2001, 05:17   #4
Country: UK - England
Town: Brighton
Length: 3m +
Join Date: May 2000
Posts: 7,026
According to Symantec this was first reported on the 24th, so it's getting round rather quickly. I've received it from three people already!

As it's so new, it has obviously caught out people who haven't kept their antivirus software bang up to date. Updates should be done at least once a week, preferably more frequently.

If you need an easy to update antivirus program here are a couple that are worth considering:

EZ Antivirus

John Kennett
