AR-CIVIL-WAR-L Archives
From: "Diana Boothe" <>
Subject: [AR-CIVIL-WAR] BadTrans-Read Immediately!-AGAIN
Date: Wed, 5 Sep 2001 11:56:26 -0500
References: <033d01c1361d$f0622580$79cd5ecc@cei.net>
OK guys........I am re-sending this, for the ones who have just
joined........so please forgive me.................
Diana
----- Original Message -----
From: "Diana Boothe" <>
To: <>
Sent: Wednesday, September 05, 2001 10:17 AM
Subject: [AR-CIVIL-WAR] BadTrans-Read Immediately!
> Hey everybody,
> I hate to start this already, and hopefully this won't be the topic of
> discussion for the next three days, but the BadTrans virus is on the loose
> again. DO NOT OPEN ANY ATTACHMENTS FROM ANYONE YOU DON'T KNOW! I would
> recommend for everyone, if they don't already, to get some type of
> anti-virus protection for your computer. There are really good ones out
> there, and some are even free, so please, protect yourselves! I am sending
> on to you Symantec's breakdown of the BadTrans virus, or, you can read it
> yourself, here...........
> http://www.symantec.com/avcenter/venc/data/
> It's sneaky, it will appear as a response to an e-mail you sent, since it
> replies to unanswered mail. Remember, you will NEVER receive an attachment
> from RootsWeb............they come from the individual's computer that has
> become infected.
> PLEASE watch out for yourselves today! I have removed the infected person
> from our list, but until they read their e-mail, we will continue to be
> subject to the virus. If anyone needs help finding anti-virus software, or
> if you have any question, please contact me OFF list.
>
> Diana
>
> W32.Badtrans.13312@mm
> Discovered on: April 11, 2001
> Last Updated on: September 4, 2001 at 03:19:58 PM PDT
>
> Due to the decreased number of reports, the threat level for this worm has
> been downgraded from 4 to 3. It is a MAPI worm that replies to all unread
> messages in your email message folders and drops a backdoor Trojan.
>
> Also Known As: W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans,
> I-Worm.Badtrans, TROJ_BADTRANS.A, Pws-AV Trojan
>
> Type: Worm
>
> Infection Length: 13312
>
> Virus Definitions: April 11, 2001
>
> Threat Assessment:
>
> Wild: High
> Damage: Medium
> Distribution: High
>
>
> Wild:
>
> Number of infections: 50 - 999
> Number of sites: More than 10
> Geographical distribution: High
> Threat containment: Easy
> Removal: Easy
> Damage:
>
> Payload:
> Large scale e-mailing: It replies to all unread messages in the message
> folders within the default MAPI email program.
> Compromises security settings: It drops a backdoor Trojan.
>
> Technical description:
>
>
> When the worm is executed, it drops the backdoor Trojan Hkk32.exe into the
> \Windows folder and executes it. It then copies itself into the \Windows
> folder as inetd.exe, adds a run= line to the Win.ini file, and displays the
> following message:
>
>
>
> The next time that the computer is restarted, the worm waits for five
> minutes and then uses MAPI to find all unread email messages and reply to
> all of them. The worm attaches itself to the message using one of the
> following file names:
> Pics.ZIP.scr
> images.pif
> README.TXT.pif
> New_Napster_Site.DOC.scr
> news_doc.scr
> hamster.ZIP.scr
> YOU_are_FAT!.TXT.pif
> searchURL.scr
> SETUP.pif
> Card.pif
> Me_nude.AVI.pif
> Sorry_about_yesterday.DOC.pif
> s3msong.MP3.pif
> docs.scr
> Humor.TXT.pif
> fun.pif
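
A defender-side check for the two artifacts the quoted advisory describes, the decoy-extension attachment names and the run= line in Win.ini, as an added example that is not part of the original message or of Symantec's writeup. The extension sets, function names and sample Win.ini are assumptions, including that the added run= line points at the inetd.exe copy.

```python
import re

# Extensions Windows runs directly; .pif and .scr are the two used in the list above.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs"}
# Harmless-looking extensions used as the decoy component (assumed set).
DECOY_EXTS = {"txt", "doc", "zip", "avi", "mp3", "jpg", "gif"}
# File names the advisory says are written to the \Windows folder.
ADVISORY_FILES = {"hkk32.exe", "inetd.exe"}

def classify_attachment(filename):
    """Return 'double-extension', 'executable' or 'ok'; trailing dots and spaces,
    which Windows ignores, are stripped before the name is split."""
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def winini_autoruns(text):
    """Return the programs on run=/load= lines in the [windows] section of Win.ini."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "windows" and key.strip().lower() in ("run", "load"):
            found += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return found

def advisory_hits(autoruns):
    """Keep the autorun entries whose base name matches a file named in the advisory."""
    return [p for p in autoruns
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in ADVISORY_FILES]

# Constructed sample Win.ini; assumes the added run= line points at the inetd.exe copy.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\inetd.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print(classify_attachment("README.TXT.pif"), advisory_hits(winini_autoruns(SAMPLE_WIN_INI)))
```
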