================================================
Subject: Fw: NCR: look out~~!
From: ]\\[][G}{T§TÖR]v[
To:
Date: Sat 29 Sep 2001 17:01:18 -0400
================================================

In the same regards, I just received 5 messages from my ISP warning me about jevan@netrover.com (who IS a member of this list, and requested to be removed way back August 19th, and may not know they're infected... so if this is you, WAKE THE HELL UP AND GET A VIRUS SCANNER!!!). This person is infected with the W32/BadTrans@MM virus.

FREE ONLINE VIRUS SCANNER AT http://housecall.antivirus.com/... I SUGGEST TRYING IT.

¤]\[][G}{T§TÖR]v[¤
http://www.geocities.com/npicrash
NightStorm_Draco_@hotmail.com
Admin@AmericanPearlFan.cjb.net
NightStorm@isyourgod.cjb.net

TROJ_BADTRANS.A
( http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BADTRANS.A )

Aliases: BADTRANS.A, W32.Badtrans.13312@mm, I-WORM.BADTRANS

Description:
This memory-resident Internet worm propagates via email clients that use Windows sockets, such as Microsoft Outlook and Outlook Express. It replies to all unread email messages with itself as an attachment. The email sent by the worm has the same subject header and message body as the original email. The name of the sender will be the name of the user who is currently logged on to the infected computer. This worm also modifies WIN.INI so that it is executed at the next re-boot.

Solution:

Automatic Removal:
You may download and apply Trend Micro's fix_badtrans clean tool (http://www.antivirus.com/vinfo/security/fix_badtrans.exe) to automatically clean your system. Trend Micro recommends that you view the readme_badtrans.txt (http://www.antivirus.com/vinfo/security/readme_badtrans.txt) before downloading and running the fix tool.

Manual Removal:
1. Click Start|Run, type REGEDIT.EXE and press the Enter key.
2. Press F3 to bring up the search window.
3. In the "Find What" text box, type the following text and then press the Enter key:
   KERN32.EXE
4. If the "KERN32.EXE" entry is found, make sure that the status bar at the bottom of the Regedit window reads as follows:
   My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
5. Right click the highlighted KERNEL32 text and then delete.
6. Close the Regedit window.
7. Click Start|Run, type SYSEDIT and then press the Enter key to open the System Editor window.
8. Within the System Editor window, click the WIN.INI window.
9. In the WIN.INI window, look for and delete the entry "C:\WINDOWS\INETD.EXE".
10. Save the changes and close the System Editor window.
11. Reboot your system.
12. Scan your system and delete all files detected as TROJ_BADTRANS.A. To do this, Trend customers must download the latest pattern and engine files and scan their system. Other email users may use HouseCall (http://housecall.antivirus.com/), Trend Micro's free online virus scanner.

Details:
Upon execution, this memory-resident Internet worm displays the following message box:
(GO TO http://www.antivirus.com/vinfo/images/troj_badtrans_a.gif TO SEE THE IMAGE)

This worm creates a copy of itself, INETD.EXE, in the Windows directory and then drops the files KERN32.EXE and CP_23421.NLS. KERN32.EXE is responsible for replying to unread email by using SMTP commands. The worm has its own engine that uses WSOCK32 functions to reply to unread email.

The worm replies to all unread email messages with itself as an attachment. This email has the same subject header and message body as the original email. The name of the sender will be the name of the user who is currently logged on to the infected computer.

It also adds an entry "C:\%WINDIR%\INETD.EXE" under the RUN key of the WIN.INI file, where %WINDIR% is the Windows directory. It does this in order to execute at every Windows start up.
----- Original Message -----
From: Agnieszka
To: CREED-DISCUSS@WINDUPLIST.COM
Sent: Saturday, September 29, 2001 3:49 PM
Subject: NCR: look out~~!

Hi guys,

I received 3 mails with attachments from a guy called Davis (or so) in reply to my posts. I noticed the attachments were .pif, so look out for this and do not open it!

Agie

To unsubscribe or change your preferences for the Creed-Discuss list, visit:
http://www.winduplist.com/ls/discuss/form.asp
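Added example (not part of the original message, and not Trend Micro's fix tool): a small Python checker for the two persistence indicators the TROJ_BADTRANS.A description names, the INETD.EXE program on the run= line of WIN.INI and the KERN32.EXE value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. It works on text, so it can be pointed at a WIN.INI copied off a suspect machine or at a REGEDIT4 export of the RunOnce key rather than at the live registry. The sample WIN.INI and .reg contents are constructed, and the assumption that the RunOnce value is a plain string named KERNEL32 (the name the manual removal step has you delete) is mine.

```python
import re

# Persistence indicators quoted in the TROJ_BADTRANS.A description above.
WININI_INDICATOR = "INETD.EXE"
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_INDICATOR = "KERN32.EXE"

# Constructed sample inputs (not captured from a real infection). The .reg
# text uses the REGEDIT4 export format, in which backslashes in data are doubled.
SAMPLE_WININI = r"""
[windows]
load=
run=C:\WINDOWS\INETD.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

CLEAN_WININI = r"""
[windows]
load=
run=
"""

SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KERNEL32"="C:\\WINDOWS\\KERN32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"""


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_winini_autoruns(ini_text, indicator=WININI_INDICATOR):
    """Return (key, program) pairs from the [windows] run= and load= lines that
    name the indicator. Both lines hold a comma- or space-separated list of
    programs started at every Windows start-up, which is how the worm persists."""
    windows = parse_ini(ini_text).get("windows", {})
    hits = []
    for key in ("run", "load"):
        for program in re.split(r"[,\s]+", windows.get(key, "")):
            if program and indicator.lower() in program.lower():
                hits.append((key, program))
    return hits


def parse_reg_export(reg_text):
    """Minimal parser for a REGEDIT4 text export: {key_path: {value_name: data}}.
    Only string ("name"="data") values are kept; doubled backslashes are unescaped."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'"([^"]*)"="(.*)"$', line)
        if match and current is not None:
            keys[current][match.group(1)] = match.group(2).replace("\\\\", "\\")
    return keys


def find_runonce_indicator(reg_text, key_path=RUNONCE_KEY, indicator=RUNONCE_INDICATOR):
    """Return (value_name, data) pairs under key_path whose data names the indicator.
    Registry paths and file names are case-insensitive on Windows, so compare that way."""
    hits = []
    for path, values in parse_reg_export(reg_text).items():
        if path.lower() != key_path.lower():
            continue
        for name, data in values.items():
            if indicator.lower() in data.lower():
                hits.append((name, data))
    return hits


def scan(ini_text, reg_text):
    """Combine both checks into one report; all-empty lists mean neither indicator was found."""
    return {"win.ini": find_winini_autoruns(ini_text),
            "runonce": find_runonce_indicator(reg_text)}


if __name__ == "__main__":
    for source, hits in scan(SAMPLE_WININI, SAMPLE_REG).items():
        for location, entry in hits:
            print(f"{source}: {location} -> {entry}")
```

With a real export, pass the file's contents to scan() in place of the constructed samples. The checker deliberately covers the load= line as well as run=, since both are honoured at start-up, and a hit only tells you where the worm registered itself; the files INETD.EXE, KERN32.EXE and CP_23421.NLS still have to be found and removed by a scanner, as step 12 above says.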