OSEC

From: Marc Fossi (mfossisecurityfocus.com)
Date: Mon Dec 17 2001 - 14:55:30 CST


    Hey everyone,

    It appears that someone on this list may be infected with the BadTrans.B
    virus. For those who aren't aware, this fun malware replies to unread
    messages in an infected user's Inbox with its lovely little attachment.
    A couple of obvious signs that you're receiving a BadTrans message are
    that the return address has an underscore "_" in front of it and the
    attachment name is usually one of the following (may be all in lowercase
    or all in caps):
    stuff.MP3.pif
    info.DOC.scr
    S3MSONG.DOC.scr
    SEARCHURL.MP3.pif
    HAMSTER.DOC.pif
    ME_NUDE.MP3.scr
    fun.MP3.pif
    NEWS_DOC.DOC.scr
    images.DOC.pif
    HUMOR.MP3.scr
    New_Napster_Site.MP3.pif
    DOCS.DOC.pif
    README.MP3.scr
    Sorry_about_yesterday.MP3.pif
    PICS.DOC.scr
    SETUP.DOC.scr
    YOU_ARE_FAT!.MP3.scr
    CARD.DOC.pif

    And to make things even better, it also exploits our good friend the
    Iframe vulnerability from MS01-020 (you are all patched, right?).

    For more info, try one of these fine sources of information (and some
    cleaning utilities for the less fortunate):
    http://www.europe.f-secure.com/v-descs/badtrans.shtml
    http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_BADTRANS.D
    http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.13312mm.html
    http://www.sophos.com/virusinfo/analyses/w32badtransb.html
    http://www.ealaddin.com/home/csrt/analysis.asp?virus_no=10093&cf=tl
    http://www.viruslist.com/eng/viruslist.asp?id=4310&key=00001000130000100112

    And just for good measure:
    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

    Marc Fossi, MCSE
    SecurityFocus
    www.securityfocus.com
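A mail-side check for the two signs the post names, an underscore-prefixed return address and one of the listed attachment names (generalised to any .MP3/.DOC name that actually ends in .pif or .scr), as an added example that is not part of the original post; the message it inspects is constructed, not a real capture.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment names quoted in the post, matched case-insensitively because
# the post says they may arrive all-lowercase or all-caps.
BADTRANS_ATTACHMENTS = {
    "stuff.MP3.pif", "info.DOC.scr", "S3MSONG.DOC.scr", "SEARCHURL.MP3.pif",
    "HAMSTER.DOC.pif", "ME_NUDE.MP3.scr", "fun.MP3.pif", "NEWS_DOC.DOC.scr",
    "images.DOC.pif", "HUMOR.MP3.scr", "New_Napster_Site.MP3.pif", "DOCS.DOC.pif",
    "README.MP3.scr", "Sorry_about_yesterday.MP3.pif", "PICS.DOC.scr",
    "SETUP.DOC.scr", "YOU_ARE_FAT!.MP3.scr", "CARD.DOC.pif",
}
_KNOWN = {n.lower() for n in BADTRANS_ATTACHMENTS}
# The same trick in general form: a media/document extension in front of .pif/.scr.
_DOUBLE_EXT = re.compile(r"\.(?:mp3|doc)\.(?:pif|scr)$", re.IGNORECASE)


def badtrans_indicators(raw_message: bytes) -> dict:
    """Inspect one raw RFC 822 message and report the BadTrans.B signs found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    known = [n for n in names if n.lower() in _KNOWN]
    double_ext = [n for n in names if _DOUBLE_EXT.search(n)]
    return {
        "underscore_sender": sender.startswith("_"),
        "known_attachments": known,
        "double_extension_attachments": double_ext,
        # A known name alone is enough; otherwise require both signs together.
        "flagged": bool(known) or (sender.startswith("_") and bool(double_ext)),
    }


# Constructed sample message showing both signs at once (addresses are made up).
SAMPLE = b"""From: _alice@example.com
To: list@example.com
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bt"

--bt
Content-Type: application/octet-stream; name="HUMOR.MP3.scr"
Content-Disposition: attachment; filename="HUMOR.MP3.scr"
Content-Transfer-Encoding: base64

AAAA
--bt--
"""
```

Running `badtrans_indicators(SAMPLE)` flags the message on both the sender and the attachment name; a plain reply from an ordinary address with no attachment is not flagged.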