Just FYI.
-Chris
---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 11:56:05 -0800 (PST)
From: Milton Takei <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Listowners listserv <[EMAIL PROTECTED]>
Subject: Stripping attachments
To the listowners list:
Does anybody on this list know the listproc command to strip
attachments, as suggested in the message below?
--Milton Takei
---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 10:33:14 -0500
From: Ishgooda <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]/TROJAN ALERT
I have received six copies of this virus in the past three days. It appears
to change the email address to another address in the infected person's
address book (ex. "[EMAIL PROTECTED]" will read "[EMAIL PROTECTED]" and
actually sent from a verizon account). This makes it extremely difficult
to back track an infected sender as routers don't support the fact it
comes from the address shown.
It appears to arrive as an embedded file rather than an attachment. For
those using hotmail, this means you "may" infect yourself simply by
viewing it. For those of you who are listowners: set your list to strip
attachments and permit text files only.
Check your system under "help" in order to learn how to disable MAPI. In
Eudora go to Tools/Options/MAPI and check the box to disable it. If you
have any problems this can be re-enabled in the same settings area.
In light of the recent developments from the FBI, a newly developed trojan
called Magic Lantern under the Cyber Knights program, this trojan
functions very similarly. Ishgooda. Thanks to Jordan for the following link
and info:
W32.Badtrans.B@mm
http:[EMAIL PROTECTED]
Discovered on: November 24, 2001
Last Updated on: November 26, 2001 at 12:46:58 PM PST
Due to the increased rate of submissions, we have updated the threat
level of this worm from level 3 to level 4.
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of
several different file names. This worm also creates a DLL in the
\Windows\System directory as Kdll.dll. It uses functions from this DLL
to log keystrokes.
Type: Worm
Virus Definitions: November 24, 2001
Threat Assessment:
    Wild: High
    Damage: Low
    Distribution: High
Wild:
    Number of infections: More than 1000
    Number of sites: 3 - 9
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Easy
Damage:
    Payload:
        Large scale e-mailing: Uses MAPI commands to send email.
        Compromises security settings: Installs keystroke logging Trojan horse.
Technical description:
This worm arrives as an email with one of several attachment names and a combination
of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the
following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.
Prevention methods:
1. Corporate email filtering systems should block all email that
has attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches
the names listed above. Any email that has
such an attachment should be deleted.
Removal instructions:
http://securityresponse.symantec.com/avcenter/refa.html#removal
1. Run LiveUpdate to make sure that you have the most recent
virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is
configured to scan all files. For instructions on
how to do this, read the document How to configure Norton
AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.
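Added example (not part of the original thread or of Symantec's writeup): a small Python attachment filter, in the style of a mail-gateway check, that implements the two prevention methods quoted above. The base names, extension sets and the registry/file details come from the writeup; the function names and the sample attachment list are constructed here.

```python
# Added example, not from the original email thread. Implements the two
# prevention methods quoted from the Symantec writeup: block every .scr/.pif
# attachment, and additionally recognise the exact Badtrans.B naming scheme
# <base>.<DOC|MP3|ZIP>.<pif|scr>. Function names and SAMPLE are constructed.
from typing import List, Tuple

BASE_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
              "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
FIRST_EXTS = {".doc", ".mp3", ".zip"}   # first appended extension
EXEC_EXTS = {".scr", ".pif"}            # second extension; blocked outright

def split_name(filename: str) -> Tuple[str, List[str]]:
    """Split 'CARD.DOC.PIF' into ('CARD', ['.doc', '.pif']).
    Comparison is case-insensitive: the writeup shows both CARD.DOC.PIF and
    .pif/.scr, and Windows ignores case when choosing the handler."""
    parts = filename.strip().split(".")
    return parts[0].upper(), ["." + p.lower() for p in parts[1:]]

def classify(filename: str) -> str:
    """Return 'badtrans' for the exact worm naming scheme, 'block' for any
    other attachment whose final extension is .scr/.pif, else 'allow'."""
    base, exts = split_name(filename)
    if not exts or exts[-1] not in EXEC_EXTS:
        return "allow"
    # Worm pattern: known base name, exactly two extensions, first from FIRST_EXTS
    if len(exts) == 2 and base in BASE_NAMES and exts[0] in FIRST_EXTS:
        return "badtrans"
    return "block"

def filter_message(attachments: List[str]):
    """Apply the policy to one message's attachment names.
    Returns (kept, rejected), each a list of (name, verdict) pairs."""
    kept, rejected = [], []
    for name in attachments:
        verdict = classify(name)
        (kept if verdict == "allow" else rejected).append((name, verdict))
    return kept, rejected

# Constructed sample: two worm-style names, one generic .pif, two benign files
SAMPLE = ["CARD.DOC.PIF", "news_doc.mp3.scr", "invoice.pif", "report.doc", "photo.zip"]

if __name__ == "__main__":
    kept, rejected = filter_message(SAMPLE)
    for name, verdict in rejected:
        print(f"rejected {name}: {verdict}")
    for name, _ in kept:
        print(f"kept     {name}")
```

The `block` verdict is the generic policy from prevention method 1; the `badtrans` verdict only adds a more specific label for alerting, since an exact name match is a strong signal that the sender's machine is infected.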