From: owner-believers-digest@smoe.org (believers-digest)
To: believers-digest@smoe.org
Subject: believers-digest V5 #254
Reply-To: believers@smoe.org
Sender: owner-believers-digest@smoe.org
Errors-To: owner-believers-digest@smoe.org
Precedence: bulk

believers-digest        Tuesday, November 27 2001        Volume 05 : Number 254

In Today's believer's digest:
-----------------

Re: Virus Alert [Dennis Sousa ]
Re: Rockford loves Susan Werner... [PBCoustic@aol.com]
Latest info on the Badtrans virus [Dennis Sousa ]
chuck's post ["john vavrek" ]
Re: Latest info on the Badtrans virus [Leslie Dreyer Kalra ]

------------------------------

Subject: Re: Virus Alert

I have looked up the descriptions and symptoms that you described. As
mentioned by Ron, it is in fact the W32.Badtrans.b@mm virus. I am enclosing
a bit more information, payload and damage that is caused by this virus.
The article also has the removal method described by Symantec Anti Virus.
(If you don't have the Norton Anti virus program, steps 4 and 5 should be
helpful) (It's at the end of this email)

Hope this helps.

Dennis (Relation to Lori in NH)

Note: I am a computer professional for any questions that the group may
have in the future.

********************
Leslie Dreyer Kalra wrote:

> The filename of the attachment I got was humor.mp3.scr, if that helps. My
> mailreader thought it was an audio-wav file, for some reason, I guess
> because of the .mp3 part.
>
> I didn't open the attachment, just looked at the filename. I don't read
> e-mail under Windows, anyway.
>
> leslie
> *********************
> On Sat, 24 Nov 2001, Ron Rosen wrote:
>
> > If you receive(d) a message from me that has an old subject and an
> > attachment, do not open it. It is a new worm that I picked up today. It
> > sends old emails with attachments. If you got one of these and opened
> > it, scan your computer for infected files and follow your virus
> > protection software's instructions for deleting this worm.
> >
> > Here's a link that explains this virus
> > http://www.sarc.com/avcenter/venc/data/w32.badtrans.b@mm.html
> >
> > I think I got rid of mine. Here's what I did: I shut down windows and
> > restarted in MS-Dos. From there go to the windows\system or
> > windows\systems directory (i'm not sure if Systems is plural or not).
> > In that directory erase a file called kernel32.exe. I think that is the
> > offending file. I rescanned using McAfee and it did not show as
> > infected after I did this, so I think it might work
> >
> > HELP! owner-believers@smoe.org Send mail to believers@smoe.org
> > Susan's CD's are available on your desktop at World Cafe CDs
> > http://worldcafecds.com

*****************************************************

W32.Badtrans.B@mm

Discovered on: November 24, 2001
Last Updated on: November 24, 2001 at 12:19:48 PM PST

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several
different file names. This worm also drops a backdoor trojan that logs
keystrokes.

Type: Worm
Virus Definitions: November 24, 2001

Threat Assessment:
Wild: Medium
Damage: Low
Distribution: High

Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy

Damage:
Payload:
Large scale e-mailing: Sends email from addresses found in the default MAPI program.
Compromises security settings: Installs keystroke logging Trojan.

Technical description:
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions. The list of possible file names is:

HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the following:

.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the following:

.pif
.scr

The resulting file name would look something like this:

CARD.DOC.PIF
NEWS_DOC.MP3.SCR
HUMOR.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the
"\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:
1. Corporate email filtering systems should block all email that has
   attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the
   names listed above. Any email that has such an attachment should be
   deleted.

Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
   definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
   scan all files. For instructions on how to do this, read the document
   How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
5. Remove the registry value listed above.

Write-up by: Patrick Martin (Symantec)

------------------------------

Date: Mon, 26 Nov 2001 12:51:07 EST
From: PBCoustic@aol.com
Subject: Re: Rockford loves Susan Werner...

The Rockford show was very cool, indeed....

Chuck and others, I apologize for not arranging to hook up beforehand to
meet, but Suzie Tee and I were there in the front row, left side, prepared
to catch any notes that Susan dropped and kick 'em back into play... I took
a few "natural light" camera pics that I'll post somewhere when I get
home... Memorial Hall is a very cool venue...

During several of the songs, Susan was literally STOMPING her foot onto the
stage, creating this huge, booming percussion accompaniment to her tunes...
very effective... And the overall sound quality was excellent, and as
usual, she was right on.... with a couple great new tunes as well... and
the finale of "La Vie" was one that my friend Suzie had never heard her do
live, and as soon as Susan started singing it, she GRABBED my arm, sinking
fingernails at LEAST two inches deep into my bicep.... (but it was a good
hurt)

We got a chance to chat some with her afterwards ("now wait a minute...
you're here all the way from Texas, and you're here from Michigan???
Great!"), and even offered to be her "roadies" since Jane wasn't there, but
she declined...

And as we left the venue, there were a couple cars out on the street
booming with rap music(?), and we both stopped and said, "Let's go back
inside where the REAL music is...."... but continued to the car...

An excellent night... Suze, you are something else!!!

Paul

------------------------------

Date: Mon, 26 Nov 2001 15:25:26 -0500
From: Dennis Sousa
Subject: Latest info on the Badtrans virus

There is a new variant of this virus you all should be aware of. It is
unknown what virus that Ron (without his consent, obviously) transmitted.
(Sorry Ron, I know it's not your fault and appreciate the "heads up" that
you sent to the list!) There is a patch from Microsoft that will take care
of this and it is listed in the email that I have enclosed below.

Thanks,
Dennis (related to Lori in NH)

Hope this is helpful
DS

Badtrans worm leaves backdoors, logs data
By Sam Costello
November 26, 2001 9:42 am PT

A NEW VARIANT of a mass-mailer Internet worm that installs a backdoor
program which can allow attackers to access recipients' computers was
spreading on the Internet Monday, according to virus alerts from a number
of anti-virus companies.

The worm, called Badtrans.B, is a new variant of the older Badtrans virus,
according to anti-virus companies. The variant is executed when a user
opens an infected e-mail and does not require a user to click on an
attachment, as many mass mailer worms do, according to Activis and
TruSecure virus alerts. The worm exploits a security vulnerability in
Microsoft's Outlook and Outlook Express e-mail clients to automatically
execute the attachment when the e-mail is opened, they said.

Badtrans is even more devious in that it arrives in the recipient's in-box
with a "Re:" subject line to an e-mail actually sent by the user, according
to McAfee.com and TruSecure.

There is some disagreement, however, as to what happens after the worm is
executed. According to TruSecure and Network Associates, the parent company
of McAfee.com, the worm will send itself to all e-mail addresses listed in
unread messages in the victim system's inbox. Activis, however, contends
that the worm sends itself to all addresses listed in the user's address
book, much like other mass mailers.

What happens next isn't in doubt, however, as all companies agree that the
worm then installs a Trojan horse, or backdoor, program that will allow an
attacker to gain access to the infected computer and then attempts to send
the IP address of the infected machine to the worm's author.

After execution, Badtrans also runs a keylogger program that can record all
data entered via the keyboard, including passwords, credit card numbers,
and other personal information, according to Activis and McAfee.com. The
data gathered by the keylogger is saved in encrypted form on the system's
hard drive, they said.

The worm will appear in e-mail boxes with either no text in the body of the
message or some of the original message's text, the companies said. The
attachments included with the worm will appear to be .MP3, .DOC, or .ZIP
files, but are actually double extension files with .SCR or .PIF
extensions, the companies said. These attachments are 13,312 bytes in
length, according to Network Associates.

The companies recommended that users update their anti-virus software
immediately and that companies block the transfer of attached files at
their e-mail gateways. Users are also urged to apply the patch to close the
security hole that the worm exploits. The patch can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp.

------------------------------

Date: Mon, 26 Nov 2001 18:42:29 -0800
From: "john vavrek"
Subject: chuck's post

thank you Chuck, for a well-reported show! now, if i could get a few
reports like that every season, i wouldn't get quite so Werner-starved! i
know how much fun it is to take a new person to hear Susan, but on a night
like you described, it must be especially exhilarating.

someone mentioned Susan recording a show for Mountain Stage, or some such
program. anybody have any news to share on that? i haven't seen anything
listed on the usual websites.

ta ta
john

------------------------------

Date: Mon, 26 Nov 2001 22:08:37 -0500 (EST)
From: Leslie Dreyer Kalra
Subject: Re: Latest info on the Badtrans virus

Thanks for the info Dennis!

I think one of the best ways to avoid being infected by viruses like these
(if you're cautious about attachments) is to use something other than
Outlook [Express] to read e-mail. It's a big, buggy target, and there are
lots of free alternatives out there (Netscape and Eudora are two that come
immediately to mind). I think Outlook Express is the only mailreader that
will automatically run an attachment like that. I think it's possible to
turn that off, if I remember correctly, but I haven't a clue how, since
I've never used Outlook. It's pretty dopey default behavior in the current
climate, isn't it?

An even better way to avoid most viruses (not all) is to use some operating
system other than Windows, but that's not realistic for most of us...:)
Maybe someday we'll overthrow the Microsoft world, but that's a discussion
for a different list...

And now back to your regularly scheduled programming...

leslie
Certified Unix-Head (also a computer professional, though currently on the
shelf :)

------------------------------

End of believers-digest V5 #254
*******************************

---------------------------------------------------------------------------
This has been a posting from the Susan Werner believers-digest
To unsubscribe send mail to Majordomo@smoe.org with
"unsubscribe believers-digest" in the body of the message
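The Symantec write-up quoted earlier in this digest gives a mail gateway two prevention rules (block every .scr and .pif attachment; treat the listed base names with the .DOC/.MP3/.ZIP decoy extension as the worm), and the Sam Costello article adds the 13,312-byte attachment length reported by Network Associates. The Python below is an added example that is not code from the digest, from Symantec or from Network Associates; it implements those rules as an attachment screen of the kind a gateway filter would run. The function and class names are the example's own, and the sample filenames and sizes are constructed, with humor.mp3.scr taken from Leslie's report on the list.

```python
"""Attachment screen for the Badtrans.B naming pattern (added example).

Not code from the digest, Symantec or Network Associates. It applies the
two prevention rules from the Symantec write-up and uses the 13,312-byte
attachment length from the Costello article as a supporting indicator.
Function and class names are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Indicators taken from the Symantec write-up quoted in the digest.
BADTRANS_BASENAMES = {
    "HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
    "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS",
}
DECOY_EXTS = {".doc", ".mp3", ".zip"}   # first (decoy) extension
EXEC_EXTS = {".pif", ".scr"}            # second extension: what Windows actually runs
BADTRANS_B_SIZE = 13312                 # bytes, per Network Associates (Costello article)


@dataclass
class Verdict:
    action: str   # "block" or "allow"
    reason: str


def split_name(filename: str) -> Tuple[str, str, str]:
    """Return (base, decoy_ext, final_ext); extensions lower-cased, dot kept.

    The final extension decides how Windows treats the file, which is why
    'humor.mp3.scr' is a screensaver executable and not audio, whatever a
    mail client guesses from the '.mp3' in the middle.
    """
    parts = filename.rsplit(".", 2)
    if len(parts) == 3:
        base, first, last = parts
        return base, "." + first.lower(), "." + last.lower()
    if len(parts) == 2:
        return parts[0], "", "." + parts[1].lower()
    return filename, "", ""


def screen_attachment(filename: str, size: Optional[int] = None) -> Verdict:
    """Gateway rule: block executables outright, name the worm when the pattern matches."""
    base, decoy_ext, final_ext = split_name(filename)
    if final_ext not in EXEC_EXTS:
        # Prevention method 1 only concerns .scr and .pif; other types pass this screen.
        return Verdict("allow", "no Badtrans indicators")
    if base.upper() in BADTRANS_BASENAMES and decoy_ext in DECOY_EXTS:
        detail = "matches the W32.Badtrans.B@mm attachment name pattern"
        if size == BADTRANS_B_SIZE:
            detail += f" and the reported size of {BADTRANS_B_SIZE} bytes"
        return Verdict("block", detail)
    # Generic executable attachment: blocked by policy even without the worm's name.
    return Verdict("block", f"executable attachment type {final_ext}")


def screen_mailbox(attachments) -> dict:
    """Map each (filename, size) pair to its verdict."""
    return {name: screen_attachment(name, size) for name, size in attachments}


if __name__ == "__main__":
    # Constructed sample attachments; the first is the name reported on the list.
    samples = [
        ("humor.mp3.scr", 13312),
        ("CARD.DOC.PIF", 13312),
        ("setup.pif", 40960),
        ("quarterly_report.doc", 88064),
        ("setlist.mp3", 3145728),
    ]
    for name, verdict in screen_mailbox(samples).items():
        print(f"{name:24} {verdict.action:6} {verdict.reason}")
```

The size check is deliberately only a supporting detail: the write-up's rule is to block the attachment types regardless, so a size mismatch never downgrades a verdict.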