hort.net Seasonal photo, (c) 2006 Christopher P. Lindsey, All Rights Reserved: do not copy
articles | gallery of plants | blog | tech blog | plant profiles | patents | mailing lists | top stories | links | shorturl service | tom clothier's archive0
Gallery of Plants
Tech Blog
Plant Profiles
Mailing Lists
    Search ALL lists
    Search help
    Subscription info
Top Stories
sHORTurl service
Tom Clothier's Archive
 Top Stories
New Trillium species discovered

Disease could hit Britain's trees hard

Ten of the best snowdrop cultivars

Plant protein database helps identify plant gene functions

Dendroclimatologists record history through trees

Potato beetle could be thwarted through gene manipulation

Hawaii expands coffee farm quarantine

Study explains flower petal loss

RSS story archive

New Virus /worm alert

  • Subject: [cg] New Virus /worm alert
  • From: Laura Berman <laura@foodshare.net>
  • Date: Tue, 27 Nov 2001 22:10:43 -0500

Hi Folks,
There's a new virus/worm out there which seems to be gaining  strength. I've
gotten it 4 times in the past 24 hours, the last one from Betsy Johnson (not
her fault!!).  I have a Mac so I don't think I'm being infected but you
never can tell.

What it looks like is this:
you get an email from someone you know, showing an attachment. The subject
line of some of my emails has just "Re:  " The email itself doesn't have any
thing on it other than a little dash or squiggle something in the first
position on the upper left of the page. On my Outlook Express it shows the
attachment but I can't get access to open it unless I  try to forward it.
When I do that it says something like "new MP3 files" or "New Napster" or
something else equally nebulous. Nothing shows up anywhere but the worm is
quietly burrowing in the background.

I've gone to the Norton Antivirus site and if you click on this link, you
can  too. It's long so you may have to paste it into your browser:

I've also pasted most of that page in below my signature.--the parts that I
understood, anyway

Notice I'm not telling you to forward this to everyone you know? That's a
sure sign that the alert is a hoax. This one isn't.

Good luck,

Laura Berman
FoodShare Toronto
T:(416) 392-1668
F: (416) 392-6650
E: laura@foodshare.net
W: www.foodshare.net

    Symantec Security Response

Name: W32.Badtrans.B@mm

Discovered on: November 24, 2001
Last Updated on: November 27, 2001 at 09:32:11 AM PST

Due to the increased rate of submissions, Symantec Security Response has
upgraded the threat level of this worm from level 3 to level 4 as of
November 26, 2001. 
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file
names. It also creates the file \Windows\System\Kdll.dll. It uses functions
from this file to log keystrokes.

Type: Worm 

Infection Length: 29,020 bytes

Virus Definitions: November 24, 2001

Threat Assessment: 
High     Damage: 
Low     Distribution:


*    Number of infections: More than 1000
*    Number of sites: 3 - 9
*    Geographical distribution: Low
*    Threat containment: Easy
*    Removal: Easy 


*    Payload: 
*    Large scale e-mailing: Uses MAPI commands to send email.
*    Compromises security settings: Installs keystroke logging Trojan horse.


*    Name of attachment: randomly chosen from preset list
*    Size of attachment: 29,020 bytes

Technical description:

This worm arrives as an email with one of several attachment names and a
combination of two appended extensions.

A timer is used to examine the currently open window once per second, and to
check for a window title that contains any of the following as the first
three characters:

*    LOG
*    PAS
*    REM
*    CON
*    TER
*    NET
These texts form the start of the words LOGon, PASsword, REMote, CONnection,
TERminal, NETwork. There are also Cyrillic versions of these same words in
the list. If any of these words are found, then the key logging is enabled
for 60 seconds. Every 30 seconds, the log file and the cached passwords are
sent to one of these addresses:

*    ZVDOHYIK@yahoo.com
*    udtzqccc@yahoo.com
*    DTCELACB@yahoo.com
*    I1MCH2TH@yahoo.com
*    WPADJQ12@yahoo.com
*    fjshd@rambler.ru
*    smr@eurosport.com
*    bgnd2@canada.com
*    muwripa@fairesuivre.com
*    rmxqpey@latemodels.com
*    eccles@ballsy.net
*    suck_my_prick@ijustgotfired.com
*    suck_my_prick4@ukr.net
*    thisisno_fucking_good@usa.com
*    S_Mentis@mail-x-change.com
*    YJPFJTGZ@excite.com
*    JGQZCD@excite.com
*    XHZJ3@excite.com
*    OZUNYLRL@excite.com
*    tsnlqd@excite.com
*    cxkawog@krovatka.net
*    ssdn@myrealbox.com
After 20 seconds, the worm will shut down if the appropriate control bit is

If RAS support is present on the computer, then the worm will wait for an
active RAS connection. When one is made, with a 33% chance, the worm will
search for email addresses in *.ht* and *.asp in %Personal% and Internet
Explorer %Cache%. If it finds addresses in these files, then it will send
mail to those addresses. The attachment name will be one of the following:

*    Pics
*    images
*    New_Napster_Site
*    news_doc
*    YOU_are_FAT!
*    stuff
*    SETUP
*    Card
*    Me_nude
*    Sorry_about_yesterday
*    info
*    docs
*    Humor
*    fun

In all cases, MAPI will also be used to find unread mail to which the worm
will reply. The subject will be "Re:". In that case, the attachment name
will be one of the following:

*    PICS
*    New_Napster_Site
*    SETUP
*    CARD
*    ME_NUDE
*    Sorry_about_yesterday
*    S3MSONG
*    DOCS
*    HUMOR
*    FUN

In all cases, the worm will append two extensions. The first will be one of
the following:

*    .doc
*    .mp3
*    .zip
The second extension that is appended to the file name is one of the

*    .pif
*    .scr
The resulting file name would look similar to CARD.Doc.pif or

If SMTP information can be found on the computer, then it will be used for
the From: field. Otherwise, the From: field will be one of these:

*    "Mary L. Adams" <mary@c-com.net>
*    "Monika Prado" <monika@telia.com>
*    "Support" <support@cyberramp.net>
*    " Admin" <admin@gte.net>
*    " Administrator" <administrator@border.net>
*    "JESSICA BENAVIDES" <jessica@aol.com>
*    "Joanna" <joanna@mail.utexas.edu>
*    "Mon S" <spiderroll@hotmail.com>
*    "Linda" <lgonzal@hotmail.com>
*    " Andy" <andy@hweb-media.com>
*    "Kelly Andersen" <Gravity49@aol.com>
*    "Tina" <tina0828@yahoo.com>
*    "Rita Tulliani" <powerpuff@videotron.ca>
*    "JUDY" <JUJUB271@AOL.COM>
*    " Anna" <aizzo@home.com>

Email messages use the malformed MIME exploit to allow the attachment to
execute in Microsoft Outlook without prompting. For information on this, go


Removal instructions:

To remove this worm, follow the instructions for your operating system.

Basic instructions

Windows 95/98/Me

1. Restart Windows in Safe Mode
2. Run Norton AntiVirus and delete all files that are detected as
3. Remove the value that it added to the registry.
For detailed instructions, see the sections that follow.

Windows NT/2000

1. Rename the file Kernel32.exe.
2. Remove the value added to the registry.
3. Restart the computer.
4. Run Norton AntiVirus and delete all files that are detected as
For detailed instructions, see the sections that follow.

Detailed instructions

To restart 95/98/Me in Safe mode:
For instructions, read the document How to restart Windows 9x or Windows Me
in Safe Mode.

To Rename the file Kernel32.exe under Windows NT/2000

1. Click Start, point to Find or Search, and click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders is
3. In the "Named" or "Search for..." box, type the following:


CAUTION: Make sure that you type the full name as shown. You must rename the
Kernel32.exe file, not the legitimate Windows file Kernel32.dll

4. Click Find Now or Search Now.
5. Right-click the file that is displayed and then click Rename.
6. Rename the file to Kernel32.old and press Enter.
7. Close the Find or Search window.
8. Restart the computer.

To run Norton AntiVirus and delete detected files:

CAUTION: Make sure that you are in Safe mode (Windows 95/98/Me) or have
already renamed the Kernel32.exe file (Windows NT/2000).

1. Run LiveUpdate to make sure that you have the most recent virus
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before
you make any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys that are specified. Please see the document How to back up the
Windows registry before you proceed. This document is available from the
Symantec Fax-on-Demand system. In the U.S. and Canada, call (541)984-2490,
select option 2, and then request document 927002.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:


4. In the right pane, delete the following value:

Kernel32  kernel32.exe

5. Click Registry, and then click Exit.

Additional information:


*    Corporate email filtering systems should block all email that have
attachments with the extensions .scr and .pif.
*    Home users should not open any email that has an attachment in which
the second extension is .pif or .scr. Any email that has such an attachment
should be deleted.


Write-up by: Peter Ferrie

The American Community Gardening Association listserve is only one of ACGA's services to community gardeners. To learn more about the ACGA and to find out how to join, please go to http://www.communitygarden.org

To post an e-mail to the list:  community_garden@mallorn.com

To subscribe, unsubscribe or change your subscription:  https://secure.mallorn.com/mailman/listinfo/community_garden

 © 1995-2017 Mallorn Computing, Inc.All Rights Reserved.
Our Privacy Statement
Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index