w32/badtrans/mm
Been hit and my McAfee Virus scan didn't pick it up (yes it's updated). I am now emailing the world. :(
Any freeware downloads you are aware of out there that will do it? I went to a university site once for a previous problem but can't remember where it was. Any help appreciated Ta! |
You don't want to hear this but Symantec Norton AntiVirus does pick this up. Yet again McAfee are behind the game.
|
Thanks for your rapid response. Even as I type I am downloading Norton Symantec.
Regds LL |
From the McAfee site
"VirusScan and other McAfee products with DAT files 4168 are protected from this variant without any updating from that DAT. The variant will be detected as W32/Badtrans@MM when scanning compressed files."
and
"AVERT has raised the Risk Assessment on the Badtrans.b variant to Medium On Watch. We have received many reports that the virus is being seen and stopped at corporate gateways and mailservers. However, we continue to get reports from the home user segment that they have become infected. This is due to the fact that home users tend to update their DAT files less frequently and often do not have VirusScan configured to scan compressed files which is required for detection."
Two points may be relevant.
Dat 4168 or later is required. (Current Dat is 4172 Dated 21 Nov 01)
VirusScan must be configured to include compressed files in the scan.
Regards Snooze |
So far today PPRuNe HQ has been sent 54 copies of this wretched virus (plus one "snowwhite")
Keep those virus checkers up to date, people! ---Mik |
Make that 55 copies. :mad:
|
— W32/Badtrans@mm —
McAfee.com has received an increasing number of reports from home users with a new variant of Badtrans, referred to as Badtrans.b. AVERT has raised the Risk Assessment on this variant of W32/Badtrans@MM to HIGH RISK FOR CONSUMERS. VirusScan and other McAfee products with DAT files 4172 and higher are protected from this variant. W32/Badtrans@MM is a mass-mailing worm that drops a remote-access Trojan. The virus arrives via the Microsoft Outlook email program and attempts to send itself by replying to unread email messages. The email may contain the text "Take a look to the attachment" in the message body and will contain an attachment that is 13,312 bytes in size. The attachment name is created in three sections, for example, card.doc.pif. |
High Risk? That's putting it mildly...
PPRuNe HQ has been sent over 100 of the blasted things in the last 10 hours :mad: |
I had a bad case of it last week in spite of running VirusScan 5.2 - now updated to 6.01 but, since then, some funny things happening!!!!
1. Outlook Express takes over 1 minute to load.
2. When I access say pprune e-mail, when I type in my user name, it takes about 30 secs before the cursor starts flashing on the password box and then ages again before my modem starts to access the email site.
3. In spite of a question every time do you want windows to remember etc... it never does.
4. The same on travelocity, takes ages to skip to the next box to be filled in but travelocity does remember who I am - probably works differently from pprune e-mail.
Any clues folks? [ 27 November 2001: Message edited by: Sensible ] |
from news.bbc.co.uk
BIG round of applause to BT Openworld

A sneaky Windows computer virus is circulating that tries to install software that monitors what users are typing and passes it to the malicious program's creator. Like many of the other computer viruses that have struck in recent months, BadTrans-B attempts to spread by exploiting weaknesses in Microsoft e-mail programs. One anti-virus company has caught over 20,000 copies of the virus in the last 24 hours. The UK, Germany and US are the countries most seriously infected by the virus.

Old holes

The BadTrans-B virus is spreading swiftly because, unlike many other e-mail viruses, the pernicious payload that helps it raid Microsoft Outlook address books does not have to be clicked on to set it off. Simply previewing the item could cause infection. The loophole the virus exploits was first discovered in early 2001.

Badtrans-B file names: humour, docs, s3msong, me_nude, card, searchurl, you_are_fat!, news_doc, images, pics

"It's baffling to find that even though Microsoft secured that hole eight months ago, many users have still not applied the patch," said Graham Cluley of anti-virus firm Sophos.

When the virus mails itself to the contacts in the address books it raids, the virus uses a subject line from an existing message to make it appear to be a legitimate reply. The virus also regularly swaps the name of the attachment travelling with it, in an attempt to conceal its pernicious payload. BadTrans-B is a variant of the original BadTrans virus that was first discovered in April.

BT Openworld error

As well as raiding Outlook and Outlook Express address books, the virus also tries to implant a hidden program that tries to send an identifying net address to the author of the virus. The hidden program also monitors what users are typing and the information it tracks could be used by a malicious hacker to steal credit card information or passwords for websites.

Britain seems to have been hit hard by the BadTrans-B Windows virus. Anti-virus firm Message Labs, which logs the numbers of pernicious programs it traps, has caught over 21,000 copies of BadTrans-B in the last 24 hours. Over 50% of these originated in Britain. The spread of the virus was inadvertently helped by BT Openworld, which accidentally e-mailed a copy of the virus to its customers. |
Good thread, this, and my thanks to those who flagged up the problem.
Updated my McAfee Viruscan yesterday (27th Nov) with the 21st Nov DAT file and checked the setting to scan all e-mails and downloads. Got my copy of the virus this AM from "Milan Galant" with no subject message - just the "Re:". Virus scan spotted it before opening and stopped me in my tracks. Told me the name of the virus and what to do. Now, it is just possible that there is a connection between the update and the attack, isn't it...? No, I'm just being cynical. But what better way to convince the customer that he has bought a good product? McAfee's Web Site must be one of the worst in the World for pushy marketing but as far as I know, the Product is OK. |
I have had 6 emailed copies of the virus sent to my PPrune address in the last 3 days. They have the topic "Re:.." and are each 41k in size. I view my mail online and have made it a policy of never downloading anything from an address I don't know. I don't know whether my Norton would have worked!
Rgds CB |
27 in the last 2 days and counting!
What amazes me is I know absolutely none of the senders... do people regularly add PPRuNe moderators and Admins to their address books? If so, why, when you can click on a link? Never mind... all packages 41K, all "Re: ," all with a .doc.pif or .scr and all deleted whilst still on the webserver. Not that they'd do my G4 any harm.......... £6 |
Had one this morning from Florida Car Hire Company. I have actually been dealing with them about my visit in April. But...I did actually take care to right click to get "message source" and right at the bottom was the giveaway. I caught sight of the word Napster.MP3.pif and remembered it was amongst the list I had been memorising from McAfee. Then I burned it.
Then I told the company that "sent" it that they are infected. Haven't heard from them yet. :eek: |
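
The check described in the posts above (reading the message source and spotting a three-part attachment name such as card.doc.pif or Napster.MP3.pif) can be automated. This is an added example, not code from any poster or vendor; the function names and the sample messages are constructed for illustration, and the extension list and the 13,312-byte size are taken only from what is quoted in this thread.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions reported in this thread for the worm's attachment.
EXECUTABLE_EXTS = {"pif", "scr"}
# Attachment size quoted from the McAfee advisory earlier in the thread.
ADVISORY_SIZE = 13312


def suspicious_attachments(raw_message: bytes):
    """Return (filename, reasons) for attachments matching the thread's description."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        reasons = []
        # Three sections (name.decoy.ext) whose last one is an executable type.
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE_EXTS:
            reasons.append("double extension ending in ." + pieces[-1])
        # Compare the decoded size, not the larger base64-encoded size.
        payload = part.get_payload(decode=True) or b""
        if len(payload) == ADVISORY_SIZE:
            reasons.append("size matches advisory (13,312 bytes)")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(filename: str, size: int) -> bytes:
    """Constructed test message; inert zero bytes stand in for the attachment."""
    m = EmailMessage()
    m["Subject"] = "Re:"
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m.set_content("Take a look to the attachment")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, size in [("card.doc.pif", 13312), ("report.doc", 2048)]:
        print(fname, suspicious_attachments(build_sample(fname, size)))
```
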
For more information, take a look at
http://www.symantec.com/avcenter/[email protected] |
Hi, here are 2 links that might help you get rid of the worm
+++ free tool that will wipe the badtrans.b-worm +++
This tool doesn't need any installation and can be started directly after downloading.
Note: might want to archive this tool (for future use if needed)
BitDefender = http://www.witch.de/web.php/u/1001807
Another free and pretty good virus-scan for protection can be found here:
AntiVir = http://www.witch.de/web.php/u/1001812
Another one can be found at www.sophos.de and also www.bitdefender.com, just download the latest "anti-virus" for the badtrans... and activate it.
Sorry for putting German webpages on there but at least they have worked for quite a few people I know! Cheers :eek: :eek: |
I've just dis-infected a Win98SE PC running Norton Anti-Virus that hadn't been updated for two years! It was badly infected and had e-mailed dozens of victims, some of whom were telephoning to complain. There were 40 automatic returns from Servers of e-mails this PC had sent out.
Norton was too unfriendly so I put McAfee in its place and it worked like a dream; ran a scan on all files and it found the culprit in Kernel32.dll. Couldn't clean it so it (McAfee) deleted it (as it claimed). Found the file still there when I tried to load a fresh version into the \System folder. I can't normally delete a system file in use by the system so can McAfee have done so? Didn't have time to rescan the disk but that would show if the file was still infected. The mail Servers appear to have caught up now and the flood of these e-mails is drying up. |
I've got myself (and the whole of British World Airlines) on an auto-upgrading version of the Sophos anti-virus product.
Now w.r.t. Badtrans you might also like to have a look at what Sophos have to say about it: http://www.sophos.com/virusinfo/anal...badtransb.html and in particular, the fix for it (plus associated links) : http://www.sophos.com/support/faqs/w32badtransb.html So let's all pull together and help to crack this nut. "Shields UP !" |
A free tool is also here available, this is from an AntiVirus prog I am running since some time, does self-upgrades (sometimes twice a week!!!) and installs as a virus checker on all major chat systems (MSN, ICQ, YAHOO.....) as well as it sets up a system internal proxy on the PC which feeds all mail through it before it reaches the mail client...
A total of 134 mails received in the last 4 days have been "isolated" and subsequently deleted by me as infected. Needless to say that there was mail from trustworthy senders... Here is the link http://www.bitdefender.com/html/free_tools.php :D |
Re TR4A's post in the Smiley Tracey thread, watch for file KDLL.DLL in C:\Windows\System. It could be logging any passwords you type in. The file is not a Windows file but appears when the first BadTrans virus is downloaded.
Re my post above, yes McAfee did manage to delete the infected Kernel32.dll and it was immediately recreated by Windows so all is well. |
I was infected with this one yesterday. I downloaded the fix/removal tool from Symantec. The virus scanner identified 3 files as being infected. The removal tool removed 2 of them (the removal was only successful in safe mode). I have since run the removal tool in both safe and normal mode and it says that the virus is no longer detected. I then restarted my computer into normal mode, re-ran the virus scan and was told that my computer was still infected. The infected file is C:PQSC\CPS\000129\FILES\001\000A70.DAT. I am no computer expert and would like to know how I can get rid of this file (or even if I should?) The Norton anti-virus program has detected this infected file but says (in a dialogue box) that it is unable to quarantine or delete it. Any advice or help will be greatly appreciated, thanks.
|
Have just had an email from a colleague which reads as follows:-
Last week my PC was infected by a nasty worm virus and I spent all the necessary time getting rid of it and re-installing my Windows programme (twice). I have discovered an ingenious way of making sure I never get caught unawares again and wanted to share it with you. Here is a computer trick today that's really ingenious in its simplicity. As you may know, when/if a worm virus gets into your computer it heads straight for your email address book and sends itself to everyone in there, thus infecting all your friends and associates. This trick won't keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the worm has gotten into your system. Here's what you do: first, open your address book and click on "new contact", just as you would do if you were adding a new friend to your list of email addresses. In the window where you would type your friend's first name, type in !000 (that's an exclamation mark followed by 3 zeros). In the window below where it prompts you to enter the new email address, type in WormAlert. Then complete everything by clicking add, enter, ok, etc. Now, here's what you've done and why it works: the "name" !000 will be placed at the top of your address book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. But when it tries to send itself to !000, it will be undeliverable because of the bogus email address you entered (WormAlert). If the first attempt fails (which it will because of the phoney address), the worm goes no further and your friends will not be infected. Here's the second great advantage of this method: if an email cannot be delivered, you will be notified of this in your Inbox almost immediately. Hence, if you ever get an email telling you that an email addressed to WormAlert could not be delivered, you know right away that you have the worm virus in your system. 
You can then take steps to get rid of it! I hope this helps to save you a lot of time and effort in the future. |
Update
Finally managed to rid my machine of this virus. I let the virus scanner identify the infected file. I then took a note of it, rebooted into Safe mode, found the file and manually deleted it. I then re-ran the Fix/removal tool in both safe and normal mode. I then ran the Norton Virus Scanner in both safe and normal mode (no more virus detected). I'm not really sure what the file I deleted did, but it was infected, could not be repaired, and so had to go. I think my machine is working ok, still only time will tell. What a day this has been! |
fireflybob, I like your false E-Mail address suggestion.
I have placed it on my machine and assuming it works, it's brilliant! Never seen it suggested anywhere else. The only doubt I have is if a virus is written that will simply work its way through the list come what may; nevertheless, such a simple solution deserves a fair trial. Thanks. |
You might like to read a little more about this so called "trick" on this URL. Things are never as simple as they seem, are they?
http://antivirus.about.com/library/weekly/aa082801b.htm Cheers. |
I got caught by another virus many months ago even though I had McAfee running and the very latest DAT file. Reformat required and lost a lot of data.
Gave McAfee the "flick" and have had "Nortons" ever since. It has since picked up numerous attempts to infect my machine. I agree with previous posters about McAfee being not up to scratch. |
:) Thanks feret,
I read the link and what seemed a good idea is perhaps not quite what it seemed. I did note that I suspected it may have limitations, but I suppose if it catches one virus and the address is indeed not registered to anyone, then it is worthwhile. After all, it costs nothing! Clearly though, up to date anti-virus software cannot be beaten at present. |