1. RE: VIRUS ALERT!

Here is some info about the virus that Mike's got...

Win32.Badtrans.13312
Badtrans is a worm spreading via e-mail. The worm replies to all unread
messages and attaches itself using one of the following 16 names:

fun.pif
Humor.TXT.pif
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif
Me_nude.AVI.pif
Card.pif
SETUP.pif
searchURL.scr
YOU_are_FAT!.TXT.pif
hamster.ZIP.scr
news_doc.scr
New_Napster_Site.DOC.scr
README.TXT.pif
images.pif
Pics.ZIP.scr

When a user opens the attachment, the worm copies itself to the Windows
directory as:

inetd.exe

and modifies the file win.ini by including the line executing that program.

Additionally, the Badtrans worm drops a backdoor trojan
(Win32.Badtrans.21882 Trojan). The worm creates and executes a 21882-byte
file in the Windows System directory:

kern32.exe

and modifies the registry in order to run it on the next reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

The Trojan, which is in fact a backdoor server, also uses its own library:
hksdll.dll (a 5632-byte file created in the same directory).

-----------

I use VET (www.vet.com.au) as my virus checker and it caught this one
before it could do any damage.

cheers,
Derek Parnell
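
The indicators listed in the post above can be checked mechanically. The following is an added example, not part of the original post: it flags attachment names that end in the extensions the post lists and looks for the dropped file names in win.ini autostart lines and RunOnce values. The function names, the sample win.ini text and the sample RunOnce data are constructed, and treating the `load=`/`run=` lines of the `[windows]` section as the win.ini line the post refers to is an assumption.

```python
import re

# Indicator names below are taken from the post; everything else is constructed.
DROPPED_FILES = {"inetd.exe", "kern32.exe", "hksdll.dll"}
EXEC_EXTS = {"pif", "scr"}                        # final extensions of the 16 names
DECOY_EXTS = {"txt", "doc", "mp3", "avi", "zip"}  # harmless-looking middle extensions

def attachment_risk(name):
    """Classify an attachment name: 'double-extension', 'executable' or None."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    return "double-extension" if len(parts) > 2 and parts[-2] in DECOY_EXTS else "executable"

def win_ini_autostarts(text):
    """Programs on load=/run= lines in the [windows] section of win.ini.
    Assumption: these are the autostart lines meant by the post."""
    section, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run"):
            found += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return found

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()

def persistence_hits(win_ini_text, runonce_values):
    """Return (location, value) pairs that reference a file named in the post."""
    hits = [("win.ini", p) for p in win_ini_autostarts(win_ini_text)
            if basename(p) in DROPPED_FILES]
    hits += [("RunOnce\\" + name, data) for name, data in runonce_values.items()
             if basename(data) in DROPPED_FILES]
    return hits

# Constructed sample data, for illustration only.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\inetd.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUNONCE = {"kernel32": "kern32.exe", "Updater": r"C:\Tools\update.exe"}

if __name__ == "__main__":
    print(persistence_hits(SAMPLE_WIN_INI, SAMPLE_RUNONCE))
```

On a live system the RunOnce dictionary would be filled from the key quoted in the post; here it is passed in so the check runs offline.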
