-Caveat Lector-

http://messagelabs.com/viruseye/

>>>Note:  I added the Symantec information at the end as this is the
one I use. So far so good and the system will automatically look for
updates.  This may be the case with others as well (I've used most)
but this one seems to be the most user friendly.  This is an adjunct
to the Net Security program.  A<>E<>R<<<

From
http://www.wired.com/news/print/0,1294,48613,00.html
>>>Embedded linques throughout @ site<<<
}}}>Begin
New Worm Replaces Sircam as No. 1
By Michelle Delio
7:11 a.m. Nov. 26, 2001 PST
Yet another worm that takes advantage of an old and well-known
vulnerability in Microsoft software is on the loose.
The worm, dubbed "BadTrans.B" by antiviral application vendors,
installs a piece of spy software on infected computers. This program
attempts to record and relay private information such as user names
and passwords to an e-mail address that is presumably accessible to
the worm's author.
Most of the major antiviral application companies ranked the worm as
a moderate to high threat on Monday morning. MessageLabs' virus
activity tracking indicates that BadTrans.B is being transmitted at
about 100 copies per minute.
BadTrans.B even knocked the worm that just won't die, SirCam, from
its first-place post on MessageLabs' tracking list on Sunday
afternoon. SirCam had reigned for four months as the most prevalent
computer virus.
"BadTrans.B is propagating as quickly as any virus we have ever seen,
and has replaced SirCam as the most virulent virus in the wild," Mark
Sunner, chief technology officer at MessageLabs, said.
But some antiviral vendors said that it hasn't yet reached the
saturation levels of other worms that wiggled across the Internet
this year.
"Although BadTrans.B seems to be out there in significant numbers, it
does not at the moment seem to be spreading as fast as Nimda,
Kournikova or the Love Bug," Graham Cluley, senior technology
consultant at Sophos Anti-Virus, said. "Calls to our technical
support department are simply not coming in as quickly as they did
with those earlier virus incidents."
The worm can infect computers running Microsoft's Windows operating
systems and unpatched versions of Outlook, and is aimed at slackers
who haven't stayed current with Microsoft's cavalcade of patches.
BadTrans.B is a retooled version of a worm that was first released in
April. The new version has been reworked to exploit a known Microsoft
vulnerability, which was also used by the Nimda worm, so that
BadTrans.B may now be able to spread more effectively.
BadTrans.B exploits a previously patched hole in Microsoft's Outlook
e-mail program, allowing the virus code to be executed simply by
clicking to open and read an infected e-mail in Microsoft Outlook. It
is not necessary to double click on an attachment, which may not even
be visible to the user, to launch the malicious code.
Cluley said that once the virus is active on a system, BadTrans.B
will e-mail itself to addresses contained in e-mail address books,
Web cache and the "My Documents" folder.
If the virus sends itself to an e-mail address found on the hard
drive rather than in the address book, then it will simply use the
subject line "Re:".
If sent to an address culled from Outlook's address book, then the
worm will generate a subject line by "reading" e-mail on the infected
machine and "replying" to it, using the same subject line, thus
"lulling the recipient into a false sense of security," Cluley said.
BadTrans.B also randomly generates a file name for the infected
attachment, using a variety of different phrases.
Once active on a system, BadTrans.B activates a Trojan horse program
that will attempt to monitor the infected system and record user
names, passwords and other sensitive data and forward them to a
designated e-mail address on free e-mail service MailandNews.com.
"The fact that BadTrans.B can log private details through keystrokes
has huge implications for personal and corporate confidentiality, and
underlines the recent advances in virus-writing techniques," Sunner
said.
Whether the e-mail address that the private information is relayed to
belongs to the worm's author is still unknown, Cluley and Sunner
said. E-mails sent to the address have neither bounced back nor
netted a reply from a recipient. The MailandNews service did not
immediately reply to inquiries.
Antiviral companies such as Symantec and McAfee have posted removal
information for the worm.
Copyright © 1994-2001 Wired Digital Inc. All rights reserved.

End<{{{

From
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

}}}>Begin
W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 24, 2001 at 12:19:48 PM PST
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of
several different file names. This worm also drops a backdoor trojan
that logs keystrokes.
Type: Worm
Virus Definitions: November 24, 2001
Threat Assessment:
  Wild: Medium
  Damage: Low
  Distribution: High

Wild:
  Number of infections: 50 - 999
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Easy
  Removal: Easy

Damage:
  Payload:
    Large scale e-mailing: Sends email from addresses found in the
    default MAPI program.
    Compromises security settings: Installs keystroke logging Trojan.

Technical description:
This worm arrives as an email with one of several attachment names
and a combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the
following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the
following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the following registry
value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe
Prevention methods:
1. Corporate email filtering systems should block all email that has
attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches
the names listed above. Any email that has such an attachment should
be deleted.
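A mail-gateway check for the attachment naming scheme described above, added here as an example (not Symantec's code and not part of the write-up): it blocks any attachment whose final extension is .pif or .scr, as prevention method 1 recommends, and separately reports an exact match on the documented name/extension combinations so an analyst can tell a generic extension hit from the BadTrans.B pattern. The message ids and sample attachment names are constructed.

```python
# Names and extensions exactly as listed in the write-up above.
BADTRANS_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD",
                  "SEARCHURL", "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
BADTRANS_FIRST_EXT = {".DOC", ".MP3", ".ZIP"}
BADTRANS_SECOND_EXT = {".PIF", ".SCR"}
# Prevention method 1: block these final extensions regardless of name.
BLOCKED_FINAL_EXT = {".PIF", ".SCR"}


def classify_attachment(filename: str) -> str:
    """Return 'badtrans', 'blocked-ext' or 'allow' for one attachment name.

    Matching is case-insensitive: the write-up lists .DOC and .pif but
    shows the resulting name as CARD.DOC.PIF.
    """
    parts = filename.strip().upper().rsplit(".", 2)  # base + up to 2 exts
    if len(parts) == 3:
        name, ext1, ext2 = parts[0], "." + parts[1], "." + parts[2]
        if (name in BADTRANS_NAMES and ext1 in BADTRANS_FIRST_EXT
                and ext2 in BADTRANS_SECOND_EXT):
            return "badtrans"
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    if final_ext in BLOCKED_FINAL_EXT:
        return "blocked-ext"
    return "allow"


def scan_message(attachments) -> str:
    """Return the strictest verdict across all attachments of one message."""
    rank = {"allow": 0, "blocked-ext": 1, "badtrans": 2}
    verdicts = [classify_attachment(a) for a in attachments] or ["allow"]
    return max(verdicts, key=rank.__getitem__)


# Constructed sample messages (hypothetical ids, not real captures).
SAMPLE_MESSAGES = [
    {"id": "msg-1", "attachments": ["CARD.DOC.PIF"]},
    {"id": "msg-2", "attachments": ["news_doc.mp3.scr"]},
    {"id": "msg-3", "attachments": ["setup.scr"]},
    {"id": "msg-4", "attachments": ["quarterly.zip", "notes.txt"]},
]


def scan_all(messages=SAMPLE_MESSAGES) -> dict:
    """Map each message id to its gateway verdict."""
    return {m["id"]: scan_message(m["attachments"]) for m in messages}


if __name__ == "__main__":
    for mid, verdict in scan_all().items():
        print(f"{mid}: {verdict}")
```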
Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured
to scan all files. For instructions on how to do this, read the
document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.

Write-up by: Patrick Martin

End<{{{
~~~~~~~~~~~~~~~
Forwarded as information only; no endorsement to be presumed
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
In accordance with Title 17 U.S.C. section 107, this material
is distributed without charge or profit to those who have
expressed a prior interest in receiving this type of information
for non-profit research and educational purposes only.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
The only real voyage of discovery consists not in seeking
new landscapes but in having new eyes. -Marcel Proust
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Do not believe in anything simply because you have heard it. Do not believe
simply because it has been handed down for many generations. Do not
believe in anything simply because it is spoken and rumored by many. Do
not believe in anything simply because it is written in Holy Scriptures. Do not
believe in anything merely on the authority of Teachers, elders or wise men.
Believe only after careful observation and analysis, when you find that it
agrees with reason and is conducive to the good and benefit of one and all.
Then accept it and live up to it."
The Buddha on Belief, from the Kalama Sutta
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
A merely fallen enemy may rise again, but the reconciled
one is truly vanquished. -Johann Christoph Schiller,
                                     German Writer (1759-1805)
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
It is preoccupation with possessions, more than anything else, that
prevents us from living freely and nobly. -Bertrand Russell
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Everyone has the right...to seek, receive and impart
information and ideas through any media and regardless
of frontiers."
Universal Declaration of Human Rights
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Always do sober what you said you'd do drunk. That will
teach you to keep your mouth shut."
--- Ernest Hemingway
