WARNING: New badtrans variant

jasonl99

Member
Nov 16, 1999
54
0
0
http://vil.nai.com/vil/virusSummary.asp?virus_k=99069

Executive summary: there's a new strain of this virus that's starting to pop up all over the place. I've seen no less than two dozen attempts in the past two days, where I hadn't seen it at all in the past six months.

At the very least, don't open any attachments with the following filenames:

Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

---

Thanks for the alert. Stuck to the top for a few days for the benefit of our members.

AnandTech Moderator
 

Hossenfeffer

Diamond Member
Jul 16, 2000
7,462
1
0
I had this worm emailed to me as well. The antivirus software caught it, but it's semi-nasty in that it executes automatically. Looks like it may try to install a trojan horse that logs keystrokes and attempts to send your IP address back to the author.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.

Check your registry for that key. If it's there, get ye to an anti-virus program.

Symantec's info on the worm

McAfee's info on the worm

 

Scuttle

Senior member
Sep 22, 2001
259
0
0


<< norton keeps me protected :)

my mom got that in an e-mail last night.
>>



Norton allows me to sleep safe at night. :D I have Norton run regular checks and scans. :)
 

Soccer55

Golden Member
Jul 9, 2000
1,660
4
81


<< *.scr is used for screensavers, but what is *.pif? >>


.pif is a Program Information File

-Tom
 

jamison

Platinum Member
Mar 7, 2001
2,326
0
86
Got that email today from an Anandtech member actually... :(

Maybe he is infected?
It ended in .scr and outlook said it deleted the attachment due to the fact it could cause harm...I deleted the email also.
 

Hossenfeffer

Diamond Member
Jul 16, 2000
7,462
1
0
One helpful thing is to have your anti-virus program update daily. Easy to do, and helps keep yer 'pooter bug free.
 

Bozz

Senior member
Jun 27, 2001
918
0
0
You should be more aware never to open anything with executable attachments unless you know someone who created the file with the intention of sending it to you.

Avoid these extensions:

scr
vbs
exe
bat
pif

There are others but I can't think of them now.
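
The filenames in the first post and the extensions listed here share one pattern: a document-looking name (TXT, DOC, ZIP, MP3) in front of an executable final extension, and later posts note that the worm's messages often carry a bare "Re:" subject. As an added example, not code from the thread, here is a Python triage routine that flags both on a constructed MIME message; the extension set is taken from this post:

```python
# Added example (not code from the thread): flag the warning signs the posts
# describe: executable final extensions, double extensions, blank "Re:" subject.
import email
from email import policy

# Final extensions the thread says never to open.
EXECUTABLE_EXTS = {"scr", "vbs", "exe", "bat", "pif"}


def classify_filename(name):
    """Return the reasons an attachment name looks dangerous (empty list = none)."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # Humor.TXT.pif, Pics.ZIP.scr: the inner extension disguises the real type
        if len(parts) > 2:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def triage_message(raw):
    """Map each attachment filename to its warnings; a bare 'Re:' subject is flagged too."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    if (msg["Subject"] or "").strip().lower() == "re:":
        findings["<subject>"] = ["blank 'Re:' subject line"]
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            findings[name] = classify_filename(name)
    return findings


# Constructed sample message carrying one disguised executable attachment.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
Subject: Re:
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Humor.TXT.pif"
Content-Disposition: attachment; filename="Humor.TXT.pif"

placeholder-bytes
--b1--
"""

if __name__ == "__main__":
    for name, reasons in triage_message(SAMPLE_MESSAGE).items():
        print(name, "->", reasons or ["ok"])
```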
 

Hossenfeffer

Diamond Member
Jul 16, 2000
7,462
1
0


<< You should be more aware never to open anything with executable attachments unless you know someone who created the file with the intention of sending it to you. >>



This particular worm will open automatically for most people using Microsoft Outlook or Outlook Express. For many people, they'll never have the choice not to open the message. The code runs if you even view the message and will often show with a blank "Re:" subject line.
 

JellyBaby

Diamond Member
Apr 21, 2000
9,159
1
81
!@#$% this thing caused Outlook 98 to GPF today as it choked during the autopreview of a "Re:" message. The worm didn't bite but since the email was downloaded and positioned at the top of my inbox, Outlook would continually lockup when I launched it.

I had to create a brand new database and figure out how to import everything except unread messages from the old database. This was a major PITA because "personal folders" kept piling up in Outlook. I had to hack the registry and delete loads of keys to fix everything. :(
 

ChrichtonsGirl

Platinum Member
Aug 24, 2000
2,454
1
0
I've gotten a couple copies of the Napster-looking e-mail already. I use Outlook, but have it set to never execute unless I give permission, so I got a warning pop-up asking me if I wanted to open or save the file and I was able to delete it immediately.
 

ugh

Platinum Member
Feb 6, 2000
2,563
0
0
Will the worm do any damage if I'm using Netscape Messenger 4.7?
 

jamison

Platinum Member
Mar 7, 2001
2,326
0
86


<< This particular worm will open automatically for most people using Microsoft Outlook or Outlook Express. >>



I use outlook express, and when I received the message it was marked as "read" but said it stopped a script from displaying. I then deleted the message.

Also, I checked for that registry key and it isn't there, so I guess I am safe, correct?
 

MaxDSP

Lifer
May 15, 2001
10,056
0
71
I got infected with the YOU_are_FAT!TXT.PIF. Funny thing is, I use Outlook Express to sync all 3 of my Hotmail accounts and it downloaded a message sent to my main account containing the trojan. Just to be safe, I logged in to the Hotmail website and Hotmail reported "No Virus Found". Just to be on the safe side, I scanned the downloaded file with Panda AV Platinum and that also reported no viruses. I occasionally receive e-mails from people that surf through my site and this looked like one of those people, and against my better judgement, I executed it. Once double-clicked, the icon disappeared and I got extremely suspicious.

A few hours later, I synced my accounts again and my POP3 (non-webbased) account with Earthlink had like 8 messages saying that "my" e-mails were being returned because they contained a virus. Thing that finally got me was when MrCodeDude sent me a reply telling me:

(hope he doesn't mind)



<< Seriously, if you're going to send me a virus, perhaps it shouldn't be titled: stuff.mp3.pif First of all, who would call an mp3 file "stuff" ? You have to be really stupid to open it. I just thought I'd alert you that you have a virus on your system.. Mainly since you sent me an email with the virus attached.
>>



Now I gotta get rid of it. I'll read the rest of the thread now on how to accomplish that.
Dammit, I'm losing credibility as a PC geek.
 

minendo

Elite Member
Aug 31, 2001
35,560
22
81
OK, I just got it as images.doc.pif from Mr. A. However, I am pretty sure as to where it came from because the subject was RE: Payment for GT3, an item I bought off of a member from AnandTech. Damn worms, my AV didn't catch it but it tried to open and download but I just clicked cancel. So now I am downloading updates and running a full system scan. This is the first worm I have ever gotten.
 

MaxDSP

Lifer
May 15, 2001
10,056
0
71
On the McAfee website, it says


<<
- Presence of the file %WinDir%\INETD.EXE
- Presence of the file %SysDir%\KERN32.EXE
- Presence of the file %SysDir%\KERNEL32.EXE
- Email correspondence noting that you've sent them an attachment when you did not.
>>



Of those four, I only had the last one happen. I cannot find any of the other files mentioned. I'm also running Win2K Pro. The only registry key I can find that may relate is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows\Programs=com exe bat pif cmd

Should I delete that line?
 

wedi42

Platinum Member
Jun 9, 2001
2,843
0
76
I got 2 infected emails yesterday and 5 today.
That's a lot for me considering I usually get 1 or 2 emails a day.
I don't recognize any of the senders; I think it's because I used to sell a lot on eBay.
I think some of my customers added me to their address book.

Good ol' Norton saved me every time.
I need to call and warn my mother now.
 

Geekbabe

Moderator Emeritus, Elite Member
Oct 16, 1999
32,229
2,539
126
www.theshoppinqueen.com


<< I got 2 infected emails yesterday and 5 today.
That's a lot for me considering I usually get 1 or 2 emails a day.
I don't recognize any of the senders; I think it's because I used to sell a lot on eBay.
I think some of my customers added me to their address book.

Good ol' Norton saved me every time.
I need to call and warn my mother now.
>>



Thank God for Norton! I have literally been under siege with these infected emails!
 

Mitzi

Diamond Member
Aug 22, 2001
3,775
1
76


<< Got that email today from an Anandtech member actually... :(

Maybe he is infected?
It ended in .scr and outlook said it deleted the attachment due to the fact it could cause harm...I deleted the email also.
>>



Me too... Norton didn't get a chance to detect it; I downloaded the latest DAT updates just in case.