1. RE: VIRUS ALERT!
- Posted by Derek Parnell <ddparnell at bigpond.com> Apr 26, 2001
Here is some info about the virus that Mike's got...

Win32.Badtrans.13312

Badtrans is a worm spreading via e-mail. The worm replies to all unread messages and attaches itself using one of the following 16 names:

fun.pif, Humor.TXT.pif, docs.scr, s3msong.MP3.pif, Sorry_about_yesterday.DOC.pif, Me_nude.AVI.pif, Card.pif, SETUP.pif, searchURL.scr, YOU_are_FAT!.TXT.pif, hamster.ZIP.scr, news_doc.scr, New_Napster_Site.DOC.scr, README.TXT.pif, images.pif, Pics.ZIP.scr

When a user opens the attachment, the worm copies itself to the Windows directory as:

inetd.exe

and modifies the file win.ini by including the line executing that program.

Additionally, the Badtrans worm drops a backdoor trojan (Win32.Badtrans.21882 Trojan). The worm creates and executes a 21882-byte file in the Windows System directory:

kern32.exe

and modifies the registry in order to run it on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

The Trojan, which is in fact a backdoor server, also uses its own library:

hksdll.dll (a 5632-byte file created in the same directory).

-----------

I use VET (www.vet.com.au) as my virus checker and it caught this one before it could do any damage.

cheers,
Derek Parnell
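
Added example, not part of the original post: a small triage helper that flags the double-extension attachment pattern seen in the names above and checks win.ini autostart lines and RunOnce values for the file names the post reports. The function names, the extension sets, the sample data and the use of the `run=`/`load=` keys in the `[windows]` section are assumptions; the post only says a line executing the program is added to win.ini.

```python
import configparser
import ntpath

# Extensions Windows executes directly; the names in the post end in .pif or .scr (set is an assumption).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat"}
# Harmless-looking extensions used as the decoy middle part, e.g. README.TXT.pif.
DECOY_EXTS = {".txt", ".doc", ".mp3", ".avi", ".zip"}
# File names the post reports for the worm copy, the trojan and its library.
REPORTED_FILES = {"inetd.exe", "kern32.exe", "hksdll.dll"}

def classify_attachment(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    stem, ext = ntpath.splitext(name.strip().lower())
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    decoy = ntpath.splitext(stem)[1]
    return "double-extension" if decoy in DECOY_EXTS else "executable"

def winini_autostarts(text):
    """List programs on the run=/load= lines of the [windows] section (assumed keys)."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    programs = []
    for key in ("run", "load"):
        value = cp.get("windows", key, fallback="") or ""
        programs += [p for p in value.replace(",", " ").split() if p]
    return programs

def triage(winini_text, runonce_values):
    """Return (location, value) findings whose file name matches REPORTED_FILES."""
    findings = []
    for prog in winini_autostarts(winini_text):
        if ntpath.basename(prog).lower() in REPORTED_FILES:
            findings.append(("win.ini", prog))
    for name, data in runonce_values.items():
        if ntpath.basename(data.strip('"')).lower() in REPORTED_FILES:
            findings.append(("RunOnce\\" + name, data))
    return findings

# Constructed sample input, not taken from a real machine.
SAMPLE_WININI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUNONCE = {"kernel32": "kern32.exe", "Updater": "C:\\Tools\\update.exe"}

if __name__ == "__main__":
    for n in ("README.TXT.pif", "Card.pif", "notes.txt"):
        print(n, "->", classify_attachment(n))
    print(triage(SAMPLE_WININI, SAMPLE_RUNONCE))
```

A file-name match is only a lead: a clean program can share one of these names, so confirm with the file sizes given in the post or a virus scanner.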