From: Rick Morel (no email)
Date: Sat Dec 01 2001 - 20:12:55 EST
At 01:12 PM 12/1/2001 -0500, you wrote:
>
><HTML><HEAD></HEAD><BODY bgColor=#ffffff>
><iframe src=cid:EA4DMGBP9p height=0 width=0>
></iframe></BODY></HTML>Content-Type: audio/x-wav;
> name="SEARCHURL.MP3.pif"
>Content-ID: <EA4DMGBP9p>
>
>Attachment Converted: C:\Email\Rick\attach\SEARCHURL.MP3.pif
Hi Maurice,
You've got the Badtrans worm. Below is info on it and how to get rid of it.
I'm sending this to the list as well. An FYI, if the sender has a "_" before
the address, it's going to be the worm. In Maurice's case it was From:
"Maurice Sabourin" <>
I guess the %@#$@#$@#@$ that wrote it put it there so if one has something
like "" in their address list they won't get alerted by the bounce.
Rick
Badtrans is back, but don't panic
By Chris Lee [26-11-2001]
A new variant of the damaging Badtrans internet worm has
emerged over the weekend, prompting security experts to
remind IT managers to update antivirus software and warn
staff to look out for suspicious attachments.
Security specialist McAfee said that the 'B' variant of the
W32/Badtrans@MM worm, or Badtrans.b, is a mass-mailing
internet worm, like the Melissa and Lovebug viruses before
it, that attempts to send itself using Microsoft Outlook by
replying to unread emails.
Badtrans first surfaced in April. When executed, it drops a
remote access Trojan, or RAT, into the user's Windows
directory, which attempts to mail the victim's internet
protocol (IP) address to the author.
David Emm, product marketing manager for McAfee, which
has been tracking the new-variant virus for about a month,
said that the subject and body text may vary, but will come
with an attachment that is 13,312 bytes in length and will
take a number of forms including the following:
S3MSONG.DOC.scr
Pics.DOC.scr
HUMOR.MP3.scr
Sorry_about_yesterday.MP3.pif
README.MP3.scr
ME_NUDE.MP3.scr
fun.MP3.pif
NEWS_DOC.DOC.scr
docs.DOC.pif
images.DOC.pif
HAMSTER.DOC.pif
SEARCHURL.MP3.pif
Here's an update from Microsoft:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
And finally, here's how to fix it:
http://securityresponse.symantec.com/avcenter/venc/data/
moval.tool.html
You might want to print the page. Click on
http://securityresponse.symantec.com/avcenter/FixBadtr.exe
to download.
Manual Removal Instructions
WINDOWS 95/98/ME
Restart Windows in Safe Mode (reboot your computer,
just before the large WINDOWS startup screen comes up, hit the F5
key). You can recognize that you're in Safe Mode by
the text Safe Mode in the 4 corners of the desktop.
Click START | RUN, type %WINDIR% and hit ENTER
Delete the INETD.EXE file (if present)
Click START | RUN, type %WINDIR%\SYSTEM and hit ENTER
Delete the following files (if they exist):
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUNONCE
Click on KERNEL32 on the right and hit DELETE on the
keyboard
Restart the computer
--------------------
S/V Final Step
Port of Iberia, LA
http://www.morelr.com/coronado/
___________________________________________________________________________
|| The Live-Aboard List : send a "subscribe" or "unsubscribe" request ||
|| in body of message to: ||
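
Added example, not part of the original post or of any vendor tool: a Python check for the indicators mentioned above (a .scr/.pif attachment behind a .DOC/.MP3 decoy extension, a non-application Content-Type on it, an HTML iframe pointing at its Content-ID, the 13,312-byte length, and a sender address starting with "_"). The sample message, its sender address and its zero-byte payload are constructed; the function and indicator names are this example's own.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = (".scr", ".pif")   # final extensions in the article's attachment list
DECOY_EXT = (".doc", ".mp3")  # harmless-looking extension placed before them
WORM_SIZE = 13312             # attachment length quoted in the article
IFRAME_CID = re.compile(r"<iframe[^>]+src=[\"']?cid:([^\s\"'>]+)", re.I)

def inspect(raw):
    """Return the indicators described in the post that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits, cids = [], set()
    for part in msg.walk():  # collect Content-IDs that an HTML iframe points at
        if part.get_content_type() == "text/html":
            cids.update(IFRAME_CID.findall(part.get_content()))
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXEC_EXT):
            continue
        if name.rpartition(".")[0].endswith(DECOY_EXT):
            hits.append("double-extension")
        if part.get_content_maintype() != "application":
            hits.append("type-mismatch")  # e.g. audio/x-wav naming a .pif
        if (part.get("Content-ID") or "").strip().strip("<>") in cids:
            hits.append("iframe-references-attachment")
        if len(part.get_payload(decode=True) or b"") == WORM_SIZE:
            hits.append("size-13312")
    if parseaddr(str(msg.get("From", "")))[1].startswith("_"):
        hits.append("underscore-sender")
    return hits

def build_sample():
    """Constructed message shaped like the quoted one; the payload is zero bytes."""
    m = EmailMessage()
    m["From"] = '"Constructed Sender" <_user@example.invalid>'
    m["Subject"] = "Re: constructed sample"
    m.set_content("<HTML><BODY><iframe src=cid:EA4DMGBP9p height=0 width=0>"
                  "</iframe></BODY></HTML>", subtype="html")
    m.add_related(b"\x00" * WORM_SIZE, maintype="audio", subtype="x-wav",
                  cid="<EA4DMGBP9p>", filename="SEARCHURL.MP3.pif")
    return m.as_bytes()

if __name__ == "__main__":
    print(inspect(build_sample()))
```

Any single hit is only a hint; the size and underscore checks in particular are specific to this variant as described in the post.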