At least one Lyst member has been hit by the w32.badtrans.b@mm virus. See http://www.symantic.com for details, but the virus mails a copy of itself to addresses it finds in the victim's address book, using a header from an existing email to make it appear that the infected email is a reply to something you sent the victim. It also installs a Trojan that allows your keystrokes to be logged. I've had several copies of the virus over the last 12 hours, from more than one City member, and to both my FC and Lyst email addresses.
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
On Sun, Nov 25, 2001 at 09:38:15AM -0800, Julia Jones wrote:
> At least one Lyst member has been hit by the w32.badtrans.b@mm virus. See http://www.symantic.com for details, but the virus mails a copy of itself to addresses it finds in the victim's address book, using a header from an existing email to make it appear that the infected email is a reply to something you sent the victim.
You know what I'm waiting for... a virus that sends spam. Or, at least, one that collects email addresses for spam-lists.
In message <0LHlk+DHySA8Ewu3@jajones.demon.co.uk>, Julia Jones <julia.lysator@jajones.demon.co.uk> writes
> At least one Lyst member has been hit by the w32.badtrans.b@mm virus. See http://www.symantic.com for details, but the virus mails a copy of itself to addresses it finds in the victim's address book, using a header from an existing email to make it appear that the infected email is a reply to something you sent the victim. It also installs a Trojan that allows your keystrokes to be logged. I've had several copies of the virus over the last 12 hours, from more than one City member, and to both my FC and Lyst email addresses.
> http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
Given the number of "help, what do I do about this" messages I got *after* I posted that link to Freedom City this morning, I will post the info from the page. There are at least three different people on the B7 mailing lists that I personally have received this virus from, and several others are reported to have it or suspect that they may have it.
Note that this thing plants a keystroke logger trojan - that means that it's collecting information about what you type, to be sent back to its writer. Little things like passwords, credit card details... It's not that destructive of files, but you need to clean it out if you've got it.
It is also *not* just an OE virus - it uses the default MAPI client. OE users are just the most likely to have security holes that can be exploited.
********
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.
Type: Worm
Virus Definitions: November 24, 2001
Threat Assessment:
Wild: Medium
Damage: Low
Distribution: High
Wild:
Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy
Damage:
Payload:
Large scale e-mailing: Sends email from addresses found in the default MAPI program.
Compromises security settings: Installs keystroke logging Trojan.
Technical description:
This worm arrives as an email with one of several attachment names and a combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the following: .DOC .MP3 .ZIP
The second extension that is appended to the file name is one of the following: .pif .scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe
Prevention methods:
1. Corporate email filtering systems should block all email that has attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.
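As an added defensive example (not part of the original post or of the Symantec writeup quoted above), the following Python script applies both prevention rules to a MIME message: it walks every attachment, flags any whose name matches the worm's pattern (one of the listed base names, a decoy .DOC/.MP3/.ZIP extension, then .pif or .scr), and separately applies the blanket block on any .scr/.pif attachment. The sample messages are constructed here; the function and constant names are the example's own.

```python
import re
from email import message_from_string

# Attachment base names, decoy extensions and executable extensions
# exactly as listed in the writeup above.
BADTRANS_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
                  "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
FIRST_EXT = {".DOC", ".MP3", ".ZIP"}
SECOND_EXT = {".PIF", ".SCR"}

# name.ext1.ext2 : ext1 is the decoy, ext2 is what Windows actually executes.
_DOUBLE_EXT = re.compile(
    r"^(?P<base>.+?)(?P<ext1>\.[A-Za-z0-9]+)(?P<ext2>\.[A-Za-z0-9]+)$")


def classify_attachment(filename: str) -> str:
    """Return 'badtrans', 'executable' or 'ok' for one attachment file name."""
    name = filename.strip()
    m = _DOUBLE_EXT.match(name)
    if m:
        base = m.group("base").upper()
        ext1 = m.group("ext1").upper()
        ext2 = m.group("ext2").upper()
        # Rule 2: the worm's own name / decoy-extension / executable pattern.
        if base in BADTRANS_NAMES and ext1 in FIRST_EXT and ext2 in SECOND_EXT:
            return "badtrans"
    # Rule 1: block anything whose real (last) extension is .scr or .pif,
    # regardless of the name in front of it.
    last_ext = "." + name.rsplit(".", 1)[-1].upper() if "." in name else ""
    if last_ext in SECOND_EXT:
        return "executable"
    return "ok"


def scan_message(raw: str) -> list:
    """Parse a raw RFC 822 message and return (filename, verdict) per attachment."""
    msg = message_from_string(raw)
    results = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, falling back to Content-Type name=
        fname = part.get_filename()
        if fname:
            results.append((fname, classify_attachment(fname)))
    return results


def should_block(raw: str) -> bool:
    """Gateway decision: reject the message if any attachment is not 'ok'."""
    return any(verdict != "ok" for _, verdict in scan_message(raw))


# Constructed sample: a faked "reply" carrying the worm's attachment pattern.
SAMPLE_MESSAGE = """\
From: friend@example.invalid
To: you@example.invalid
Subject: Re: your last mail
In-Reply-To: <something-you-sent@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

see attached
--BOUNDARY
Content-Type: application/octet-stream; name="CARD.DOC.PIF"
Content-Disposition: attachment; filename="CARD.DOC.PIF"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

# Constructed sample: an ordinary document attachment that should pass.
CLEAN_MESSAGE = """\
From: friend@example.invalid
To: you@example.invalid
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

minutes attached
--BOUNDARY
Content-Type: application/msword; name="minutes.doc"
Content-Disposition: attachment; filename="minutes.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--BOUNDARY--
"""

if __name__ == "__main__":
    for label, raw in (("worm sample", SAMPLE_MESSAGE), ("clean sample", CLEAN_MESSAGE)):
        print(label, scan_message(raw), "block" if should_block(raw) else "deliver")
```

The check is purely on the attachment file name, which is all the writeup gives a gateway to work with; it complements rather than replaces signature scanning with current virus definitions, and the blanket .scr/.pif rule will also block legitimate screensavers and shortcuts, which is the trade-off the prevention section accepts.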
Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.