Lone Wolf Development Forums  
cbeilby at hroads.net
January 3rd, 2002, 05:17 AM
Sorry in advance for the HTML, but...

We've had a Virus sent to the list. Rob, could you please set the list to strip attachments?

Everyone, do NOT open the attachment "New_Napster_Site.MP3.pif"

The virus originates from the following email address: mikern@ix.netcom.com. If that email belongs to anyone on this list, please check your computer and run some sort of Anti Virus software.

Details on this virus follow:


--------------------------------------------------------------------------------

From the Symantec website:

--------------------------------------------------------------------------------


Discovered on: April 11, 2001
Last Updated on: December 10, 2001 at 02:55:25 PM PST

Due to the decreased number of submissions, the threat level for this worm has been downgraded from 4 to 3.
This is a MAPI worm that replies to all unread messages in your email message folders and drops a backdoor Trojan.

NOTE: Virus definitions dated prior to October 22, 2001 detected this as W32.Badtrans.13312@mm.


Also Known As: W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans, I-Worm.Badtrans, TROJ_BADTRANS.A, Pws-AV Trojan, W32.Badtrans.13312@mm, Trojan.Psw.Hooker

Type: Worm

Infection Length: 13312

Virus Definitions: April 11, 2001

Threat Assessment:

Wild: High
Damage: Medium
Distribution: High


Wild:

- Number of infections: 50 - 999
- Number of sites: More than 10
- Geographical distribution: High
- Threat containment: Easy
- Removal: Easy

Damage:

- Payload:
  - Large scale e-mailing: It replies to all unread messages in the message folders within the default MAPI email program.
  - Compromises security settings: It drops a backdoor Trojan.

Technical description:

When the worm is executed, it drops the backdoor Trojan Hkk32.exe into the \Windows folder and executes it. It then copies itself into the \Windows folder as inetd.exe, adds a run= line to the Win.ini file, and displays the following message:



The next time that the computer is restarted, the worm waits for five minutes and then uses MAPI to find all unread email messages and reply to all of them. The worm attaches itself to the message using one of the following file names:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif



Removal instructions:

Because W32.Badtrans.gen@mm affects different operating systems in different ways, how you remove this worm depends on your operating system. Follow the instructions in the order given.

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Badtrans.gen@mm. What you do next depends on whether NAV was able to delete files that it detected as infected with W32.Badtrans.gen@mm:
- If NAV was able to delete all the files that it detected as infected, do one of the following:
  - If you are running Windows 95/98/Me, skip to the section To edit the Win.ini file.
  - If you are running Windows NT/2000 and NAV was able to delete all the infected files, you are finished.
- If NAV was not able to delete all files that it detected as infected, go on to the next section and see the instructions for your operating system.

To remove files that cannot be deleted by NAV:
Follow the instructions for your operating system only if NAV could not delete files that it detected as infected with W32.Badtrans.gen@mm.

Windows 95/98/Me:
1. Restart the computer in Safe Mode. For instructions on how to restart in Safe Mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
2. Run the scan again, and delete any files detected as W32.Badtrans.gen@mm.
3. When the scan is finished, skip to the section To edit the Win.ini file.
Windows NT/2000:
1. Press Ctrl+Alt+Delete one time.
2. Click Task Manager.
3. Click the Processes tab.
4. Click the "Image Name" column header two times to sort the processes alphabetically.
5. Scroll through the list and look for inetd.exe. If you find the file, click it and then click End Process.
6. Scroll through the list and look for Kern32.exe. If you find the file, click it and then click End Process.
7. Close the Task Manager.
8. Right-click the My Computer icon on the Windows desktop, and click Explore.
9. Do one of the following:
  - If you are running Windows NT, click the View menu and click Options.
  - If you are running Windows 2000, click the Tools menu and click Folder Options.
10. Click the View tab.
11. Do one of the following:
  - If you are running Windows NT, click "Show all files," uncheck "Hide file extensions for known file types," and then click OK.
  - If you are running Windows 2000, click "Show hidden files and folders" and uncheck "Hide file extensions for known file types."
12. In the left pane of Windows Explorer, right-click drive C and then click Find (Windows NT) or Search (Windows 2000).
13. In the "Named" or "Search for..." box, type--or copy and paste--the following file names:

inetd.exe kern32.exe hkk32.exe hksdll.dll

14. Click Find Now or Search Now.
15. When the search is finished, write down the names and locations of the files that are displayed.
16. Click the Edit menu, and click Select All.
17. Hold down the Shift key, and press the Delete key. Continue to hold down the Shift key until you are prompted to confirm the deletion. Click Yes. (Holding the Shift key while pressing the Delete key bypasses the Recycle Bin.)
18. Close Windows Explorer.
19. Go on to the section To edit the registry.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

4. In the right pane, delete the value

Kernel32 KERN32.EXE

5. Navigate to the key

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

6. In the right pane, delete the value

run <path>\Inetd.exe

7. Exit the Registry Editor.
8. Restart the computer.
9. Run the scan again, and delete any files detected as W32.Badtrans.13312@mm. This completes the removal procedure for users of Windows NT/2000.

To edit the Win.ini file:
If you are running Windows 95/98/Me, you must also do the following:
1. Click Start, and click Run.
2. Type the following and then click OK:

edit c:\windows\win.ini

NOTE: If you installed Windows in a different location, make the appropriate substitution.

3. In the [windows] section, locate the run= line. It will look similar to the following:

run=c:\windows\inetd.exe

4. Remove the text to the right of the = sign, so that the line now reads

run=

5. Save your changes, and exit the MS-DOS Editor.



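A defender-side check for the autostart entries and attachment names described in the Symantec writeup quoted above, added here as an example (it is not code from the original post or from Symantec). The win.ini text and registry values are constructed samples; the worm file names and the deceptive double-extension pattern come from the writeup.

```python
import ntpath
import re
from configparser import ConfigParser

# Persistence file names taken from the Symantec writeup quoted in the post above.
WORM_FILES = {"inetd.exe", "kern32.exe", "hkk32.exe", "hksdll.dll"}
# Executable extensions the worm uses for its mailed attachments.
EXEC_EXTS = {"pif", "scr"}

# Constructed sample inputs (not taken from a real machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\inetd.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = [  # (key, value name, data), as a registry export would list them
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Kernel32", "KERN32.EXE"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", r"C:\WINDOWS\Inetd.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Sound", r"C:\Program Files\sound.exe"),
]

def win_ini_run_targets(win_ini_text):
    """Programs named on the [windows] run= line (several may be separated by spaces or commas)."""
    cp = ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(win_ini_text)
    run = cp.get("windows", "run", fallback="") or ""
    return [p for p in re.split(r"[,\s]+", run) if p]

def persistence_findings(win_ini_text, reg_values):
    """Autostart entries (win.ini and registry) whose target is one of the worm's file names."""
    findings = []
    for target in win_ini_run_targets(win_ini_text):
        if ntpath.basename(target).lower() in WORM_FILES:
            findings.append(("win.ini", "run", target))
    for key, name, data in reg_values:
        if ntpath.basename(data).lower() in WORM_FILES:
            findings.append((key, name, data))
    return findings

def attachment_risk(filename):
    """'disguised executable' for README.TXT.pif-style names, 'executable' for plain .pif/.scr, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    return "disguised executable" if len(parts) == 3 else "executable"

if __name__ == "__main__":
    for hit in persistence_findings(SAMPLE_WIN_INI, SAMPLE_REG):
        print("autostart entry pointing at a worm file:", hit)
    for name in ("New_Napster_Site.MP3.pif", "SETUP.pif", "notes.txt"):
        print(name, "->", attachment_risk(name))
```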
demandred at skrill.org
January 3rd, 2002, 02:32 PM
One fine day in the middle of the night, Chris Beilby
<cbeilby@hroads.net> got up to write:

>Sorry in advance for the HTML, but...
>
>We've had a Virus sent to the list. Rob, could you please set the list to strip
>attachments?

It's already disallowing attachments, according to the settings page.
Sure you have the right list?

--
'Not Colin' McAlister | License to Skrill
Email: demandred@skrill.org | Visit http://www.skrill.org/ today!
-----------------------------+------------------------------------
"Dovie'andi se tovya sagain" - Robert Jordan's Wheel Of Time

cbeilby at hroads.net
January 3rd, 2002, 02:47 PM
----- Original Message -----
From: "Colen 'Skrillboy' McAlister" <demandred@skrill.org>
To: ab@support.wolflair.com
Sent: Thursday, January 03, 2002 6:31 PM
Subject: Re: Virus Alert (was Re: [AB] Death Guard)


> One fine day in the middle of the night, Chris Beilby
> <cbeilby@hroads.net> got up to write:
>
> >Sorry in advance for the HTML, but...
> >
> >We've had a Virus sent to the list. Rob, could you please set the list
> >to strip attachments?
>
> It's already disallowing attachments, according to the settings page.
> Sure you have the right list?

As far as I could tell, Colen, it came via the list. Unfortunately, I
already deleted the message (standard policy in my case with Viruses,) so I
can't check the headers...

