NAV has been whacking it for a couple of weeks. If it makes it through there
are some manual removal things that must be done.

FYI
Matt

----- Original Message -----
From: "Martin Blackstone" <[EMAIL PROTECTED]>
To: "MS-Exchange Admin Issues" <[EMAIL PROTECTED]>
Sent: Monday, November 26, 2001 5:47 AM
Subject: FW: Alert: W32/BadTrans.B-mm

> FYI.
> Trend is covering it in 170/970 and higher.
>
> -----Original Message-----
> From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED]] On Behalf Of Russ
> Sent: Sunday, November 25, 2001 7:08 PM
> To: [EMAIL PROTECTED]
> Subject: Alert: W32/BadTrans.B-mm
>
> We saw this rising on Friday and today found out that MessageLabs is
> seeing 400 copies/hour over the weekend (which is an extremely high volume
> of infected messages given it was the weekend):
>
> http://www.messagelabs.com/viruseye/report.asp?id=86
>
> We've talked about the potential of this delivery mechanism on NTBugtraq
> several times, but tomorrow those of you who manage email servers are
> likely going to find numerous copies in your mail stores (or users'
> inboxes).
>
> This thing exploits a vulnerability in some versions of Internet
> Explorer (see below) that was first fixed back in March of this year.
> The way these versions of IE handled certain MIME types allowed files to
> be delivered that would automatically execute when the email was opened
> (when using Outlook) or rendered in the Preview Pane (when using Outlook
> Express). It was subsequently used by Nimda in two of its propagation
> mechanisms (it used .eml and .nws files via HTML to deliver the MIME
> header, and also mass-mailed messages formed specifically to exploit
> this vulnerability).
>
> TruSecure's analysis of this over the weekend leads us to believe that a
> great many people must not have applied the patch, or other packages
> that deliver the patch. This should be considered carefully by anyone
> who thinks there's a reasonable amount of time within which people apply
> such patches: we're talking more than 6 months and 4 packages that
> contained the fix for each affected version, yet we still seem to be
> seeing this thing get considerable legs.
>
> Although this is a BadTrans variant, it has been repackaged (compressed)
> and as such probably requires an AV update to be detected. Most AV
> vendors should have updates available by the time you read this; check
> with them. Ultimately the message comes with a MIME Content-Type of
> "audio/x-wav", and a double extension (.doc.scr) ending in .scr or .pif.
> The attachment itself is a Win32 executable.
>
> If executed it will mass-mail itself, probably as replies to unread
> messages in your inbox. NTBugtraq posters may have already received some
> in response to their list messages (I have).
>
> See your AV vendor for more details.
>
> That done, take a minute to review the possible IE patch mechanisms
> described below. We predicted, when this vulnerability was first
> discovered, that this was going to be heavily exploited. Nimda's email
> component didn't seem to work very well (still unclear precisely why),
> but its web browser propagation certainly seemed effective. Now this
> BadTrans variant, and we will likely see more.
>
> If you cannot get your browsers to one of the unaffected versions for
> some reason other than time/manpower, drop me a note and let me know
> why. I'd like to understand what's preventing this vulnerability from
> going away.
>
> Notes:
> Microsoft Outlook Email Security Update, and Outlook 2002, can be
> configured to prevent email attachments from arriving in users' inboxes.
>
> IE Version Information:
>
> The vulnerability being exploited is described under:
>
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
> (read the following before applying the patch in MS01-020)
>
> IE 4.x's status is unknown, probably *not* vulnerable
>
> IE 5.01 prior to SP2 is vulnerable
> IE 5.01 SP2 is *not* vulnerable
>
> IE 5.5 prior to SP2 is vulnerable
> IE 5.5 SP2 and above is *not* vulnerable
>
> IE 6.0 is *not* vulnerable (see IE 6.0 caveat)
>
> IE 6.0 Caveat:
> Customers who are using Windows 95, 98, 98SE or ME, and choose to
> eliminate this vulnerability by upgrading from an affected version to IE
> 6 should ensure that they either perform a Full Install or Typical
> Install, as discussed in the FAQ.
>
> Anyone who is going to apply a patch to their system to address this
> vulnerability now should follow these guidelines, if possible:
>
> 1. Upgrade to IE 6.0 (see IE 6.0 caveat above)
>    http://www.microsoft.com/windows/ie/downloads/ie6/default.asp
>
> or
>
> 2. Apply the latest IE Service Pack for their version (this eliminates
>    the vulnerability)
>
>    IE 5.01 SP2
>    http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp
>    IE 5.5 SP2
>    http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp
>
>    then
>
>    Apply MS01-055
>    http://www.microsoft.com/technet/security/bulletin/MS01-055.asp
>
> or
>
> 3. Apply MS01-027
>    http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
>
>    (Note: MS01-027 supersedes MS01-020 and addresses the same
>    vulnerabilities, plus additional vulnerabilities discovered after
>    MS01-020)
>
>    (Note: You cannot apply MS01-051 or MS01-055 unless you have upgraded
>    to SP2 for IE 5.01 or IE 5.5, so it clearly makes sense to get SP2
>    installed and not apply MS01-027)
>
> or
>
> 4. Apply MS01-020
>    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
>    (Note: You cannot apply MS01-051 or MS01-055 unless you have upgraded
>    to SP2 for IE 5.01 or IE 5.5, so it clearly makes sense to get SP2
>    installed and not apply MS01-020)
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> "My thoughts are facts in my world, opinion to you. YMMV"
>
> List Charter and FAQ at:
> http://www.sunbelt-software.com/exchange_list_charter.htm
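For admins who want to sweep a mail store for copies before the AV signatures land, here is an added example (not part of the alert or the list's own tooling) that flags MIME parts matching the pattern Russ describes: an "audio/x-wav" Content-Type carrying a .scr/.pif name with a double extension, and a payload that starts with the "MZ" executable header. The sample message is constructed; the 62-byte padding after "MZ" only stands in for a real PE image.

```python
import base64
import email
from email import policy

# Executable extensions the alert names for the BadTrans.B attachment
EXEC_EXTS = (".scr", ".pif")

def suspicious_attachments(raw_message: bytes):
    """Return (filename, reasons) pairs for MIME parts matching the
    W32/BadTrans.B pattern from the alert: an audio/x-wav Content-Type,
    a name ending in .scr or .pif (typically a double extension such as
    .doc.scr), and a payload that is a Win32 executable ('MZ' header)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(EXEC_EXTS):
            reasons.append("executable extension")
            if name.count(".") >= 2:
                reasons.append("double extension")
            if part.get_content_type() == "audio/x-wav":
                reasons.append("audio/x-wav type on executable name")
        if payload[:2] == b"MZ":
            reasons.append("MZ header (Win32 executable)")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample message (not a real capture): the attachment payload
# mimics only the two-byte DOS header followed by padding.
FAKE_EXE = base64.b64encode(b"MZ" + b"\x90" * 62).decode()
SAMPLE = (
    "From: sender@example.org\r\n"
    "Subject: Re: your message\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="BND"\r\n\r\n'
    "--BND\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    "--BND\r\n"
    'Content-Type: audio/x-wav; name="README.DOC.scr"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="README.DOC.scr"\r\n'
    "\r\n" + FAKE_EXE + "\r\n--BND--\r\n"
).encode()

if __name__ == "__main__":
    for name, reasons in suspicious_attachments(SAMPLE):
        print(name, "->", ", ".join(reasons))
```

Point the function at each raw message pulled from the store; a hit on all three reasons is a strong candidate for quarantine rather than delivery.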
