View Full Version : VIRUS ALERT: New E-mail Trojan Variant


Paleo Pete
11-27-2001, 10:20 AM
Watch out for this one, it hit me already. I have 3 copies sitting in my Inbox right now, and undoubtedly more to come...

W32/Badtrans@MM (http://www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2607) is the McAfee write up, the Symantec write up is Here (http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html)

I goofed, I didn't look close enough at the Message Source when looking up spammers, and opened this one. I haven't tried to reboot yet, but will shortly and will probably be removing yet another trojan. GRRRRRR....

This trojan was discovered 11/24 so make sure and UPDATE YOUR DAT FILES before checking your e-mail. McAfee has already written this one into the newest DAT files, Norton probably has too.

Watch out for this one, it opens and runs automatically if you open the e-mail message it is attached to. Open Windows Explorer and go to View\Folder Options, click the View tab and make sure the Hide extensions for known file types box is UNCHECKED and also Show all files should be CHECKED.

In Outlook Express right click on each e-mail message that contains an attachment and click Properties. In the Properties box click the Details tab then Message Source at bottom. Maximize this window and read it closely, if the e-mail has an attachment you will find a section that is similar to:
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="info.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

This is copied directly from one of the e-mails I received. Note the dual extension (bold text.) That is always an indication of a virus or trojan. If you see something similar to the above, DO NOT open the email message.

If you're using Netscape or Eudora I can't help with procedures, I use neither. The McAfee page has removal instructions, I'm sure the Symantec page does too, I didn't look, they're usually very good at posting detailed information.

I hope none of our visitors have problems with this one, knowing full well that is a futile hope...some of them will be infected anyway, as past experience has shown me.

Please be wary of this one, I may be reinstalling later today because of it. I planned to do that anyway, but wasn't expecting to do it right away...

------------------
Support the right to keep and arm bears.
Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.
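
The manual Message Source check described in the post above can be automated. The following is an added example, not part of the original post: it parses a message and reports the three traits visible in the quoted source (a double extension ending in an executable type, a media Content-Type on an executable name, and an HTML element that loads the attachment by Content-ID). The sample messages, the extension lists and the finding labels are constructed for this example.

```python
import os
import re
from email import message_from_bytes, policy

# File types Windows runs directly (illustrative subset chosen for this example).
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# MIME families that should never carry an executable.
PASSIVE_MAINTYPES = {"audio", "image", "video", "text"}
# HTML element that loads another MIME part by Content-ID as soon as it renders.
CID_REF = re.compile(
    r"""<\s*(?:iframe|img|embed|bgsound|object)\b[^>]*?\b(?:src|data)"""
    r"""\s*=\s*["']?cid:([^\s"'>]+)""",
    re.IGNORECASE,
)

# Constructed sample: same structure as the quoted Message Source, with a
# harmless placeholder payload and a single well-formed boundary.
SAMPLE = (
    b'From: "Constructed Sender" <_sender@example.com>\r\n'
    b"To: recipient@example.com\r\n"
    b"Subject: Re:\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="BOUND"\r\n'
    b"\r\n"
    b"--BOUND\r\n"
    b'Content-Type: text/html; charset="iso-8859-1"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>\r\n"
    b"<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>\r\n"
    b"</iframe></BODY></HTML>\r\n"
    b"--BOUND\r\n"
    b'Content-Type: audio/x-wav; name="info.DOC.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <EA4DMGBP9p>\r\n"
    b"\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"
    b"--BOUND--\r\n"
)

# Constructed contrast case: an ordinary document attachment.
BENIGN = (
    b"From: colleague@example.com\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B2"\r\n\r\n'
    b"--B2\r\nContent-Type: text/plain\r\n\r\nReport attached.\r\n"
    b'--B2\r\nContent-Type: application/msword; name="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\ncGxhY2Vob2xkZXI=\r\n--B2--\r\n"
)


def inspect_message(raw: bytes) -> list[str]:
    """Return one finding string per suspicious trait found in the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [p for p in msg.walk() if not p.is_multipart()]

    # Pass 1: every Content-ID the HTML body loads without any user action.
    autoload_cids = set()
    for part in parts:
        if part.get_content_type() == "text/html":
            autoload_cids.update(CID_REF.findall(part.get_content()))

    # Pass 2: examine each named part.
    findings = []
    for part in parts:
        name = part.get_filename()  # falls back to the Content-Type name= parameter
        if not name:
            continue
        stem, last = os.path.splitext(name.lower())
        if last not in EXECUTABLE_EXTS:
            continue
        if os.path.splitext(stem)[1]:  # e.g. ".doc" hiding in front of ".scr"
            findings.append(f"double-extension:{name}")
        if part.get_content_maintype() in PASSIVE_MAINTYPES:
            findings.append(f"type-mismatch:{part.get_content_type()}:{name}")
        cid = (part["Content-ID"] or "").strip().strip("<>")
        if cid and cid in autoload_cids:
            findings.append(f"autoload-by-cid:{cid}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print(finding)
```
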

Whyzman
11-27-2001, 11:12 AM
Pete,

In WinMe in Windows Explorer it is found under TOOLS/Folder Options/View rather than under VIEW.

Perhaps with the current recession these "get-a-life's" with far too much time on their hands will be forced to get a job and make themselves useful!

------------------
May all your dealings in life be win/win!

Whyzman

diurnal
11-28-2001, 12:17 AM
I goofed, I didn't look close enough at the Message Source when looking up spammers, and opened this one. I haven't tried to reboot yet, but will shortly and will probably be removing yet another trojan. GRRRRRR

Even the biggest gurus mess up sometimes.

------------------
Sledgehammer will save the day!

ErnieK
11-28-2001, 07:48 PM
Pete
I heard on the radio today about this virus. What was said on radio was that YOU DO NOT HAVE TO OPEN IT. ALL YOU HAVE TO DO IS TO VIEW IT. Sorry for shouting but I felt that it was important enough to do so. And I sincerely hope the web guru was\is wrong about that. He said that the BBC (He works for BBC radio) had stopped him receiving 10 mails with this virus today.

------------------
Ernie

Paul Komski
11-28-2001, 10:42 PM
1. If just viewing messages can energise this worm then is it worth reminding OE users to go to the "View" Menu - select "Layout" - Then Uncheck the "Show Preview Pane" Box and click "Apply"?

2. Should the "Hide Protected Operating System Files (Recommended)" Box be cleared as well as selecting the "Show Hidden Files and Folders"? I only recently discovered this on ME having not seen it on W98se.

3. Vic has had major probs with this worm see http://www.pcguide.com/ubb/Forum2/HTML/002429.html

Take Care
Paul

[This message has been edited by Paul Komski (edited 11-28-2001).]

sea69
11-29-2001, 12:37 PM
I have received this:


From :

"Inishowen Computer Systems Ltd" <_icsltd@eircom.net>
To :

sea1_69@hotmail.com
Subject :

Re:
Date :

Wed, 28 Nov 2001 16:20:44 +0000
Attachment : SETUP.DOC.scr (38k), text5.txt (0b)


_icsltd@eircom.net

and :

sea1_69@hotmail.com


From :
"Vaughan Reynolds" <_spottyballs@paradise.net.nz>
To :
sea1_69@hotmail.com
Subject :
Re:
Date :
Mon, 26 Nov 2001 23:42:40 +1300 (NZDT)
Attachment : New_Napster_Site.MP3.pif (38k), text5.txt (0b)

_spottyballs@paradise.net.nz


so BE ADVISED if this is you, you are infected.. as it has been passed on to me..

(I am not infected)


note: PLEASE give me 15 minutes to edit!


sorry this has made the page so messed up looking**

thought in case they didn't know, that they should

------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/3.html)

[This message has been edited by sea69 (edited 11-29-2001).]

TVC15
11-29-2001, 01:13 PM
If you upgrade your browser to IE 5.5 (service pack 2) or IE 6 the security loophole which allows this virus to execute automatically is closed.

Instead, you will be prompted with a warning and be given the option to either save the file to disk or open it. Don't do either of course, but simply click cancel and then delete the email.

Upgrading will also offer protection to similar worms such as Nimda and Sircam

------------------
Up every evening 'bout half eight or nine,

I give my complete attention to a very good friend of mine.

sea69
11-29-2001, 01:18 PM
ummmmmmmmmm....... can I keep IE 5.01 and just apply the security patch ??



------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/3.html)


;)~

Paleo Pete
11-29-2001, 11:14 PM
sea: Inishowen Computer Systems Ltd
I received one from this same email address. I'm not on my computer right now, so I can't give you the originating ISP, but when I get back on mine I have the email that I sent the ISP and can give you their address.

By the way, I found out the hard way you do not have to open the attachment, just view the email, that's how I found out what it was. I didn't notice the attachment until after it tried to activate, then looked a bit closer. I thought it was a typical spam message and tried to forward it. It opened and tried to run when I did so. I got lucky, it wasn't able to install for some reason, but it sure tried. I checked, nothing in the registry, none of the files it installs are present, nothing in win.ini or system.ini.

This is a bad one, I've received 4 copies so far and probably have a couple waiting on me right now, since I haven't checked email on this machine. I gave up on trying to forward them to their ISPs, since it opens and runs I try to send the ISP a standard email message and copy the HTML and attachment info from the Details/View Message Source screens.

Folks, be very careful, this one runs and installs itself just from opening the email, you do NOT have to run the attachment.

ErnieK: Don't worry about the caps, sometimes it's advisable to use that format to get a point across, and most of us understand that. In such a case we rarely get upset about someone "shouting". I do the same occasionally if I want to make sure I get a point across.

------------------
Support the right to keep and arm bears.
Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.

sea69
11-30-2001, 01:36 AM
I would very much appreciate that Pete!

I got these in my hotmail, so I cannot get the headers or originating IP addy ....probably spoofed thru 10 anonymous proxies. Maybe we can get together and pull his plug!



------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/3.html)

[This message has been edited by sea69 (edited 11-30-2001).]

ErnieK
11-30-2001, 04:18 PM
Hi there guys
As has been said this is a very worrying virus. Don't know if the following will help you, but what I am doing is downloading my mail in OE (5.1) then closing OE down, going offline and running V scan, then reading my mail. I know it will not work with Hotmail but it is at least a small extra safeguard. Bit of an overkill maybe but better safe than having raised blood pressure.
Also for God's sake everyone get an up-to-date virus scanner. Nearly all brands now have a fix for this monstrosity.

------------------
Ernie

Paul Komski
11-30-2001, 04:32 PM
Ernie; I believe it is OK to use OE as long as you don't view or PREVIEW (see my post above) the message with an attachment - perhaps someone can confirm this.

This is a cunning worm! I've just discovered that it inhibits you posting back and warning the source by prefixing an underscore before the email address. So in New Message you must actually type-in the eMail Address and not use the Address Book entry or use Reply to Sender.

I've luckily escaped this one (so far!) but 4 of my friends haven't! And it's nearly a full-time job getting them "scrubbed clean".

Best Wishes All.

[This message has been edited by Paul Komski (edited 11-30-2001).]

Vic 970
11-30-2001, 05:08 PM
I think I must have been one of the first to get it, and it looks like sea69 may have got it from mine, I got a return to sender with his address on it (sorry sea !)

It seems to have backtracked through old addresses received and/or links.

Pete, you e-mailed me months ago I bel it may have backtracked to you.
-------------------------

I updated my McAfee on Friday, but it didn't pick up the virus at weekend, nor did Panda (on the PC Pitstop site). PC Cillin wouldn't update (one of the actions of the virus)

Command A/V found it, there is a link on my post http://www.pcguide.com/ubb/Forum2/HTML/002429.html where you can get a free scan & the info to get rid of it if you have it.

I can't be sure at the moment if or what it has done to my system, so I propose to try several more scans, then try to repair Office, IE6 & re-set my ISP accounts. then see what works, or doesn't.

The problem I had with clicking on the PC Guide reply notification seems to have disappeared.

I will Possibly even re format at (hopefully) a later stage.

advice update your anti virus
do several online scans (Diff A/Vs)
obviously do not open attachments

also look in Windows/System for KERNEL32.EXE & kdll.dll

if they are there, delete them in SAFE MODE plus there will be an entry in registry (kernel32.exe) which you must remove as well.

I noticed a post about a Virus Forum, didn't have time to read it, but I think I will now. It may not be a bad idea !!

------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

[This message has been edited by Vic 970 (edited 11-30-2001).]

Paul Komski
11-30-2001, 09:27 PM
This freeware (HouseCall) is available at http://housecall.antivirus.com/housecall/start_corp.asp and has got BadTransB in its register, for anyone devoid of (or having trouble updating) installed anti-virus software.
AND
This freeware (Panda BadTransB Removal Utility) is available at http://download.cnet.com/downloads/0-10093-100-8004944.html?tag=st.dl.10093-106-1.lst-0-6.8004944
but I have no idea how effective it is.

I believe this worm selects from messages randomly but only selects from emails that have not been 'replied-to/or are unread' - so I guess the 0000 trick won't stop it propagating! It's a real bad b--ch.

P.S. According to Sophos there is a M$ security patch that would have prevented infection; see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp



[This message has been edited by Paul Komski (edited 11-30-2001).]

Vic 970
12-01-2001, 08:16 AM
Thanks for the links Paul.

I have been trying several sites now and am coming up clean, even did the 'removal' (although I had already done it manually) seems ok, partic' for anyone that doesn't like to go into registry.

The ie fix only refers to 5 & 5.5 & I'm using IE6 although I did open the attachment.

------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

Paleo Pete
12-02-2001, 01:33 AM
Sea: abuse@eircom.net

Full headers:
X-Apparently-To: xxxxx@xxxxx.com via web10002; 28 Nov 2001 07:55:33 -0800 (PST)
X-RocketRCL: 39757;1;3658558726
X-Track: 112703: 2
X-YahooFilteredBulk: 159.134.237.21
Received: from mail1.tinet.ie (EHLO apu.eircom.net) (159.134.237.21)
by mta509.mail.xxxxxxxx.com with SMTP; 28 Nov 2001 07:55:32 -0800 (PST)
Received: from p37.as1.lifford1.eircom.net ([159.134.247.165] helo=aol.com)
by apu.eircom.net with smtp (Exim 2.05 #1)
id 16973H-0002lu-00
for XXXXXXX@XXX.Com; Wed, 28 Nov 2001 15:55:15 +0000
From: "Inishowen Computer Systems Ltd" <_icsltd@eircom.net>
To: xxxxxx@xxxxxxxx.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <E16973H-0002lu-00@apu.eircom.net>
Date: Wed, 28 Nov 2001 15:55:15 +0000

HTML and file name:

<HTML> <HEAD> </HEAD> <BODY bgColor =3D#ffffff>
<iframe src =3Dcid:EA4DMGBP9p height =3D0 width=3D0>
</iframe> </BODY> </HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="images.DOC.pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

I put some spaces in it and bold text for the filename. Didn't want even a remote chance it might attempt to run, even though the actual file is nowhere in sight and HTML does not work on the forums...am I getting paranoid????

I noticed also it did put an underscore in front of the originating email address. Interesting...I've already sent eircom a notice about this one, and suggested they investigate the possibility that this person is sending spam. That's the only reason he/she would have my email address, same as all the others who have sent this one to me. About 9 copies now...3 today...




------------------
Support the right to keep and arm bears.
Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.

sea69
12-02-2001, 01:53 AM
wouldn't have been from either of these two?

"Piet van Ommeren" <_p.v.ommeren@wolmail.nl>
To :

sea1_69@hotmail.com
Subject :

Re:
Date :

Sat, 1 Dec 2001 21:10:10 +0100 (MET)
Attachment : Card.DOC.pif </cgi-bin/getmsg?

or


"crystal" <_raggs@worldpath.net>
To :

sea1_69@hotmail.com
Subject :

Re:
Date :

Fri, 30 Nov 2001 14:30:49 -0500 (EST)
Attachment : README.MP3.scr </cgi-bin/getmsg?

?

I notice the (_) too

Thanks Pete



------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/3.html)

[This message has been edited by sea69 (edited 12-02-2001).]

ranchdog
12-02-2001, 07:07 AM
Thought I read that the _ underscore was programmed in case this addy was ever placed in an address book..... The virus couldn't rotate back to them because the actual addy would be led by the _ .

------------------
......Indecision may or may not be my problem......
...... Kickin' A Rock....

Vic 970
12-02-2001, 01:32 PM
Just followed instructions from McAfee, having previously followed instructions from Command, i.e.:

Deleted;

KERNEL32.EXE
Kdll.dll
& deleted ‘kernel32.exe’ from registry

I have since run several online A/V scans (including the ‘fix’) all of which have come up ‘no virus’s detected’

The McAfee refers to;

INETD.EXE
KERN32.EXE
HKSDLL.DLL
HKK32.EXE
CP_23421.NLS
Plus; inetd.exe (in WIN.INI)

None of which have I found, are we looking at a different virus, or a different activity of the same one ?

I have just received my 3rd…,
-------------------------------------

X-From_: arthur_marshall@talk21.com Sun Dec 02 13:40:30 2001
Envelope-to: vic@revi.fsnet.co.uk
Delivery-date: Sun, 02 Dec 2001 13:40:30 +0000
Received: from [128.242.207.107] (helo=linux1587.dn.net)
by mail7.svr.pol.co.uk with esmtp (Exim 3.13 #0)
id 16AWr7-0002fA-00
for vic@revi.fsnet.co.uk; Sun, 02 Dec 2001 13:40:29 +0000
Received: from [62.172.192.41] (helo=t21mta02-app.talk21.com)
by linux1587.dn.net with esmtp (Exim 3.22 #2)
id 16AWgI-0005f4-00
for webmaster@revi.co.uk; Sun, 02 Dec 2001 08:29:19 -0500
Received: from aol.com ([217.32.149.13]) by t21mta02-app.talk21.com
(InterMail vM.4.01.02.27 201-229-119-110) with SMTP
id <20011202133459.HKCR7033.t21mta02-app.talk21.com@aol.com>
for <webmaster@revi.co.uk>; Sun, 2 Dec 2001 13:34:59 +0000
From: "Arthur Marshall" <_arthur_marshall@talk21.com>
To: webmaster@revi.co.uk
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <20011202133459.HKCR7033.t21mta02-app.talk21.com@aol.com>
Date: Sun, 2 Dec 2001 13:35:13 +0000

Came with one of the listed names & the double extension, MP3.scr


------------------
for every question there's an answer. Then a load more questions.
Definition of Upgrade "A means of introducing new bugs to a program to replace the ones that you have eventually found fixes for"

Regards..,
Vic.

Paul Komski
12-02-2001, 09:49 PM
Two OE tips I just picked-up to inhibit infection.
1. Set up a "Preview" Button on the Toolbar. Have it set so that the Preview Panel is hidden. After eMails are received you can see if any have attachments and deal with them appropriately. Just toggle the button if you then want to open the Preview Panel.
2. Set OE Security to Restricted Sites Only. Set IE Security's Restricted Sites so that everything in it is disabled.

They just seemed so simple to do and could save a lot of bother.

PS I don't suppose there's any way to make a message rule to delete all messages where From: = AnyEmail starting with an underscore?

[This message has been edited by Paul Komski (edited 12-02-2001).]

Paleo Pete
12-03-2001, 07:27 AM
Sea: Piet van Ommeren. Got one from that address too. I already sent them a notice that this person has the virus.

abuse@hccnet.nl is the contact address for the originating ISP. It's in the Netherlands. I strongly suspect it's a spammer as well, that's the only reason either of these should have had my email address.

You can look those up by IP address at the ARIN Whois (http://www.arin.net/whois/) database, it will link to RIPE and APNIC when they come up, and once you get the ISP you can often get contact addresses at the Network Abuse Clearinghouse (http://www.abuse.net/lookup.phtml). The place to look for the originating IP is in bold text in the headers below, that's the one it originally came from.

You can sometimes look it up by the domain preceding the IP, but that's almost always forged, (in this case it's not) so the IP address is the most dependable way to go. The mail server that receives the message does a reverse lookup, which the person who forges the headers cannot change. That's where the IP comes from.

X-Apparently-To: xxxxxxxxxxx@xxxxxxxx.com via web10007; 01 Dec 2001 11:47:58 -0800 (PST)
X-RocketRCL: 39756;1;4116342557
X-Track: 171038: 2
X-YahooFilteredBulk: 62.251.0.13
Received: from smtp.hccnet.nl (62.251.0.13)
by mta437.mail.xxxxxxxxx.com with SMTP; 01 Dec 2001 11:47:57 -0800 (PST)
Received: from aol.com by smtp.hccnet.nl
via fia80-2.dsl.hccnet.nl [62.251.2.80] with SMTP for <xxxxxxxxxxxxxx@xxxxxxxx.com>
id UAA00801 (8.8.8/1.13); Sat, 1 Dec 2001 20:47:50 +0100 (MET)
Date: Sat, 1 Dec 2001 20:47:50 +0100 (MET)


--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="Humor.MP3.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>




------------------
Support the right to keep and arm bears.
Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.
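
The header-reading procedure in the post above, as an added example that is not part of the original post: it unfolds the Received lines, separates the name the sending machine claimed (forgeable) from the IP address the receiving server recorded, and walks down the chain only as far as relays the reader has decided to trust. The header text is the one quoted in the post, redactions included; the `trusted_relays` parameter and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Headers as quoted in the post above (redactions kept as posted).
SAMPLE_HEADERS = (
    "X-Apparently-To: xxxxxxxxxxx@xxxxxxxx.com via web10007; 01 Dec 2001 11:47:58 -0800 (PST)\n"
    "Received: from smtp.hccnet.nl (62.251.0.13)\n"
    "    by mta437.mail.xxxxxxxxx.com with SMTP; 01 Dec 2001 11:47:57 -0800 (PST)\n"
    "Received: from aol.com by smtp.hccnet.nl\n"
    "    via fia80-2.dsl.hccnet.nl [62.251.2.80] with SMTP for <xxxxxxxxxxxxxx@xxxxxxxx.com>\n"
    "    id UAA00801 (8.8.8/1.13); Sat, 1 Dec 2001 20:47:50 +0100 (MET)\n"
    "Date: Sat, 1 Dec 2001 20:47:50 +0100 (MET)\n"
    "\n"
)

FROM_RE = re.compile(r"from\s+(\S+)", re.IGNORECASE)           # name the client claimed
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)  # server that wrote the line
IP_RE = re.compile(r"[\[(]((?:\d{1,3}\.){3}\d{1,3})[\])]")     # address that server recorded


def _valid_ip(text):
    """Return the address if it is a real IPv4 literal, else None."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def parse_hops(raw_headers: str) -> list[dict]:
    """Return Received hops from newest (top) to oldest (bottom)."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        # Unfold the header and drop the trailing "; date" section.
        line = " ".join(value.split()).rsplit(";", 1)[0]
        claimed = FROM_RE.match(line)
        by = BY_RE.search(line)
        ip = IP_RE.search(line)
        hops.append({
            "claimed": claimed.group(1) if claimed else None,
            "by": by.group(1).lower() if by else None,
            "ip": _valid_ip(ip.group(1)) if ip else None,
        })
    return hops


def origin_ip(raw_headers: str, trusted_relays: set) -> "str | None":
    """IP recorded by the lowest hop in an unbroken run of trusted relays.

    Anything below the first untrusted 'by' host could have been written by
    the sender, so the walk stops there.
    """
    origin = None
    for hop in parse_hops(raw_headers):
        if hop["by"] not in trusted_relays:
            break
        origin = hop["ip"] or origin
    return origin


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        print(hop)
    print(origin_ip(SAMPLE_HEADERS, {"mta437.mail.xxxxxxxxx.com", "smtp.hccnet.nl"}))
```

Trusting only the reader's own mail server yields the ISP's outbound relay; adding the ISP's relay to the trusted set yields the customer address it recorded, while the claimed name `aol.com` is never used.
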

sea69
12-03-2001, 09:27 AM
hmmmmmmmmmmmmmm...............


rights restricted by copyright. See
http://www.domain-registry.nl/bestaat.lp

Domain name:
hccnet.nl (second domain)

Organisation:
Hobby Computer Club
De Molen 24
3994 DB HOUTEN

Administrative Contact:
Reinier Kramer
Phone: +31 30 6378788
E-mail: postmaster@hccnet.nl

Technical Contact:
Reinier Kramer
Phone: +31 30 6378788
E-mail: postmaster@hccnet.nl

Technical Contact:
P. Theunissen
Phone: +31 24 3653653
E-mail: tech-adm@internl.net

Registrar:
InterNLnet/p
Toernooiveld 1
6525 ED NIJMEGEN

Domain Nameservers:
auth10.dns.internl.net 217.149.192.4
auth20.dns.internl.net 217.149.201.5

Domain first registered: 19-11-1998
Record last updated: 08-11-2001
Record maintained by: NL Domain Registry

>>>>>>>>>>>>

This is the RIPE Whois server.
The objects are in RPSL format.
Please visit http://www.ripe.net/rpsl for more information.
Rights restricted by copyright.
See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 62.251.0.0 - 62.251.0.255
netname: NL-HCCNET
descr: Internet Service Provider
country: NL
admin-c: HK657-RIPE
tech-c: PT1019-RIPE
status: ASSIGNED PA
mnt-by: HCCNET-MNT
changed: Paul.Theunissen@inter.NL.net 20010103
changed: Paul.Theunissen@inter.NL.net 20010423
source: RIPE

route: 62.251.0.0/17
descr: HCCnet
origin: AS20689
mnt-by: HCCNET-MNT
changed: changedesk-ias@kpn.net 20010208
changed: Paul.Theunissen@inter.NL.net 20010620
source: RIPE

person: Hidde Korenstra
address: HCCnet BV
address: Eekholt 44
address: NL-1112 XH Diemen
address: The Netherlands
phone: +31 20 569 3700
fax-no: +31 20 569 3799
e-mail: hidde.korenstra@hccnet.nl
nic-hdl: HK657-RIPE
remarks: ------------------------------------
remarks: For abuse notification send email to
remarks: abuse@hccnet.nl
remarks: ------------------------------------
notify: hidde.korenstra@hccnet.nl
changed: Walter.vanDijk@SURFnet.nl 20011009
source: RIPE

person: Paul Theunissen
address: InterNLnet B.V.
address: Toernooiveld 1
address: NL-6525 ED Nijmegen
address: The Netherlands
phone: +31 24 3653653
fax-no: +31 24 3653655
e-mail: Paul.Theunissen@inter.NL.net
nic-hdl: PT1019-RIPE
remarks: ------------------------------------
remarks: For abuse notification send email to
remarks: abuse@inter.NL.net
remarks: ------------------------------------
notify: Paul.Theunissen@inter.NL.net
mnt-by: INTERNLNET-MNT
changed: michelg@inet.unisource.nl 19981210
changed: Paul.Theunissen@inter.NL.net 19991022
changed: Paul.Theunissen@inter.NL.net 20010316

------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/3.html)


[This message has been edited by sea69 (edited 12-03-2001).]

Ass3mbler
12-18-2001, 08:09 AM
Gotta love the coding. I still have it on at least one machine playing with it. Maybe the script kiddies are actually learning to program instead of downloading off of hacker web sites......... NAW I am delirious as it is 6AM here and I am still at work living off of JOLT and Nicotine. Sorry for the ramblings it will cease and desist now.

Originally posted by Paleo Pete:
Watch out for this one, it hit me already. I have 3 copies sitting in my Inbox right now, and undoubtedly more to come...

W32/Badtrans@MM (http://www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2607) is the McAfee write up, the Symantec write up is Here (http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html)

I goofed, I didn't look close enough at the Message Source when looking up spammers, and opened this one. I haven't tried to reboot yet, but will shortly and will probably be removing yet another trojan. GRRRRRR....

This trojan was discovered 11/24 so make sure and UPDATE YOUR DAT FILES before checking your e-mail. McAfee has already written this one into the newest DAT files, Norton probably has too.

Watch out for this one, it opens and runs automatically if you open the e-mail message it is attached to. Open Windows Explorer and go to View\Folder Options, click the View tab and make sure the Hide extensions for known file types box is UNCHECKED and also Show all files should be CHECKED.

In Outlook Express right click on each e-mail message that contains an attachment and click Properties. In the Properties box click the Details tab then Message Source at bottom. Maximize this window and read it closely, if the e-mail has an attachment you will find a section that is similar to:
This is copied directly from one of the e-mails I received. Note the dual extension (bold text.) That is always an indication of a virus or trojan. If you see something similar to the above, DO NOT open the email message.

If you're using Netscape or Eudora I can't help with procedures, I use neither. The McAfee page has removal instructions, I'm sure the Symantec page does too, I didn't look, they're usually very good at posting detailed information.

I hope none of our visitors have problems with this one, knowing full well that is a futile hope...some of them will be infected anyway, as past experience has shown me.

Please be wary of this one, I may be reinstalling later today because of it. I planned to do that anyway, but wasn't expecting to do it right away...





------------------
Assembler,

Bow before me for I am r00t