================================================
Subject: NCR - WARNING TO LISTERS - Re: Non-delivery of virus infected e-mail
From: "]\\[][G}{T§TÖ®]v["
To:
Date: Wed 10 Oct 2001 23:22:25 -0400
================================================

This is to inform everyone to be on the watch for a virus going around from one of the Creed listers. I am guessing that this person is unaware that they are infected, but this does not mean that anyone else here is not at risk. The virus going around is the W32/BadTrans@MM virus, and I received it from the jevan@netrover.com address with the subject line "Re: Re: NCR Email/browser question", which leads me to believe that it is for certain a list member that's infected. Below are the details on this virus, which can also be viewed at http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BADTRANS.A

TROJ_BADTRANS.A

Risk rating: MEDIUM
Virus type: Trojan
Destructive: No
Aliases: BADTRANS.A, W32.Badtrans.13312@mm, I-WORM.BADTRANS

- Description:

This memory-resident Internet worm propagates via email clients that use Windows sockets, such as Microsoft Outlook and Outlook Express. It replies to all unread email messages with itself as an attachment. The email sent by the worm has the same subject header and message body as the original email. The name of the sender will be the name of the user who is currently logged on to the infected computer. This worm also modifies WIN.INI so that it is executed at the next re-boot.

- Solution:

Automatic Removal:

You may download and apply Trend Micro's fix_badtrans clean tool ( http://www.antivirus.com/vinfo/security/fix_badtrans.exe ) to automatically clean your system. Trend Micro recommends that you view the readme_badtrans.txt ( http://www.antivirus.com/vinfo/security/readme_badtrans.txt ) before downloading and running the fix tool.

Manual Removal:

1. Click Start|Run, type REGEDIT.EXE and press the Enter key.
2. Press F3 to bring up the search window.
3. In the "Find What" text box, type the following text and then press the Enter key: KERN32.EXE
4. If the "KERN32.EXE" entry is found, make sure that the status bar at the bottom of the Regedit window reads as follows: My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
5. Right click the highlighted KERNEL32 text and then delete.
6. Close the Regedit window.
7. Click Start|Run, type SYSEDIT and then press the Enter key to open the System Editor window.
8. Within the System Editor window, click the WIN.INI window.
9. In the WIN.INI window, look for and delete the entry "C:\WINDOWS\INETD.EXE".
10. Save the changes and close the System Editor window.
11. Reboot your system.
12. Scan your system and delete all files detected as TROJ_BADTRANS.A. To do this, Trend customers must download the latest pattern and engine files and scan their system. Other email users may use HouseCall ( http://housecall.antivirus.com/ ), Trend Micro's free online virus scanner.

- Details:

Upon execution, this memory-resident Internet worm displays the following message box:

[ UNABLE TO DISPLAY IMAGE - AVAILABLE AT http://www.antivirus.com/vinfo/images/troj_badtrans_a.gif ]

This worm creates a copy of itself, INETD.EXE, in the Windows directory and then drops the files KERN32.EXE and CP_23421.NLS. KERN32.EXE is responsible for replying to unread email by using SMTP commands. The worm has its own engine that uses WSOCK32 functions to reply to unread email. The worm replies to all unread email messages with itself as an attachment. This email has the same subject header and message body as the original email. The name of the sender will be the name of the user who is currently logged on to the infected computer.

It also adds an entry "C:\%WINDIR%\INETD.EXE" (where %WINDIR% is the Windows directory) under the run key of the WIN.INI file, so that it executes at every Windows start-up.
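The two persistence points the write-up describes (a run= entry in the [windows] section of WIN.INI and a KERN32.EXE value under the RunOnce registry key) can be checked from offline copies of those artifacts. The following is an added example written for this page; it is not Trend Micro's fix tool or code from the advisory. It assumes a WIN.INI text and a RunOnce name-to-data mapping (both constructed samples here, not real captures) and flags entries that start any of the three dropped files named above. It does not read the live registry.

```python
import re

# Indicators quoted from the TROJ_BADTRANS.A write-up above:
# the files the worm drops into the Windows directory.
DROPPED_FILES = ("INETD.EXE", "KERN32.EXE", "CP_23421.NLS")


def parse_ini(text):
    """Minimal INI parser for WIN.INI-style files.

    Unlike configparser it tolerates duplicate keys, empty values and
    mixed case. Returns (section, key, value) tuples with section and
    key lower-cased.
    """
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def basename_upper(path):
    """Upper-cased file name of a Windows path, surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].upper()


def win_ini_findings(text):
    """Flag run=/load= programs in [windows] that match a dropped file."""
    findings = []
    for section, key, value in parse_ini(text):
        if section != "windows" or key not in ("run", "load"):
            continue
        # run= and load= may list several programs separated by spaces or commas
        for prog in re.split(r"[ ,]+", value):
            if prog and basename_upper(prog) in DROPPED_FILES:
                findings.append(f"WIN.INI [{section}] {key}= starts {prog}")
    return findings


def runonce_findings(values):
    """Flag RunOnce values whose name or target matches a dropped file.

    `values` maps value name -> data, as copied from a registry export
    (hypothetical input; nothing here touches the live registry).
    """
    findings = []
    for name, data in values.items():
        if name.upper() in DROPPED_FILES or basename_upper(data) in DROPPED_FILES:
            findings.append(f"RunOnce value {name!r} -> {data}")
    return findings


# Constructed WIN.INI as it might look on an infected host (not a real capture).
SAMPLE_WIN_INI = r"""
[windows]
load=
run=C:\WINDOWS\INETD.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed WIN.INI with empty autostart entries, for comparison.
CLEAN_WIN_INI = r"""
[windows]
load=
run=
"""

# Constructed RunOnce values (name -> data); the second is an unrelated entry.
SAMPLE_RUNONCE = {
    "kern32.exe": r"C:\WINDOWS\kern32.exe",
    "Setup Cleanup": r"C:\WINDOWS\TEMP\cleanup.exe",
}


def main():
    for line in win_ini_findings(SAMPLE_WIN_INI) + runonce_findings(SAMPLE_RUNONCE):
        print("FOUND:", line)
    if not win_ini_findings(CLEAN_WIN_INI):
        print("clean sample: no autostart indicators")


if __name__ == "__main__":
    main()
```

The check matches on file name only, so a hit is a prompt to inspect the referenced file and run a scanner with current patterns, as step 12 says, rather than proof of infection on its own.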
To unsubscribe or change your preferences for the Creed-Discuss list, visit: http://www.winduplist.com/ls/discuss/form.asp