Catching it just fine here.....

Declude Virus caught a virus with the subject "Re:" 
from [email protected] to:  [email protected].

The Virus name is : W32/Badtrans.B@mm.
The filename is Me_nude.MP3.scr.

The spool file name is D61ef062.SMD.


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dale Chavez
> Sent: Monday, November 26, 2001 7:08 AM
> To: Imail Forum
> Subject: [IMail Forum] Declude Catch BadTrans Virus?
> 
> 
> Just received this new virus warning this morning and was wondering if 
> Declude will indeed catch and quarantine this new one?
> 
> Thanks,
> Dale
> 
> +----------------------------------------------------
> 
> From: [EMAIL PROTECTED]
> To: MS Outlook::VirusEye Subscriber
> 
> Subject: BadTrans Virus Alert
> Date: 11/26/01 4:55 AM
> 
> Dear VirusEye Alert Subscriber,
> 
> There is a new and dangerous virus in circulation with the key details 
> as follows:
> 
> - Virus name:  BadTrans
> 
> - Official name: W32/BadTrans.B-mm
> 
> - Number of copies seen so far: 11,384
> 
> - Time & Date first Captured: 23 Nov 2001 18:40:36 GMT
> 
> - Origin of first intercepted copy: UK
> 
> - Number of countries seen active: 34
> 
> - Top three most active countries: UK, US, Germany
> 
> Distribution Potential:
> 
> MessageLabs are intercepting the BadTrans.B virus at a rate of 100 per 
> minute and it is one of the fastest spreading viruses we have ever seen.
> 
> The virus is now widespread - we have stopped copies coming from over 30 
> countries and it has replaced SirCam at No. 1 in MessageLabs' daily top 
> 10 which had occupied the No. 1 spot for over 4 months.
> 
> Technical Information:
> 
> Propagation:
> 
> The virus makes use of the ms01-020 exploit, which means that the virus 
> can execute on reading or previewing the email from within Microsoft 
> Outlook - it is not necessary to double click on any attachment.
> 
> Subject:
> 
> Subject line is selected from an email in the infected user's PC and 
> prefixed with 'Re: '
> 
> Attachment:
> 
> Variable - built up from several elements.  Examples include:
> 
>      S3MSONG.DOC.scr
>      Pics.DOC.scr
>      HUMOR.MP3.scr
>      Sorry_about_yesterday.MP3.pif
>      README.MP3.scr
>      ME_NUDE.MP3.scr
>      fun.MP3.pif
>      NEWS_DOC.DOC.scr
>      docs.DOC.pif
>      images.DOC.pif
>      HAMSTER.DOC.pif
>      SEARCHURL.MP3.pif
> 
> Payload:
> 
> The virus also drops a password stealing Trojan KDLL.DLL previously 
> identified as Trojan.PSW.Hooker.  The trojan component uses key logging 
> to send confidential information (passwords, credit card details etc.) 
> from infected computers to the email address:
> 
>       [EMAIL PROTECTED]
> 
> The trojan component moves itself to the Windows system directory with 
> the filename KERN32.EXE, drops an additional library (key logger) with 
> filename HKSDLL.DLL.
> 
> The trojan registers itself in the Registry in RunOnce key:
> 
>                 HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
>                   kernel32 = kern32.exe
> 
> Windows loads the trojan file on each restart.
> 
> 
> Please visit http://www.ipswitch.com/support/mailing-lists.html 
> to be removed from this list.
> 
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> 
> 

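Every attachment name listed in the alert pairs a harmless-looking extension (MP3, DOC) with an executable one (.scr or .pif). The following is an added example, not part of the original thread and not Declude's own logic, showing a gateway-side check for that pattern. The extension set beyond .scr/.pif, the function names and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# .scr and .pif are the endings named in the alert; the others are an assumed,
# non-exhaustive addition of extensions Windows runs directly.
EXECUTABLE_EXTS = {"scr", "pif", "exe", "com", "bat", "cmd", "vbs"}


def classify(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Keep the base name only; Windows ignores trailing dots and spaces,
    # so "x.scr. " still runs as x.scr.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    decoy = parts[-2] if len(parts) >= 3 else ""
    # A short alphanumeric token before the real extension (MP3, DOC) makes
    # the file look like media or a document when extensions are hidden.
    if 1 <= len(decoy) <= 4 and decoy.isalnum():
        return "double-extension"
    return "executable"


def scan_message(msg):
    """List (filename, verdict) for every attachment that should be quarantined."""
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename and classify(filename) != "ok":
            hits.append((filename, classify(filename)))
    return hits


def build_sample():
    """Constructed test message; the first attachment name is one from the alert."""
    msg = EmailMessage()
    msg["Subject"] = "Re:"
    msg.set_content("constructed body")
    for name in ("ME_NUDE.MP3.scr", "notes.txt"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"quarantine {filename}: {verdict}")
```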