Posted: Tue Nov 27, 2001 9:00 pm Post subject: BAD ONE!!!
A new variant of Badtrans has been discovered, referred to as Badtrans.b. AVERT has raised the Risk Assessment on this variant of W32/Badtrans@MM to High Risk for Consumers. Many reports have been received from home users that they have become infected. It is believed that failure to update recently has caused this increase in occurrence.
NOTE: I received an email from Italy today with the virus hidden in it; BUT because I had my anti-virus software set to scan any email and email attachments, I was warned and prevented from opening the infected message.
W32/Badtrans@MM is a mass-mailing worm that drops a remote-access Trojan. The virus arrives via email in Microsoft Outlook and attempts to send itself by replying to unread email messages. The email may contain the text "Take a look to the attachment" in the message body and will contain an attachment that is 13,312 bytes in length. The attachment name is created from three sections:
The first part is chosen from the possibilities:
fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics
The second part is chosen from the possibilities:
.DOC.
.MP3.
.ZIP.
and the last part from the possibilities:
pif
scr
This new variant also uses the iframe exploit and incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin (MS01-020) for more information and a patch.
What It Can Do
If the attachment is opened, the worm displays a message box entitled "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is written to the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor Trojan) and HKSDLL.DLL (a valid keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the Trojan upon system startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe
Once running, the Trojan attempts to mail the victim's IP address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the Trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.
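As an added example (not part of the original post or of any vendor tool), the following Python turns the indicators above into simple checks: the three-part attachment name scheme and 13,312-byte size on the mail side, and the WIN.INI run= entry and RunOnce kernel32 value on the host side. The message dict, WIN.INI text and registry values it consumes are constructed sample inputs.

```python
# Constructed detection helpers for the Badtrans.b indicators described above.
FIRST_PARTS = {"fun", "Humor", "docs", "info", "Sorry_about_yesterday", "Me_nude",
               "Card", "SETUP", "stuff", "YOU_are_FAT!", "HAMSTER", "news_doc",
               "New_Napster_Site", "README", "images", "Pics"}
MIDDLE_PARTS = {".DOC.", ".MP3.", ".ZIP."}
EXTENSIONS = {"pif", "scr"}
ATTACHMENT_SIZE = 13312          # bytes, as stated in the advisory
LURE_TEXT = "take a look to the attachment"

def is_badtrans_name(filename: str) -> bool:
    """True when filename is <first><.DOC.|.MP3.|.ZIP.><pif|scr>, e.g. Card.DOC.scr."""
    for middle in MIDDLE_PARTS:
        first, sep, ext = filename.partition(middle)
        if sep and first in FIRST_PARTS and ext in EXTENSIONS:
            return True
    return False

def assess_message(msg: dict) -> list:
    """Return the mail-side indicators present in a parsed message (a plain dict here)."""
    hits = []
    name = msg.get("attachment_name", "")
    if is_badtrans_name(name):
        hits.append("attachment name matches the worm's naming scheme")
    if msg.get("attachment_size") == ATTACHMENT_SIZE:
        hits.append("attachment is exactly 13,312 bytes")
    if LURE_TEXT in msg.get("body", "").lower():
        hits.append("body carries the worm's lure text")
    return hits

def host_indicators(win_ini_text: str, runonce_values: dict) -> list:
    """Return persistence artefacts: WIN.INI run= of INETD.EXE, RunOnce kernel32=kern32.exe."""
    hits = []
    for line in win_ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "run" and "inetd.exe" in value.lower():
            hits.append("WIN.INI run= line starts INETD.EXE")
    if runonce_values.get("kernel32", "").lower().endswith("kern32.exe"):
        hits.append("RunOnce\\kernel32 points to kern32.exe")
    return hits

if __name__ == "__main__":
    # Constructed sample input, not a real capture.
    sample = {"attachment_name": "Card.DOC.scr", "attachment_size": 13312,
              "body": "Take a look to the attachment"}
    print(assess_message(sample))
    print(host_indicators("[windows]\nrun=C:\\WINDOWS\\INETD.EXE\n", {"kernel32": "kern32.exe"}))
```

A mail gateway would feed real MIME attachment names and sizes into assess_message; the host checks are the two persistence points a cleanup should verify after removing the files.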
Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.
Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.
Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.