I was sent 3 yesterday and so far today I've received 6. The last few today were the typical:
Hi, how are you?
I send you this file in order to have your advice
The others had a script attachment called "humor.mp3.scr"
Fortunately my virus scanner identified and stopped them all. If you have a virus scanner then I suggest you update it ASAP. These are all only sent via Outlook or Outlook Express. Why MS can't stop this crap is beyond me.
More info on this new virus here and REMOVAL instructions:
http://securityresponse.symantec.com/av ... .b@mm.html
Home users should not open any email that has an attachment in which the second extension is .pif or .scr. Any email that has such an attachment should be deleted.
highlights:
Due to the increased rate of submissions, Symantec Security Response has upgraded the threat level of this worm from level 3 to level 4 as of November 26, 2001.
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.
This worm arrives as an email with one of several attachment names and a combination of two appended extensions. It contains a set of bits that control its behavior:
001 Log every window text
002 Encrypt keylog
004 Send log file to one of its addresses
008 Send cached passwords
010 Shut down at specified time
020 Use copyname as registry name (else kernel32)
040 Use kernel32.exe as copyname
080 Use current filename as copypath (skips 100 check)
100 Copy to %system% (else copy to %windows%)
When it is first executed, it copies itself to %System% or %Windows% as Kernel32.exe, based on the control bits. Then it registers itself as a service process (Windows 9x/Me only). It creates the key log file \%System%\Cp_25389.nls and drops %System%\Kdll.dll which contains the key logging code.
NOTE: %Windows% and %System% are variables. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) or the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
The attachment name will be one of the following:
Pics
images
README
New_Napster_Site
news_doc
HAMSTER
YOU_are_FAT!
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
info
docs
Humor
fun
In all cases, MAPI will also be used to find unread mail to which the worm will reply. The subject will be "Re: ". In that case, the attachment name will be one of the following:
PICS
IMAGES
README
New_Napster_Site
NEWS_DOC
HAMSTER
YOU_ARE_FAT!
SEARCHURL
SETUP
CARD
ME_NUDE
Sorry_about_yesterday
S3MSONG
DOCS
HUMOR
FUN
In all cases, the worm will append two extensions. The first will be one of the following:
.doc
.mp3
.zip
The second extension that is appended to the file name is one of the following:
.pif
.scr
The resulting file name would look similar to CARD.Doc.pif or NEWS_DOC.mp3.scr.
Virus Alert!
- FlyingPenguin
- Flightless Bird
- Posts: 33161
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
This is a variant of the Sircam virus.
It is specifically designed to prey on newbies who still have their file settings set to "hide known file extensions".
If you have known extensions hidden, the attachment appears to be a non-threatening JPG, GIF, MP3 etc. because you can't see the .BAT, .EXE, .SCR or whatever the real extension is on the end of it that would tell you it's a program (and anyone who frequents this forum should know better than to run an unsolicited EXE or other program attachment without first virus scanning it).
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez


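The Symantec description quoted in the first post (the control bits and the "base name + decoy extension + .pif/.scr" naming rule) and FlyingPenguin's point about hidden known extensions, turned into runnable checks. This is an added example, not code from either poster or from Symantec. Assumptions: the KNOWN_EXTENSIONS set that stands in for Explorer's registered types, the file name kept when the 0x040 bit is clear (the write-up does not say), and the EXEC_EXTS set, which goes beyond the worm's own .pif/.scr to the other program extensions the thread mentions (.exe, .bat) plus .com. The sample file names are constructed.

```python
# Added example, not from the thread or from Symantec: Badtrans.B control-bit
# decoding, the attachment naming rule, and what Explorer displays when
# "hide known file extensions" is on. KNOWN_EXTENSIONS, the fallback copy name
# and EXEC_EXTS are assumptions for illustration; sample names are constructed.

# Control bits as listed in the Symantec write-up (the values are hex).
FLAGS = {
    0x001: "log every window text",
    0x002: "encrypt keylog",
    0x004: "send log file to one of its addresses",
    0x008: "send cached passwords",
    0x010: "shut down at specified time",
    0x020: "use copyname as registry name (else kernel32)",
    0x040: "use kernel32.exe as copyname",
    0x080: "use current filename as copypath (skips 0x100 check)",
    0x100: "copy to %system% (else copy to %windows%)",
}


def decode_flags(bits):
    """Descriptions of every set control bit, lowest value first."""
    return [desc for value, desc in sorted(FLAGS.items()) if bits & value]


def copy_target(bits, current_path, windows=r"C:\Windows", system=r"C:\Windows\System"):
    """Where the worm copies itself, following the bit semantics in the write-up.

    0x080 wins: the current path is reused and 0x100 is never consulted.
    Otherwise 0x100 selects %System% over %Windows%, and 0x040 names the copy
    Kernel32.exe. Keeping the original base name when 0x040 is clear is an
    assumption; the write-up does not say what name is used in that case.
    """
    if bits & 0x080:
        return current_path
    folder = system if bits & 0x100 else windows
    name = "Kernel32.exe" if bits & 0x040 else current_path.rsplit("\\", 1)[-1]
    return folder + "\\" + name


# Naming rule from the write-up: base name + decoy extension + executable extension.
BASE_NAMES = {
    "pics", "images", "readme", "new_napster_site", "news_doc", "hamster",
    "you_are_fat!", "stuff", "setup", "card", "me_nude", "sorry_about_yesterday",
    "info", "docs", "humor", "fun", "searchurl", "s3msong",
}
DECOY_EXTS = {".doc", ".mp3", ".zip"}
BADTRANS_EXEC = {".pif", ".scr"}
EXEC_EXTS = BADTRANS_EXEC | {".exe", ".bat", ".com"}  # assumed generalisation


def split_name(filename):
    """'CARD.Doc.pif' -> ('CARD', ['.doc', '.pif']); extensions are lowercased."""
    parts = filename.split(".")
    return parts[0], ["." + p.lower() for p in parts[1:]]


def classify_attachment(filename):
    """Return one of:
    'badtrans'          matches the full Badtrans.B naming rule
    'hidden_executable' a program extension sits behind at least one other extension
    'executable'        a bare program extension
    'ok'                anything else
    """
    base, exts = split_name(filename)
    if not exts or exts[-1] not in EXEC_EXTS:
        return "ok"
    if len(exts) == 1:
        return "executable"
    if (len(exts) == 2 and exts[-1] in BADTRANS_EXEC
            and exts[0] in DECOY_EXTS and base.lower() in BASE_NAMES):
        return "badtrans"
    return "hidden_executable"


# Assumed set of registered ("known") types for the display simulation.
KNOWN_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".doc", ".mp3", ".zip",
                    ".jpg", ".gif", ".txt"}


def displayed_name(filename, hide_known=True):
    """What Explorer shows with "Hide file extensions for known file types".

    Only the final extension is hidden, and only if it is a known type, which
    is exactly why 'CARD.Doc.pif' is displayed as the harmless-looking 'CARD.Doc'.
    """
    if not hide_known or "." not in filename:
        return filename
    stem, ext = filename.rsplit(".", 1)
    return stem if "." + ext.lower() in KNOWN_EXTENSIONS else filename


if __name__ == "__main__":
    # Constructed sample names: the two from the write-up and the one JaNus reported.
    for name in ("CARD.Doc.pif", "NEWS_DOC.mp3.scr", "AT0000.scr", "report.doc"):
        print(f"{name:20} shown as {displayed_name(name):14} -> {classify_attachment(name)}")
    print(decode_flags(0x14C))
    print(copy_target(0x140, r"C:\tmp\CARD.Doc.pif"))
```

The display simulation is the whole trick: with known extensions hidden, "CARD.Doc.pif" and a real "CARD.Doc" look identical in the attachment list, so the check has to be done on the full name, not on what the shell shows.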
- WeekendWarrior
- Golden Member
- Posts: 706
- Joined: Wed Nov 29, 2000 4:31 am
- Location: Canada
- Contact:
Yeah, I usually don't open attachments unless I know the person, and I scan them anyway.
What I am worried about is my kids are starting to get email and using MS Messenger.
Yesterday on a mailing list I am on, some new name showed up and the first thing they sent was 1 exe file and 1 doc file... I was suspicious and warned everyone right away, and sure enough they were viruses.
The guy who runs the list thinks someone is sending them to get him for something... sad really.
WW
- JaNus
- Goober Member
- Posts: 11
- Joined: Tue Nov 27, 2001 8:00 am
- Location: in every bite of Chips'O Hoy!
- Contact:
I received an e-mail today that I KNEW was a virus.
Here is what was within:
NEWS_DOCS.doc
AT0000.scr
--------------------------------
I didn't open the files; after I saw their names I deleted it, though, oddly timed, my system rebooted after closing Outlook Express... then WinXP was sluggish for the first minute after bootup (CPU usage was MAXED).
None of the TXT files on my computer seem affected though...
I don't have a virus scanner, as my McAfee says it won't support my OS; if anyone knows a way to get it to work I would appreciate it... And yes, I tried all the compatibility modes (POS).
God of gates, god of doorways, I may open the door, but only you can walk through it.
Why doesn't DOS ever say: EXCELLENT command or filename!
"The motherboard — that thin green square of plastic that holds the chips, connectors and slots inside your personal computer." -MSNBC
"CPU — that big, flat black square with hundreds of little copper pins that actually does all the calculations that makes a PC run. (Handle with care. If you bend any of those little pins, you’re in trouble.)" -MSNBC
Abit-KT7 Duron600@1000 1.85vcore GeForce2mx-200 32mb SDR AGP 512mb PC133 CAS2 4-way interleave
-JaNus
That IS a virus, JaNus. Ending in .scr is one of the new ones. Please see the above link for removal instructions, and go here for a free and good anti-virus:
http://www.grisoft.com/html/us_index.html
If they've temporarily stopped the free one (they do at times), then just get the free 30-day trial till the free one is available again. It works fine in XP also.
My wife tried opening one yesterday. She didn't realize it was a virus until she had already tried opening it!
I get home and she's like "Hon, I think I did a bad thing" lol. I have her set up on an XP machine with a basic user account; it seems like nothing took hold. NAV2k didn't find anything either. Funny thing is, I haven't had an anti-virus scanner installed in years (and never been infected). When I put XP on this machine, I had a feeling I should pop NAV on there just in case.
- JaNus
- Goober Member
- Posts: 11
- Joined: Tue Nov 27, 2001 8:00 am
- Location: in every bite of Chips'O Hoy!
- Contact:
I run ZoneAlarm Pro on my PC; it's a firewall, and I was looking through it and it has an e-mail quarantine that quarantines .scr and many other file types that viruses can commonly carry through, so I think I am safe as I haven't had any problems yet, just some odd coincidences.
There's another one that is a .exe and says in the message body that you just received the new demo of Quake 4. I think it's a trojan horse.
http://securityresponse.symantec.com/av ... .a@mm.html