Virus - Spyware - Spam - Scam - VACM Alerts from Automated PC Solutions
  Automated PC Solutions
      VACM - Virus Alerts for the Common Man

W32.BadTrans, new variant spreading fast


The VACM Archive is now online, click here...
To subscribe to VACM, click here...


Greetings from The VACM Team,

In this issue:
------------------------------------
- W32.BadTrans, new variant spreading fast
        This is a very nasty one, folks...

***************************************************
* The Bottom Line
***************************************************
BadTrans arrives as an email with an attached PIF or SCR file.

If you use Outlook Express, Netscape Messenger, Internet Mail and
News or Eudora, you are vulnerable. This virus uses the address books
from ALL of these email programs if you get infected!

If you have not done our "HowTo: Disable Hiding Of File Extensions" yet,
YOU WILL NOT SEE the ".PIF" or ".SCR" on the end of the file name.


If you double-click on the attachment, you will get infected and
the virus will mass-mail itself, probably as replies to unread
messages in your inbox.

The worst part:
The email messages it sends have randomly generated subjects and body texts.
They are generated from the contents of document and text files on YOUR
computer! As a result, the emails may contain your confidential information.

The virus sends itself as an email attachment, the name of
which is either the original name of the infected file or a randomly
generated name. It uses one of the following extensions: COM, BAT, PIF and
EXE. Sometimes it also attaches additional GIF, DOC or TXT files to the email.

It will also...
1. Infect .EXE and .SCR (Screensaver) files on your system.
2. Ensure that it starts itself each time you boot your system.

And depending on how much time has elapsed and some other random parameters,
it will do one or more of the following:

1. Overwrite your system's master boot record, making your system unable to boot.
2. Overwrite all files with the string "YOUARESHIT".
3. Display the message "Another haughty bloodsucker.......YOU THINK YOU ARE GOD,
          BUT YOU ARE ONLY A CHUNK OF SHIT".
4. Make your Desktop icons appear to "run away" from your mouse cursor.

This virus exploits a vulnerability in Internet Explorer (see below).

Even if you never use Internet Explorer, it is still on your system and
its settings are shared with various email programs. You need to get the
patch for this bug from Microsoft.

If you do not patch Internet Explorer (IE), your system allows files to be
delivered that would automatically execute when the email is opened.


***The speed at which this is spreading indicates that a great
many people have not updated their version of IE.  The patches
for this problem have been available from Microsoft since
March of 2001.

*************************************************************
* What You Should Do... do the following in the order shown
*************************************************************
1. Although this is the BadTrans virus, it is a variant.  This means
that you should make sure your AntiVirus software is COMPLETELY up
to date today (and every day)!

2. Your version of IE must be patched and current, whether you use
it or not.  See below to find out if you need to patch IE and where
to get the patches.

3. If you have not already done so, go to the VACM Archive page
and do the "HOW TO" article on "Disable Hiding Of File Extensions".
  HowTo: Unhide File Extensions

Why: the BadTrans email comes with a file attachment using the old
hidden file extension trick we've told you about for many months now.
For example, the attachment might look like "FUN.DOC" in your email
program, but is actually "FUN.DOC.PIF" or "FUN.DOC.SCR" which are
executable virus files if you end up double clicking on them.
If you disable hiding of file extensions, you would be able to see
the ".PIF", ".SCR", ".EXE", etc, on the end of the filename and you
would know not to double-click the attachment.  You might also want
to read the "Fear No Attachments" article at:
  Fear No Attachments

4. Consider doing all the "How To" articles on the VACM Archives page,
including:
  HowTo: Remove Windows Scripting Host
  HowTo: Turn off your Preview Pane
  HowTo: Disable Java and ActiveX In Your Email
These are one time changes to settings that will "harden" your system
against email worms and scripts a great deal.


************************************
* Do you need an IE Upgrade?
************************************
Start IE and click Help|About on the menu to see what version and
patches are installed on your system.

Once you know what version you have, check this list:

IE 4.x's status is unknown, probably *not* vulnerable but you should
install IE 5.01 SP2 if you are using that old an IE version.

IE 5.01 prior to SP2 is vulnerable (NOTE: may show as 5.00.3xxxx)
IE 5.01 SP2 is *not* vulnerable (NOTE: may show as 5.00.3xxxx)

IE 5.5 prior to SP2 is vulnerable
IE 5.5 SP2 and above is *not* vulnerable

IE 6.0 is *not* vulnerable (but has other problems. We recommend
     using IE Version 5.01 SP2 for the time being.  If you already
     have 5.5, apply the 5.5 patch or do a full install of IE
     version 6.)

*******************************************************
* Get your IE patches and upgrades from Microsoft
*******************************************************
(NOTE: if your email program causes any of the long HTTP addresses below
to wrap to two lines, be sure to copy and paste the ENTIRE address into your
browser manually)

1. Apply latest IE Service Pack for your version (if you need to, based
  on the table above):

  get IE 5.01 SP2
     IE 5.01 SP2 Upgrade

  get IE 5.5 SP2
     IE 5.5 SP2 Upgrade

THEN...

2. Apply MS01-027 patch...
     IE Vulnerability Patch MS01-027

  NOTE: You MUST have 5.01SP2 or 5.5SP2 installed prior to
              installing this patch!


...OR... If you don't mind upgrading to the somewhat "buggy" and more
            privacy-intrusive version 6 of IE...

1. Upgrade to IE 6.0 (follow the Microsoft instructions)
     IE version 6 Install




Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions

 

*** Be sure to check out the appendix at the end of this alert
if you are having trouble booting your computer into "Safe Mode".
The process is all spelled out for you there.

 


 

 

******** APPENDIX - Handy How-To Tips **********


  * How To Boot into Safe Mode

Shut the computer down so that the power is off.

Turn the computer on, wait 1 second and begin pressing the F8 key
on the keyboard, once every second repeatedly. Do this until
the Windows Startup Menu appears. If you get a keyboard
error, press F1 to resume and then continue pressing the
F8 key once every second, or your PC may tell you to press another key for BIOS setup.

Select Safe Mode from the Windows Startup Menu, then press
the Enter key on the keyboard.

Windows will then boot into Safe Mode.
NOTE: This may take longer than a normal boot.

At the end of the boot process a dialog box will appear
informing you that Windows is in Safe Mode. Click OK on this dialog box.

Windows is now in Safe Mode.

If you miss hitting the F8 at the right time, Windows will boot
normally and you will not see the "Safe Mode" message.  In this
case, start from the top of these instructions until you get the
boot menu screen where you can choose "Safe Mode".  This can be
a little tricky the first time you do it.

 

 

 

 
