View Full Version : New Virus


TomPitt
11-25-2001, 06:42 PM
VIRUS NAME:
W32.Badtrans.B@mm

Discovered on: November 24, 2001

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.

Type: Worm

Damage:

Payload:
Large scale e-mailing: Sends email from addresses found in the default MAPI program.

Compromises security settings: Installs keystroke logging Trojan.

Technical description:

This worm arrives as an email with one of several attachment names and a combination of two appended extensions.

The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the following:
.pif
.scr

The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:
1. Corporate email filtering systems should block all emails that have attachments with the extensions .scr and .pif.

2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.
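
A defender's check for the two indicators in the write-up above (the decoy-plus-executable attachment names and the RunOnce registry value), written in Python as an added example for this thread; it is not Symantec's or the poster's code. The name and extension lists and the registry key are taken from the post as quoted; the mail message and the .reg export the functions scan are constructed samples, and the verdict strings are my own naming.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators copied from the W32.Badtrans.B@mm write-up quoted in the thread.
BADTRANS_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD",
                  "SEARCHURL", "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
FIRST_EXT = {".doc", ".mp3", ".zip"}      # decoy extension
EXEC_EXT = {".pif", ".scr"}               # real, executable extension
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def classify_attachment(filename):
    """Return (verdict, reason) for an attachment file name.

    Implements prevention method 1 from the write-up (block every .scr/.pif
    attachment, whatever decoy extension sits in front of it) and additionally
    names the exact Badtrans.B pattern when stem and both extensions match.
    """
    stem, *exts = filename.strip().split(".")
    exts = ["." + e.lower() for e in exts]
    if not exts or exts[-1] not in EXEC_EXT:
        return ("allow", "")
    if stem.upper() in BADTRANS_NAMES and len(exts) == 2 and exts[0] in FIRST_EXT:
        return ("block", "matches W32.Badtrans.B@mm naming pattern")
    return ("block", "executable attachment extension " + exts[-1])


def scan_message(raw_message):
    """Walk every MIME part of an RFC 822 message and classify each attachment.

    Returns a list of (filename, verdict, reason) tuples.
    """
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            verdict, reason = classify_attachment(name)
            findings.append((name, verdict, reason))
    return findings


def find_runonce_indicator(reg_export):
    """Scan the text of a .reg export for the Kernel32=kernel32.exe RunOnce
    value the write-up says the worm adds. Returns the matching value paths."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUNONCE_KEY.lower():
            continue
        m = re.match(r'"(?P<name>[^"]+)"="(?P<data>[^"]*)"', line)
        if m and m["name"].lower() == "kernel32" and m["data"].lower().endswith("kernel32.exe"):
            hits.append(current_key + "\\" + m["name"])
    return hits


# Constructed sample message (not a real capture): the attachment shape the write-up describes.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/octet-stream; name="CARD.DOC.PIF"
Content-Disposition: attachment; filename="CARD.DOC.PIF"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

# Constructed .reg export: the RunOnce value from the write-up plus one benign Run value.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding)
    print(find_runonce_indicator(SAMPLE_REG_EXPORT))
```

The attachment check deliberately keys on the last extension rather than the full name list: the write-up's own prevention advice is to block every .scr and .pif attachment at the gateway, and the name match is only reported as a more specific reason. The registry check reads a `reg export` text file so it can be run on a copy taken from a suspect machine without touching the live registry.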

TomPitt
11-25-2001, 06:45 PM
Oops...

I wanted to post this in Shane's thread ;)
http://bbs.adultwebmasterinfo.com/ultimatebb.cgi?ubb=get_topic&f=1&t=011097

ragnar
11-25-2001, 07:10 PM
you should check the site of Symantec a few times a month, this stuff is already 2 months old.

evildick
11-25-2001, 07:25 PM
I got that one this morning. Unfortunately I didn't have all the security updates installed on the computer I was using at the time. (Could have sworn I already got them from windows update, but I guess I was wrong).

Anyway, I know enough not to click on attachments, but this sucker autoinstalled because I didn't have the critical updates installed. What a pain in the ass.

Lord knows how many people I sent it out to this morning. Got it taken care of quickly, but I'm sure everyone in my email folders received a copy courtesy of me.

Needless to say:
EVERYONE VISIT WINDOWSUPDATE.MICROSOFT.COM and get the critical updates so you don't get burned by an autoinstalling virus.

[Dan]
11-25-2001, 09:20 PM
Originally posted by ragnar:
you should check the site of Symantec a few times a month, this stuff is already 2 months old.

Yeah right, you found a virus 2 months before Symantec..

copland
11-25-2001, 09:30 PM
I keep getting emails from people with girls' names. The email address always starts with an underscore, subject is "re:", completely blank email, with a 0-byte text file attachment.

It can't be destructive if it's a blank text file, but all the same, it's pretty weird!

TomPitt
11-25-2001, 10:09 PM
Originally posted by copland:
I keep getting emails from people with girls' names. The email address always starts with an underscore, subject is "re:", completely blank email, with a 0-byte text file attachment.

It can't be destructive if it's a blank text file, but all the same, it's pretty weird!

Same here, the email addy always starts with an underscore!

Doctor Dre
11-25-2001, 11:52 PM
And Norton AV doesn't delete the email before you run them and you can be re-infected ... I got it 4 times since this morning !!! To remove it go into the registry and change what is written on the Symantec site

TomPitt
11-26-2001, 12:11 AM
Originally posted by Doctor Dre:
And Norton AV doesn't delete the email before you run them and you can be re-infected ... I got it 4 times since this morning !!! To remove it go into the registry and change what is written on the Symantec site

Just download the updated virus file. Norton added a fix for this worm.

So far my new Norton 2002 did a great job detecting all of those incoming emails :)

XP
11-26-2001, 02:25 PM
damn I just got infected. It executes automatically

XP
11-26-2001, 02:39 PM
Old DOS tactics always work.

RaiDeN
11-26-2001, 04:32 PM
yeah it's a nag, I just updated my Norton yesterday because of this shitty thing. popping up alerts on emails and shit..

aaargh