================================================
Subject: Re: NCR - WARNING TO LISTERS - Re: Non-delivery of virus infected e-mail
From:
To:
Date: Thu 11 Oct 2001 12:51:49 +0000
================================================

yeah, i had another dozen emails in a row from this person...i emailed them, asked them to stop emailing me and to run a virus scan...as if they'll listen! LOL...perhaps i'll email ed and ask him to block that addy or remove them from the list, huh?

Lee
--
~~they laugh at us because we're different; we laugh at them because they're all the same~~Drowning Pool
~~Be careful what you learn, sometimes knowing burns~~Virgos Merlot

> This is to inform everyone to be on the watch for a virus going around from
> one of the Creed listers. I am guessing that this person is unaware that
> they are infected, but this does not mean that anyone else here is not at
> risk.
> The virus going around is the W32/BadTrans@MM virus, and I received it from
> the jevan@netrover.com address with the subject line " Re: Re: NCR
> Email/browser question ", which leads me to believe that it is for certain
> a list member that's infected.
> Below are the details on this virus, which can also be viewed at
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BADTRANS.A
>
> TROJ_BADTRANS.A
> Risk rating: MEDIUM
> Virus type: Trojan
> Destructive: No
>
> Aliases:
> BADTRANS.A, W32.Badtrans.13312@mm, I-WORM.BADTRANS
> -
> Description:
> This memory-resident Internet worm propagates via email clients that use
> Windows sockets, such as Microsoft Outlook and Outlook Express. It replies
> to all unread email messages with itself as an attachment. The email sent by
> the worm has the same subject header and message body as the original email.
> The name of the sender will be the name of the user who is currently logged
> on to the infected computer. This worm also modifies WIN.INI so that it is
> executed at the next re-boot.
> -
> Solution:
> Automatic Removal:
> You may download and apply Trend Micro's fix_badtrans clean tool (
> http://www.antivirus.com/vinfo/security/fix_badtrans.exe ) clean tool to
> automatically clean your system. Trend Micro recommends that you view the
> readme_badtrans.txt (
> http://www.antivirus.com/vinfo/security/readme_badtrans.txt ) before
> downloading and running the fix tool.
>
> Manual Removal
> 1. Click Start|Run, type REGEDIT.EXE and press the Enter key.
> 2. Press F3 to bring up the search window.
> 3. In the "Find What" text box, type the following text and then press the
> Enter key:
> KERN32.EXE
> 4. If the "KERN32.EXE" entry is found, make sure that the status bar at
> the bottom of the Regedit window reads as follows:
> My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> 5. Right click the highlighted KERNEL32 text and then delete
> 6. Close the Regedit window.
> 7. Click Start|Run, type SYSEDIT and then press the Enter key to open the
> System Editor window.
> 8. Within the System Editor window, click the WIN.INI window.
> 9. In the WIN.INI window, look for and delete the entry,
> "C:\WINDOWS\INETD.EXE"
> 10. Save the changes and close the System Editor window.
> 11. Reboot your system.
> 12. your system and delete all files detected as TROJ_BADTRANS.A. To do
> this, Trend customers must download the latest pattern and engine files and
> scan their system. Other email users may use HouseCall (
> http://housecall.antivirus.com/ ), Trend Micro's free online virus scanner.
> -
> Details:
> Upon execution, this memory-resident Internet worm displays the following
> message box:
>
> [ UNABLE TO DISPLAY IMAGE - AVAILABLE AT
> http://www.antivirus.com/vinfo/images/troj_badtrans_a.gif ]
>
> This worm creates a copy of itself, INETD.EXE, in the Windows directory and
> then drops the files KERN32.EXE and CP_23421.NLS.
>
> KERN32.EXE is responsible for replying to unread email by using SMTP
> commands. The worm has its own engine that uses WSOCK32 functions to reply
> to unread email.
>
> The worm replies to all unread email messages with itself as an attachment.
> This email has the same subject header and message body as the original
> email. The name of the sender will be the name of the user who is currently
> logged on to the infected computer.
>
> It also adds an entry "C:\%WINDIR%\INETD.EXE" under the RUN key of WIN.INI
> file. Where %WINDIR% is the Windows directory. It does this in order to
> execute at every Windows start up.
>
> To unsubscribe or change your preferences for the Creed-Discuss list, visit:
> http://www.winduplist.com/ls/discuss/form.asp
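
The two persistence checks from the manual removal steps quoted above, as an added example that is not part of the original message or of Trend Micro's tooling. It assumes the WIN.INI text and the RunOnce values have already been exported for offline review; the function names and sample data are hypothetical, and the `[windows]` section and `load=` key are standard WIN.INI startup locations rather than details from the advisory.

```python
import re

# Artifact names taken from the advisory quoted above.
WIN_INI_NAMES = {"INETD.EXE"}   # entry added to the run= line of WIN.INI
RUNONCE_NAMES = {"KERN32.EXE"}  # entry under ...\CurrentVersion\RunOnce

def basename(path):
    """Upper-cased last path component, quotes removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1].upper()

def win_ini_startup_entries(text):
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep:
            continue
        key = key.strip().lower()
        if key in ("run", "load"):
            # Several programs may be listed, separated by spaces or commas.
            entries += [(key, p) for p in re.split(r"[,\s]+", value) if p]
    return entries

def find_badtrans_traces(win_ini_text, runonce_values):
    """runonce_values: dict of value name -> command line (e.g. from a .reg export)."""
    hits = [("WIN.INI", key, prog)
            for key, prog in win_ini_startup_entries(win_ini_text)
            if basename(prog) in WIN_INI_NAMES]
    for name, cmd in runonce_values.items():
        if any(basename(tok) in RUNONCE_NAMES for tok in cmd.split()):
            hits.append(("RunOnce", name, cmd))
    return hits

# Constructed sample data, not taken from a real system.
SAMPLE_WIN_INI = ("[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\nNullPort=None\n"
                  "[Desktop]\nrun=C:\\WINDOWS\\INETD.EXE\n")
SAMPLE_RUNONCE = {"kernel32": "kern32.exe", "Setup": "C:\\WINDOWS\\setup.exe /q"}

if __name__ == "__main__":
    for hit in find_badtrans_traces(SAMPLE_WIN_INI, SAMPLE_RUNONCE):
        print(hit)
```

Only `run=` and `load=` lines inside `[windows]` are treated as startup entries, so the same text in another section is not reported.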