The e-mail in question was generated by a new virus/worm only discovered
yesterday.  The information on this virus/worm can be found at
http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html  We seem
to be early infectees and now infectors.
The virus/worm  apparently resides in the attachments and when opened it
goes into the e-mail system and automatically sends itself to randomly
selected addresses.

From Symantec's security reponse page:
 
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.  

Technical description:

This worm arrives as an email with one of several attachment names and a combination of two appended extensions.

The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the following:
.pif
.scr

The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.

----- Original Message -----
From: Shiu M. Hung
To: Alliance
Sent: Sunday, November 25, 2001 5:10 PM
Subject: [alliance] virus

Hi everyone,
 
I just thought i better give everyone on this list a forewarning.  I have received 2 messages today from Carol Spooner that had viruses attached and have confirmed with Carol herself that she did not send them.  She stated someone else is using her email address to carry out this dirty tricks.
 
Shiu
---
---





Get your FREE download of MSN Explorer at http://explorer.msn.com