New Virus /worm alert
- Subject: [cg] New Virus /worm alert
- From: Laura Berman <email@example.com>
- Date: Tue, 27 Nov 2001 22:10:43 -0500
There's a new virus/worm out there which seems to be gaining strength. I've
gotten it 4 times in the past 24 hours, the last one from Betsy Johnson (not
her fault!!). I have a Mac so I don't think I'm being infected but you
never can tell.
What it looks like is this:
you get an email from someone you know, showing an attachment. The subject
line of some of my emails has just "Re: " The email itself doesn't have any
thing on it other than a little dash or squiggle something in the first
position on the upper left of the page. On my Outlook Express it shows the
attachment but I can't get access to open it unless I try to forward it.
When I do that it says something like "new MP3 files" or "New Napster" or
something else equally nebulous. Nothing shows up anywhere but the worm is
quietly burrowing in the background.
I've gone to the Norton Antivirus site and if you click on this link, you
can too. It's long so you may have to paste it into your browser:
I've also pasted most of that page in below my signature.--the parts that I
Notice I'm not telling you to forward this to everyone you know? That's a
sure sign that the alert is a hoax. This one isn't.
F: (416) 392-6650
Symantec Security Response
Discovered on: November 24, 2001
Last Updated on: November 27, 2001 at 09:32:11 AM PST
Due to the increased rate of submissions, Symantec Security Response has
upgraded the threat level of this worm from level 3 to level 4 as of
November 26, 2001.
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file
names. It also creates the file \Windows\System\Kdll.dll. It uses functions
from this file to log keystrokes.
Infection Length: 29,020 bytes
Virus Definitions: November 24, 2001
* Number of infections: More than 1000
* Number of sites: 3 - 9
* Geographical distribution: Low
* Threat containment: Easy
* Removal: Easy
* Large scale e-mailing: Uses MAPI commands to send email.
* Compromises security settings: Installs keystroke logging Trojan horse.
* Name of attachment: randomly chosen from preset list
* Size of attachment: 29,020 bytes
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions.
A timer is used to examine the currently open window once per second, and to
check for a window title that contains any of the following as the first
These texts form the start of the words LOGon, PASsword, REMote, CONnection,
TERminal, NETwork. There are also Cyrillic versions of these same words in
the list. If any of these words are found, then the key logging is enabled
for 60 seconds. Every 30 seconds, the log file and the cached passwords are
sent to one of these addresses:
After 20 seconds, the worm will shut down if the appropriate control bit is
If RAS support is present on the computer, then the worm will wait for an
active RAS connection. When one is made, with a 33% chance, the worm will
search for email addresses in *.ht* and *.asp in %Personal% and Internet
Explorer %Cache%. If it finds addresses in these files, then it will send
mail to those addresses. The attachment name will be one of the following:
In all cases, MAPI will also be used to find unread mail to which the worm
will reply. The subject will be "Re:". In that case, the attachment name
will be one of the following:
In all cases, the worm will append two extensions. The first will be one of
The second extension that is appended to the file name is one of the
The resulting file name would look similar to CARD.Doc.pif or
If SMTP information can be found on the computer, then it will be used for
the From: field. Otherwise, the From: field will be one of these:
* "Mary L. Adams" <firstname.lastname@example.org>
* "Monika Prado" <email@example.com>
* "Support" <firstname.lastname@example.org>
* " Admin" <email@example.com>
* " Administrator" <firstname.lastname@example.org>
* "JESSICA BENAVIDES" <email@example.com>
* "Joanna" <firstname.lastname@example.org>
* "Mon S" <email@example.com>
* "Linda" <firstname.lastname@example.org>
* " Andy" <email@example.com>
* "Kelly Andersen" <Gravity49@aol.com>
* "Tina" <firstname.lastname@example.org>
* "Rita Tulliani" <email@example.com>
* "JUDY" <JUJUB271@AOL.COM>
* " Anna" <firstname.lastname@example.org>
Email messages use the malformed MIME exploit to allow the attachment to
execute in Microsoft Outlook without prompting. For information on this, go
To remove this worm, follow the instructions for your operating system.
1. Restart Windows in Safe Mode
2. Run Norton AntiVirus and delete all files that are detected as
3. Remove the value that it added to the registry.
For detailed instructions, see the sections that follow.
1. Rename the file Kernel32.exe.
2. Remove the value added to the registry.
3. Restart the computer.
4. Run Norton AntiVirus and delete all files that are detected as
For detailed instructions, see the sections that follow.
To restart 95/98/Me in Safe mode:
For instructions, read the document How to restart Windows 9x or Windows Me
in Safe Mode.
To Rename the file Kernel32.exe under Windows NT/2000
1. Click Start, point to Find or Search, and click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders is
3. In the "Named" or "Search for..." box, type the following:
CAUTION: Make sure that you type the full name as shown. You must rename the
Kernel32.exe file, not the legitimate Windows file Kernel32.dll
4. Click Find Now or Search Now.
5. Right-click the file that is displayed and then click Rename.
6. Rename the file to Kernel32.old and press Enter.
7. Close the Find or Search window.
8. Restart the computer.
To run Norton AntiVirus and delete detected files:
CAUTION: Make sure that you are in Safe mode (Windows 95/98/Me) or have
already renamed the Kernel32.exe file (Windows NT/2000).
1. Run LiveUpdate to make sure that you have the most recent virus
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before
you make any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys that are specified. Please see the document How to back up the
Windows registry before you proceed. This document is available from the
Symantec Fax-on-Demand system. In the U.S. and Canada, call (541)Ý984-2490,
select option 2, and then request document 927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
4. In the right pane, delete the following value:
5. Click Registry, and then click Exit.
* Corporate email filtering systems should block all email that have
attachments with the extensions .scr and .pif.
* Home users should not open any email that has an attachment in which
the second extension is .pif or .scr. Any email that has such an attachment
should be deleted.
Write-up by: Peter Ferrie
The American Community Gardening Association listserve is only one of ACGA's services to community gardeners. To learn more about the ACGA and to find out how to join, please go to http://www.communitygarden.org
To post an e-mail to the list: email@example.com
To subscribe, unsubscribe or change your subscription: https://secure.mallorn.com/mailman/listinfo/community_garden