Delivered-To: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 04 Dec 2001 12:50:13 -0500
To: "John M. Bennett" <[EMAIL PROTECTED]>
From: "Deborah A. Cameron" <[EMAIL PROTECTED]>
Subject: Re: Fwd: FLUXLIST: Dealing with Badtrans.B
John,
well, McAfee's upped the alert status for this Badtrans virus to "medium/high". They're getting more reports of folks getting infected with it. The good news is that our McAfee will catch and disable it. Also good news (for us) is that this virus hits Microsoft Outlook, an email program we don't use here (and part of that reasoning is the virus load it attracts). Eudora seems "immune" to it.
see: http://vil.mcafee.com/dispVirus.asp?virus_k=99069&
for more info.
Thanks for the heads up!
Deb
At 09:05 AM 12/4/2001 -0500, you wrote:
Deb:
I've rec'd several messages from 2 listservs I'm on that seem to have contained this virus - it also appears that McAfee stopped them, but what do I know?
John
Delivered-To: [EMAIL PROTECTED]
X-Authentication-Warning: scribble.com: majordom set sender to [EMAIL PROTECTED] using -f
From: "wayfarers" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: FLUXLIST: Dealing with Badtrans.B
Date: Tue, 4 Dec 2001 13:23:44 -0000
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-URL: http://www.fluxus.org/FLUXLIST
Seems like a few people on this list may have become lucky recipients of the
badtrans virus, which is doing the rounds at the moment. I thought my
computer had been infected with it last week. As it turned out, it hadn't
been - I'd stopped the virus code running, more by luck than by judgement.
But at least it made me do some research on finding/recognising and getting
rid of badtrans. Thought it might be useful to post up the info I've been
sent by a more computer-literate friend, especially as badtrans can run
automatically even if you don't open the attachment (a nasty trick!). The
good news is that it's relatively easy to deal with. Hope this helps.
Philip Kane
Badtrans.B is widespread at the moment. It is spread via an attachment that
runs automatically on machines that don't have a critical update* from
Microsoft installed (in this case you don't have to open the attachment for
the virus code to run). On infected machines the virus can e-mail itself to
addresses taken from post in your inbox. Below are disinfection instructions
and below that links to some anti-virus site descriptions of this virus.
* See below for getting all these updates, or for this specific vulnerability
see:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
A) Disinfection instructions in brief (more detailed version below):
==================================================
1. Delete infected mail on your machine.
2. Start up or reboot computer into Safe Mode.
3. Find and delete files with the names kdll.dll, kernel32.exe, kern.exe,
inetd.exe.
4. Restart computer.
5. (Optional) Remove registry start-up entry.
6. Check your virus checker is up to date - run it and check all files.
7. Check Microsoft critical updates are installed.
8. Windows Millennium users should clean System Restore.
B) Disinfection instructions In more detail:
================================
1. This depends on the software you are using. Any e-mails whose attachments
have two extensions should be deleted (e.g. ones that look similar to
CARD.Doc.pif or NEWS_DOC.mp3.scr). Remember to empty your Deleted Items or
Trash folder afterwards.
2. To restart in Safe Mode, close your machine down, then press and hold down
the F8 key immediately as you start it up again. You should see a menu;
select Safe Mode from the menu.
3. To use Find (Search in Windows ME), click on the Start button. Select Find
(Search) and Files or Folders... . In the dialog type in the name of the
file you are searching for, e.g. kdll.dll, and make sure the search is on the
hard drive(s) of your machine (usually drive C:). Right click on any
instances of these files and select Delete. Delete all files named kdll.dll,
kernel32.exe, kern.exe, inetd.exe. Remember to empty your Recycle Bin
afterwards.
4. Restart computer in normal mode
5. Optional. CAUTION: This step should only be carried out by people who
know how to back up and restore the registry. It is not an essential step
and incorrect changes made to the registry could cause serious problems - so
if you don't know how to do this then don't try. Otherwise, using Run on the
Start menu, run regedit. This is the Registry Editor. Find the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. In the
right pane delete the value kernel32 (kernel32.exe). Close it down when
finished.
6. The virus should now be removed. Update your virus checker with the most
up-to-date anti-virus definitions and run your virus checker to check
the virus has been fully removed from your machine. If any infected files
show then remove them - if need be repeat steps above.
7. Install the various critical updates from Microsoft. The virus exploits
vulnerabilities in Internet Explorer/Windows - the updates stop this. Go
here:
http://windowsupdate.microsoft.com/
click on the PRODUCT UPDATES link. It will run a quick check on your system
and tell you which updates you need to install. Follow the instructions. It
may take a while to download updates - depends how many there are.
8. Windows Millennium has a back up and restore facility. It is necessary to
ensure that this hasn't also been infected.
In short: First Disable System Restore, restart the computer in Safe Mode,
run your virus checker and remove any viruses, restart the computer
normally, then re-enable the Restore Utility.
In detail, to disable System Restore: Right click My Computer on the desktop,
Click Properties, Select Performance Tab, Click on File System... button,
click on Troubleshooting, put a checkmark next to "Disable System Restore",
Close the dialogs. Now restart in safe mode and run virus checker. Restart
the computer and re-enable restore by following the above procedure and
removing the checkmark next to Disable System restore.
C) Useful anti-virus links:
===================
McAfee Antivirus site
http://vil.nai.com/vil/virusSummary.asp?virus_k=99069
Norton AntiVirus:
http:[EMAIL PROTECTED]
Trend Micro Anti-virus
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B
If you don't have anti-virus software you can use this on-line virus checker
(takes ages to run but it does work):
http://housecall.antivirus.com/
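The three checks in the forwarded instructions (steps 1, 3 and 5: double-extension attachments, the dropped files, and the RunOnce entry) can be scripted. What follows is an added example and not code from the mailing-list message or from any anti-virus vendor. It assumes only the indicators the post itself gives (kdll.dll, kernel32.exe, kern.exe, inetd.exe, and the RunOnce value "kernel32" = "kernel32.exe"); the attachment names, the temporary directory tree and the .reg text are constructed for the demo, and the list of executable extensions is illustrative rather than complete.

```python
"""Checks for the Badtrans.B indicators named in the post above.

Added example, not code from the original mailing-list message. It assumes
the indicators the post gives (dropped files kdll.dll, kernel32.exe, kern.exe,
inetd.exe; RunOnce value "kernel32" = "kernel32.exe"; attachments with a
double extension such as CARD.Doc.pif). The sample attachment names, the
temporary directory tree and the .reg text are constructed for the demo.
"""
import os
import re
import tempfile

# Final extensions Windows executes on double-click. Assumption: an illustrative
# list for the demo, not a complete one.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "lnk"}

# Files the post says the worm drops. The legitimate system file is kernel32.dll,
# so a kernel32.exe is itself a sign of the worm rather than a false positive.
DROPPED_FILES = {"kdll.dll", "kernel32.exe", "kern.exe", "inetd.exe"}

RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def is_suspicious_attachment(name):
    """Step 1 of the post: flag attachment names carrying two (or more) extensions
    where the final one is executable, e.g. CARD.Doc.pif or NEWS_DOC.mp3.scr.
    A plain setup.exe has one extension and is left to the virus checker."""
    parts = name.strip().lower().split(".")
    # parts[0] is the base name; every later element is an extension.
    extensions = [p for p in parts[1:] if p]
    return len(extensions) >= 2 and extensions[-1] in EXECUTABLE_EXTS


def find_dropped_files(root):
    """Step 3 of the post: walk root and return every path whose file name matches
    one of the worm's dropped files (Windows file names are case-insensitive)."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for filename in files:
            if filename.lower() in DROPPED_FILES:
                hits.append(os.path.join(dirpath, filename))
    return sorted(hits)


def runonce_indicators(reg_text):
    """Step 5 of the post, done on a regedit export instead of the live registry:
    return (value name, data) pairs under RunOnce that launch kernel32.exe."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUNONCE_KEY.lower():
            continue
        match = re.match(r'"([^"]+)"="(.*)"$', line)
        if match and "kernel32.exe" in match.group(2).lower():
            hits.append((match.group(1), match.group(2)))
    return hits


# Constructed .reg text standing in for a regedit export from an infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32"="kernel32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\update.exe"
"""


def demo_scan():
    """Build a throwaway directory tree with two dropped files and one legitimate
    program, scan it, and return the matching base names."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "WINDOWS", "SYSTEM")
        os.makedirs(sysdir)
        for name in ("KERNEL32.EXE", "kdll.dll", "notepad.exe"):
            with open(os.path.join(sysdir, name), "wb"):
                pass
        return [os.path.basename(p) for p in find_dropped_files(root)]


if __name__ == "__main__":
    for attachment in ("CARD.Doc.pif", "NEWS_DOC.mp3.scr", "report.doc", "setup.exe"):
        verdict = "suspicious" if is_suspicious_attachment(attachment) else "ok"
        print(attachment, "->", verdict)
    print("dropped files found:", demo_scan())
    print("RunOnce indicators:", runonce_indicators(SAMPLE_REG))
```

The registry check reads an exported .reg file rather than the live hive so it runs on any machine, including the Windows 9x/ME systems the post addresses, which have no scripting host a modern tool could rely on; on the infected machine itself the post's regedit steps still apply. A clean result from these three checks is not a clean bill of health: step 6 (a full scan with current definitions) and step 7 (installing the MS01-020 update so the attachment can no longer auto-run) are what actually close the hole.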