================================================
Subject: Re: Fw: NCR: look out~~!
From:
To:
Date: Mon 1 Oct 2001 17:05:18 +0000
================================================

i had like a hundred of those things in my mailbox this morning! i deleted them all, even before i saw agie's warning, and yours...and what is a .pif anyhow? i don't ever recall seeing that extension before...

Lee

--
~~they laugh at us because we're different; we laugh at them because they're all the same~~Drowning Pool
~~Be careful what you learn, sometimes knowing burns~~Virgos Merlot

> In the same regards, I just received 5 messages from my ISP warning me about
> jevan@netrover.com (who IS a member of this list, and requested to be
> removed way back August 19th, and may not know they're infected... so if
> this is you, WAKE THE HELL UP AND GET A VIRUS SCANNER!!!).
> This person is infected with the W32/BadTrans@MM virus.
> FREE ONLINE VIRUS SCANNER AT http://housecall.antivirus.com/... I SUGGEST
> TRYING IT.
>
> ¤]\[][G}{T§TÖR]v[¤
> http://www.geocities.com/npicrash
> NightStorm_Draco_@hotmail.com
> Admin@AmericanPearlFan.cjb.net
> NightStorm@isyourgod.cjb.net
>
>
> TROJ_BADTRANS.A
> ( http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BADTRANS.A )
>
> Aliases:
> BADTRANS.A, W32.Badtrans.13312@mm, I-WORM.BADTRANS
>
> Description:
> This memory-resident Internet worm propagates via email clients that use
> Windows sockets, such as Microsoft Outlook and Outlook Express. It replies
> to all unread email messages with itself as an attachment. The email sent by
> the worm has the same subject header and message body as the original email.
> The name of the sender will be the name of the user who is currently logged
> on to the infected computer. This worm also modifies WIN.INI so that it is
> executed at the next re-boot.
>
> Solution:
>
> Automatic Removal:
> You may download and apply Trend Micro's fix_badtrans clean tool
> (http://www.antivirus.com/vinfo/security/fix_badtrans.exe) to
> automatically clean your system. Trend Micro recommends that you view the
> readme_badtrans.txt
> (http://www.antivirus.com/vinfo/security/readme_badtrans.txt) before
> downloading and running the fix tool.
>
> Manual Removal
> 1. Click Start|Run, type REGEDIT.EXE and press the Enter key.
> 2. Press F3 to bring up the search window.
> 3. In the "Find What" text box, type the following text and then press the
> Enter key:
> - KERN32.EXE
> 4. If the "KERN32.EXE" entry is found, make sure that the status bar at the
> bottom of the Regedit window reads as follows:
> - My Computer\HKEY_LOCAL_MACHINE\Software\
> - Microsoft\Windows\CurrentVersion\RunOnce
> 5. Right click the highlighted KERNEL32 text and then delete
> 6. Close the Regedit window.
> 7. Click Start|Run, type SYSEDIT and then press the Enter key to open the
> System Editor window.
> 8. Within the System Editor window, click the WIN.INI window.
> 9. In the WIN.INI window, look for and delete the entry,
> "C:\WINDOWS\INETD.EXE"
> 10. Save the changes and close the System Editor window.
> 11. Reboot your system.
> 12. Scan your system and delete all files detected as TROJ_BADTRANS.A. To do
> this, Trend customers must download the latest pattern and engine files and
> scan their system. Other email users may use HouseCall
> (http://housecall.antivirus.com/), Trend Micro's free online virus scanner.
>
> Details:
> Upon execution, this memory-resident Internet worm displays the following
> message box:
> (GO TO http://www.antivirus.com/vinfo/images/troj_badtrans_a.gif TO SEE THE
> IMAGE)
> This worm creates a copy of itself, INETD.EXE, in the Windows directory and
> then drops the files KERN32.EXE and CP_23421.NLS.
> KERN32.EXE is responsible for replying to unread email by using SMTP
> commands. The worm has its own engine that uses WSOCK32 functions to reply
> to unread email.
> The worm replies to all unread email messages with itself as an attachment.
> This email has the same subject header and message body as the original
> email. The name of the sender will be the name of the user who is currently
> logged on to the infected computer.
> It also adds an entry "C:\%WINDIR%\INETD.EXE" under the RUN key of WIN.INI
> file. Where %WINDIR% is the Windows directory. It does this in order to
> execute at every Windows start up.
>
> ----- Original Message -----
> From: Agnieszka
> To: CREED-DISCUSS@WINDUPLIST.COM
> Sent: Saturday, September 29, 2001 3:49 PM
> Subject: NCR: look out~~!
>
>
> Hi guys, I received 3 mails with attachments from a guy called Davis (or
> so) in reply to my posts, I noticed the attachments were .pif, so look out for
> this and do not open it!
>
> Agie
>
> To unsubscribe or change your preferences for the Creed-Discuss list, visit:
> http://www.winduplist.com/ls/discuss/form.asp
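
The two startup locations named in the quoted advisory (the run= line in the [windows] section of WIN.INI and the RunOnce registry key) can be checked read-only before following the manual removal steps. The sketch below is an added example, not part of the original thread and not Trend Micro's fix tool; the function names, the RunOnce values passed in as a dict, and the sample data are assumptions constructed for illustration.

```python
import ntpath
import re

# File names come from the advisory quoted in the thread.
WIN_INI_NAMES = {"INETD.EXE"}   # started from WIN.INI
RUNONCE_NAMES = {"KERN32.EXE"}  # started from the RunOnce key

def startup_entries(win_ini_text):
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep:
            continue
        if key.strip().lower() in ("run", "load"):
            # Assumption: programs are separated by spaces or commas and
            # their paths contain no spaces (true for the path on this page).
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key.strip().lower(), prog))
    return entries

def find_traces(win_ini_text, runonce_values):
    """runonce_values maps value name -> command line from the RunOnce key."""
    findings = []
    for key, prog in startup_entries(win_ini_text):
        if ntpath.basename(prog).upper() in WIN_INI_NAMES:
            findings.append(("WIN.INI", key, prog))
    for name, command in runonce_values.items():
        tokens = re.split(r'[\s"]+', command)
        if any(ntpath.basename(t).upper() in RUNONCE_NAMES for t in tokens):
            findings.append(("RunOnce", name, command))
    return findings

# Constructed sample data, not taken from a real machine.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\INETD.EXE
[Desktop]
run=C:\WINDOWS\INETD.EXE
"""
SAMPLE_RUNONCE = {"kernel32": r"C:\WINDOWS\KERN32.EXE",
                  "Setup": r"C:\SETUP\FINISH.EXE /q"}

if __name__ == "__main__":
    for finding in find_traces(SAMPLE_WIN_INI, SAMPLE_RUNONCE):
        print(finding)
```

Only the [windows] section is honoured, so the identical run= line under [Desktop] in the sample is ignored, as Windows itself would ignore it.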