w32/badtrans/mm
Thread Starter
Joined: Sep 2001
Posts: 12
Likes: 0
From: slumped in front of PC
Been hit and my McAfee Virus scan didn't pick it up (yes it's updated). I am now emailing the world.
Any freeware downloads you are aware of out there that will do it.
I went to a university site once for a previous problem but can't remember where it was.
Any help appreciated
Ta!

Joined: Mar 2001
Posts: 190
Likes: 1
From the McAfee site
"VirusScan and other McAfee products with DAT files 4168 are protected from this variant without any updating from that DAT. The variant will be detected as W32/Badtrans@MM when scanning compressed files."
and
"AVERT has raised the Risk Assessment on the Badtrans.b variant to Medium On Watch. We have received many reports that the virus is being seen and stopped at corporate gateways and mailservers. However, we continue to get reports from the home user segment that they have become infected. This is due to the fact that home users tend to update their DAT files less frequently and often do not have VirusScan configured to scan compressed files which is required for detection."
Two points may be relevant.
Dat 4168 or later is required.
(Current Dat is 4172 Dated 21 Nov 01)
VirusScan must be configured to include compressed files in the scan.
Regards
Snooze
Guest
Posts: n/a
— W32/Badtrans@mm —
McAfee.com has received an increasing number of reports from home users with a new variant of Badtrans, referred to as Badtrans.b. AVERT has raised the Risk Assessment on this variant of W32/Badtrans@MM to HIGH RISK FOR CONSUMERS.
VirusScan and other McAfee products with DAT files 4172 and higher are protected from this variant.
W32/Badtrans@MM is a mass-mailing worm that drops a remote-access Trojan. The virus arrives via the Microsoft Outlook email program and attempts to send itself by replying to unread email messages.
The email may contain the text "Take a look to the attachment" in the message body and will contain an attachment that is 13,312 bytes in size. The attachment name is created in three sections, for example, card.doc.pif.
Flies for fun
Joined: Feb 2000
Posts: 789
Likes: 0
From: Wishing it was somewhere sunny!
I had a bad case of it last week in spite of running VirusScan 5.2 - now updated to 6.01 but, since then, some funny things happening!!!!
1. outlook express takes over 1 minute to load.
2. when I access say pprune e-mail, when I type in my user name, it takes about 30 secs before the cursor starts flashing on the password box and then ages again before my modem starts to access the email site.
3. In spite of a question every time do you want windows to remember etc... it never does.
4. The same on travelocity, takes ages to skip to the next box to be filled in but travelocity does remember who I am - probably works differently from pprune e-mail.
Any clues folks?
[ 27 November 2001: Message edited by: Sensible ]
Joined: Feb 2000
Posts: 776
Likes: 0
From: [edited by PPRuNe Admin]
from news.bbc.co.uk
BIG round of applause to BT Openworld
A sneaky Windows computer virus is circulating that tries to install software that monitors what users are typing and passes it to the malicious program's creator.
Like many of the other computer viruses that have struck in recent months, BadTrans-B attempts to spread by exploiting weaknesses in Microsoft e-mail programs.
One anti-virus company has caught over 20,000 copies of the virus in the last 24 hours.
The UK, Germany and US are the countries most seriously infected by the virus.
Old holes
The BadTrans-B virus is spreading swiftly because, unlike many other e-mail viruses, the pernicious payload that helps it raid Microsoft Outlook address books does not have to be clicked on to set it off.
Simply previewing the item could cause infection. The loophole the virus exploits was first discovered in early 2001.
Badtrans-B file names
humour
docs
s3msong
me_nude
card
searchurl
you_are_fat!
news_doc
images
pics
"It's baffling to find that even though Microsoft secured that hole eight months ago, many users have still not applied the patch," said Graham Cluley of anti-virus firm Sophos.
When the virus mails itself to the contacts in the address books it raids, the virus uses a subject line from an existing message to make it appear to be a legitimate reply.
The virus also regularly swaps the name of the attachment travelling with it, in an attempt to conceal its pernicious payload.
BadTrans-B is a variant of the original BadTrans virus that was first discovered in April.
BT Openworld error
As well as raiding Outlook and Outlook Express address books, the virus also tries to implant a hidden program that tries to send an identifying net address to the author of the virus.
The hidden program also monitors what users are typing and the information it tracks could be used by a malicious hacker to steal credit card information or passwords for websites.
Britain seems to have been hit hard by the BadTrans-B Windows virus. Anti-virus firm Message Labs, which logs the numbers of pernicious programs it traps, has caught over 21,000 copies of BadTrans-B in the last 24 hours. Over 50% of these originated in Britain.
The spread of the virus was inadvertently helped by BT Openworld, which accidentally e-mailed a copy of the virus to its customers.
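Added example (not from any of the posts above, nor from McAfee, the BBC or Sophos): the McAfee text and the BBC article quoted in this thread together give enough to write a simple gateway-style filter for BadTrans.B mail: a reply-style "Re:" subject, the lure text "Take a look to the attachment", and an attachment whose name is built in three sections (a base name from the published list, a decoy document extension, then a .pif or .scr executable extension, e.g. card.doc.pif). The Python below parses raw messages with the standard library email module and reports which indicators match. The sample messages are constructed inline with example.invalid addresses; the .zip decoy extension is an assumption, and the 13,312-byte size check (taken from the McAfee text) is treated as a supporting indicator only, since the size quoted may not hold for every copy.

```python
"""Detect the BadTrans.B indicators described in this thread in raw
RFC 822 messages. Added example; the sample messages are constructed
here, not captured from the worm."""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment base names from the BBC list quoted in the thread, plus
# "Napster" from a poster's own report. Matching is case-insensitive.
BASE_NAMES = {"humour", "docs", "s3msong", "me_nude", "card", "searchurl",
              "you_are_fat!", "news_doc", "images", "pics", "napster"}

# Three-section name: <base>.<decoy ext>.<executable ext>. The page shows
# .doc and .mp3 decoys with .pif/.scr; the .zip decoy is an assumption.
NAME_RE = re.compile(
    r"^(?P<base>[^.]+)\.(?P<decoy>doc|mp3|zip)\.(?P<exe>pif|scr)$",
    re.IGNORECASE)

# Attachment size quoted from McAfee's note in the thread; supporting
# indicator only, since the real size may differ between copies.
REPORTED_SIZE = 13312


def badtrans_indicators(raw: bytes) -> list[str]:
    """Return the names of all indicators that match; [] means none.
    'double_extension' is the decisive one; the rest only corroborate."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg["subject"] or "").strip()
    if subject.lower().startswith("re:"):
        hits.append("subject_re")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if "take a look to the attachment" in body.lower():
        hits.append("body_lure")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = NAME_RE.match(name)
        if not m:
            continue
        hits.append("double_extension")
        if m.group("base").lower() in BASE_NAMES:
            hits.append("known_base_name")
        data = part.get_payload(decode=True) or b""
        if len(data) == REPORTED_SIZE:
            hits.append("reported_size")
    return hits


def is_suspect(raw: bytes) -> bool:
    """Quarantine decision: an executable hidden behind a decoy extension."""
    return "double_extension" in badtrans_indicators(raw)


def build_sample(subject: str, body: str, attachment_name: str = "",
                 attachment_size: int = 0) -> bytes:
    """Construct a test message (not a real capture) with an optional
    binary attachment of the given size."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "worm-like": build_sample("Re:", "Take a look to the attachment",
                                  "card.doc.pif", REPORTED_SIZE),
        "legit reply": build_sample("Re: April booking", "Quote attached.",
                                    "quote.doc", 2048),
    }
    for label, raw in samples.items():
        print(f"{label:12} suspect={is_suspect(raw)} {badtrans_indicators(raw)}")
```

Run it with python3 to see the two constructed messages classified. The double-extension check is what does the work: a "Re:" subject and a document-looking name are both normal in legitimate mail, so neither should trigger quarantine on its own. Note also the caveat McAfee gives above: a copy that arrives inside a compressed archive is not caught by filename alone, so a real gateway would have to open archives before applying this check.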
Joined: Jun 2000
Posts: 1,003
Likes: 0
From: Geriatrica, UK
Good thread, this, and my thanks to those who flagged up the problem.
Updated my McAfee Viruscan yesterday (27th Nov) with the 21st Nov DAT file and checked the setting to scan all e-mails and downloads. Got my copy of the virus this AM from "Milan Galant" with no subject message - just the "Re:". Virus scan spotted it before opening and stopped me in my tracks. Told me the name of the virus and what to do.
Now, it is just possible that there is a connection between the update and the attack, isn't it...? No, I'm just being cynical. But what better way to convince the customer that he has bought a good product?
McAfee's Web Site must be one of the worst in the World for pushy marketing but as far as I know, the Product is OK.
Joined: Nov 2000
Posts: 71
Likes: 0
From: Localiser backcourse 31
I have had 6 emailed copies of the virus sent to my PPRuNe address in the last 3 days. They have the topic "Re:.." and are each 41k in size. I view my mail online and have made it a policy of never downloading anything from an address I don't know. I don't know whether my Norton would have worked!
Rgds
CB
Moderator
Joined: Apr 1998
Posts: 1,335
Likes: 0
From: err, *******, we have a problem
27 in the last 2 days and counting!
What amazes me is I know absolutely none of the senders... do people regularly add PPRuNe moderators and Admins to their address books? If so, why, when you can click on a link?
Never mind... all packages 41K, all "Re: ," all with a .doc.pif or .scr and all deleted whilst still on the webserver. Not that they'd do my G4 any harm..........
£6
Guest
Posts: n/a
Had one this morning from a Florida Car Hire Company. I have actually been dealing with them about my visit in April. But... I did actually take care to right click to get "message source" and right at the bottom was the giveaway. I caught sight of the word Napster.MP3.pif and remembered it was amongst the list I had been memorising from McAfee. Then I burned it.
Then I told the company that "sent" it that they are infected.
Haven't heard from them yet.
Joined: Apr 2001
Posts: 871
Likes: 0
From: Chichester, UK
Joined: Oct 2001
Posts: 71
Likes: 0
From: Aldebaran
Hi, here are 2 links that might help you get rid of the worm
+++ free tool that will wipe the Badtrans.b worm +++
This tool doesn't need any installation and can be started directly after downloading
Note: might want to archive this tool (for future use if needed)
BitDefender = http://www.witch.de/web.php/u/1001807
Another free and pretty good virus-scan for protection can be found here:
AntiVir = http://www.witch.de/web.php/u/1001812
another one can be found at www.sophos.de
and also www.bitdefender.com
just download the latest "anti-virus" for the badtrans... and activate it.
Sorry for putting german webpages on there but at least they have worked for quite a few people i know!
Cheers
Joined: Jun 2000
Posts: 1,003
Likes: 0
From: Geriatrica, UK
I've just dis-infected a Win98SE PC running Norton Anti-Virus that hadn't been updated for two years! It was badly infected and had e-mailed dozens of victims, some of whom were telephoning to complain. There were 40 automatic returns from Servers of e-mails this PC had sent out.
Norton was too unfriendly so I put McAfee in its place and it worked like a dream; ran a scan on all files and it found the culprit in Kernel32.dll. Couldn't clean it so it (McAfee) deleted it (as it claimed). Found the file still there when I tried to load a fresh version into the \System folder.
I can't normally delete a system file in use by the system so can McAfee have done so? Didn't have time to rescan the disk but that would show if the file was still infected.
The mail Servers appear to have caught up now and the flood of these e-mails is drying up.
Moderator

Joined: May 1998
Posts: 253
Likes: 0
From: .
I've got myself (and the whole of British World Airlines) on an auto-upgrading version of the Sophos anti-virus product.
Now w.r.t. Badtrans you might also like to have a look at what Sophos have to say about it: http://www.sophos.com/virusinfo/anal...badtransb.html
and in particular, the fix for it (plus associated links) : http://www.sophos.com/support/faqs/w32badtransb.html
So let's all pull together and help to crack this nut.
"Shields UP !"
Joined: Oct 1998
Posts: 468
Likes: 0
From: UK
A free tool is also available here, from an AntiVirus prog I have been running for some time. It does self-upgrades (sometimes twice a week!!!) and installs as a virus checker on all major chat systems (MSN, ICQ, YAHOO.....), and it also sets up a system internal proxy on the PC which feeds all mail through it before it reaches the mail client...
A total of 134 mails received in the last 4 days have been "isolated" and subsequently deleted by me as infected. Needless to say that there was mail from trustworthy senders...
Here is the link
http://www.bitdefender.com/html/free_tools.php
Joined: Jun 2000
Posts: 1,003
Likes: 0
From: Geriatrica, UK
Re TR4A's post in the Smiley Tracey thread, watch for file KDLL.DLL in C:\Windows\System. It could be logging any passwords you type in. The file is not a Windows file but appears when the first BadTrans virus is downloaded.
Re my post above, yes McAfee did manage to delete the infected Kernel32.dll and it was immediately recreated by Windows so all is well.