Since my recent mail to the group, I've received two bogus mails from
list members, containing a mail worm entrained as an audio attachment,
29kB long. One from Ed Weick, one from SKWalker. I suspect this indicates
a much wider distribution, as the mails are sent randomly. As usual,
this is a u$-only infection, and works on braindead mail programs
which automatically run attachments. As I'm running linux/VMS, I'm
immune, but the site security screen picked up the problem; I've
attached their advisory:

                                                 -PV 


---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 10:56:40 -0800
From: Computing Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Peter Vincent <[EMAIL PROTECTED]>
Subject: Badtrans virus

Currently there is a Windows virus "Badtrans" spreading
on the Internet. Some TRIUMF users may be vulnerable, either
at TRIUMF or at home.

VirusScan and other McAfee products with DAT files 4168 
will detect this as W32/Badtrans@MM . "check compressed files" 
may have to be enabled to see it in mail.

The AVP scan on trmail may detect this virus in incoming
mail as I-Worm.BadtransII, in which case you will see
a message "ALARM ! Virus found in message to you". This
message contains the original live virus and should usually
be deleted.

McAfee:
http://vil.nai.com/vil/virusSummary.asp?virus_k=99069

TRIUMF PC support antivirus page:
http://www.triumf.ca/pcgroup/pcsupport/virussubscr.html

Unix and Linux users are immune. The virus appears as
an attached WAV audio file which may harmlessly play over the sound system
as a short hiss/squeak.

I have had several copies sent to me at home, and AVP
has detected several at TRIUMF. The subject
is "Re:" and the sender address seems to have an underscore
added e.g. "NetCom Services, Inc" <[EMAIL PROTECTED]>

On recent HTML-aware mail tools the virus may appear as an HTML 
page with an inline frame containing the virus. This means
that it can infect the system without the user clicking an
attachment. Some tools may automatically advance to
"next message" or open the first unread message automatically,
causing immediate infection.

For instance:
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;

Content-Type: text/html;
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

Content-Type: audio/x-wav;
         name="Humor.MP3.scr"   (may be different)
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
(virus here)

Other new viruses may appear which exploit this
problem - basically the way in which Windows will (still)
execute untrusted code with certain suffixes. The
browser says "it's a WAV audio file; I'll give it to the
system to handle" and the system says "it's an
.SCR (or .PIF etc.) file; I'll execute it! And the
user doesn't want to see that confusing '.scr' suffix,
so I'll just display 'Humor.MP3', making him think
it's an MPEG audio file."

Andrew Daviel
[EMAIL PROTECTED]


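The advisory above describes the structure of the mail (a multipart/related message whose HTML body carries a zero-size iframe pointing at a cid: part that is declared as audio/x-wav but named with an executable suffix). The following is an added example, not code from the original post or from TRIUMF or McAfee, that scans a MIME message for exactly that pattern. The sample messages are constructed here for illustration and contain only placeholder bytes; the list of executable suffixes beyond .scr and .pif is an assumption added for breadth.

```python
"""Flag Badtrans-style MIME messages: an HTML body whose <iframe src="cid:...">
references a part with a non-executable declared Content-Type (e.g. audio/x-wav)
but a filename ending in a suffix Windows will execute.

Added example, not code from the original post or from TRIUMF/McAfee.
"""
import email
import re
from email import policy

# Suffixes Windows executes regardless of the declared MIME type. The advisory
# names .scr and .pif; the others are well-known executable suffixes added here
# as an assumption for breadth.
EXEC_EXTENSIONS = (".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js")

# Matches <iframe ... src=cid:XYZ ...> with or without quotes around the URL.
IFRAME_CID_RE = re.compile(
    r"""<iframe[^>]*\bsrc\s*=\s*['"]?cid:([^'"\s>]+)""", re.IGNORECASE)


def iframe_cids(html):
    """Return the set of Content-IDs referenced by <iframe src="cid:..."> tags."""
    return {m.group(1).strip("<>") for m in IFRAME_CID_RE.finditer(html)}


def find_suspicious_parts(raw):
    """Return a list of (content_id, filename, declared_type) for every part that
    is both referenced by an iframe and carries an executable filename suffix."""
    msg = email.message_from_string(raw, policy=policy.default)
    referenced = set()
    parts_by_cid = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable encoding ("=3D" -> "=")
            # so the regex sees the HTML the mail client would render.
            referenced |= iframe_cids(part.get_content())
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[cid.strip("<>")] = part
    findings = []
    for cid in sorted(referenced):
        part = parts_by_cid.get(cid)
        if part is None:
            continue
        # get_filename() falls back to the Content-Type "name=" parameter,
        # which is where the advisory's sample carries "Humor.MP3.scr".
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXTENSIONS):
            findings.append((cid, name, part.get_content_type()))
    return findings


# Constructed sample modelled on the advisory's fragment; the base64 body is
# the word "placeholder", not a real payload.
SAMPLE = """Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--XYZ
Content-Type: audio/x-wav; name="Humor.MP3.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

cGxhY2Vob2xkZXI=

--XYZ--
"""

# Constructed benign message: same structure, but the referenced part really is
# a .wav file, so it must not be flagged.
BENIGN = SAMPLE.replace('name="Humor.MP3.scr"', 'name="ringtone.wav"')

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, find_suspicious_parts(raw))
```

The check deliberately keys on the combination (iframe reference plus executable suffix) rather than on the declared Content-Type alone, since the advisory's point is that the declared type is what the browser trusts and the suffix is what the system acts on; a gateway filter that only inspects Content-Type would pass this message.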