Just FYI. -Chris
---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 11:56:05 -0800 (PST)
From: Milton Takei <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Listowners listserv <[EMAIL PROTECTED]>
Subject: Stripping attachments

To the listowners list:

Does anybody on this list know the listproc command to strip attachments, as suggested in the message below?

--Milton Takei

---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 10:33:14 -0500
From: Ishgooda <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]/TROJAN ALERT

I have received six copies of this virus in the past three days. It appears to change the email address to another address in the infected person's address book (ex. "[EMAIL PROTECTED]" will read "[EMAIL PROTECTED]" and actually sent from a verizon account). This makes it extremely difficult to back track an infected sender as routers don't support the fact it comes from the address shown.

It appears to arrive as an embedded file rather than an attachment. For those using hotmail, this means you "may" infect yourself simply by viewing it.

For those of you who are listowners..set your list to strip attachments and permit text files only.

Check your system under "help" in order to learn how to disable MAPI. In Eudora go to Tools/Options/MAPI and check the box to disable it. If you have any problems this can be re-enabled in the same settings area.

In light of the recent developments from the FBI, a newly developed trojan called Magic Lantern under the Cyber Knights program, this trojan functions very similarly.

Ishgooda

thanks to Jordan for the following link and info:

W32.Badtrans.B@mm
http:[EMAIL PROTECTED]

Discovered on: November 24, 2001
Last Updated on: November 26, 2001 at 12:46:58 PM PST

Due to the increased rate of submissions, we have updated the threat level of this worm from level 3 to level 4.

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names.
This worm also creates a DLL in \Windows\System directory as Kdll.dll. It uses functions from this DLL to log keystrokes.

Type: Worm
Virus Definitions: November 24, 2001

Threat Assessment:

Wild: High
Damage: Low
Distribution: High

Wild:
Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Damage:
Payload:
Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.

Technical description:

This worm arrives as an email with one of several attachment names and a combination of two appended extensions. The list of possible file names is:

HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the following:

.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the following:

.pif
.scr

The resulting file name would look something like this:

CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:

1. Corporate email filtering systems should block all email that have attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.

Removal instructions:
http://securityresponse.symantec.com/avcenter/refa.html#removal

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.
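
Added example, not part of the forwarded messages or of the Symantec write-up: a Python check for prevention method 1 above. It flags any MIME part, attached or inline, whose file name ends in .pif or .scr, and marks names that match the advisory's name-plus-two-extensions pattern. The function names, verdict labels and the sample message builder are assumptions made for illustration.

```python
import email
from email.message import EmailMessage

# Names and extensions copied from the advisory text above.
BASE_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
              "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
DECOY_EXTS = {".doc", ".mp3", ".zip"}   # first appended extension
BLOCKED_EXTS = {".pif", ".scr"}         # second (executed) extension


def classify_filename(filename):
    """Return 'badtrans-name', 'blocked-ext' or None for one file name."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = filename.strip().strip('"').rstrip(". ")
    lower = name.lower()
    final = next((e for e in BLOCKED_EXTS if lower.endswith(e)), None)
    if final is None:
        return None
    stem = name[:-len(final)]
    for decoy in DECOY_EXTS:
        if stem.lower().endswith(decoy) and stem[:-len(decoy)].upper() in BASE_NAMES:
            return "badtrans-name"
    return "blocked-ext"


def scan_message(raw_bytes):
    """Walk every MIME part and return (filename, verdict) for flagged parts."""
    msg = email.message_from_bytes(raw_bytes)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition first, then the Content-Type
        # "name" parameter, so inline (embedded) parts are covered as well.
        filename = part.get_filename()
        verdict = classify_filename(filename) if filename else None
        if verdict:
            hits.append((filename, verdict))
    return hits


def build_sample(filename, disposition):
    """Constructed sample message; the payload is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "list@example.com"
    msg["Subject"] = "Re:"
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename,
                       disposition=disposition)
    return msg.as_bytes()
```

Matching is done on the file name only, so a filter built this way blocks on extension regardless of the declared Content-Type.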