[LINK] New virus: BadTrans.B 40k "Re: " with no visible message
Robin Whittle
rw@firstpr.com.au
Tue, 27 Nov 2001 12:53:14 +1100
On Monday evening I received two of these and now, halfway through
Tuesday, I have received another five, all from separate addresses, none
of which are known to me.
The subject is "Re: " and there is no visible message. Looking at the
source (I use Netscape 4.77 as my email client) I find an attachment
with names such as:

    Content-Type: audio/x-wav;
        name="fun.MP3.pif"

    Content-Type: audio/x-wav;
        name="info.DOC.scr"

    Content-Type: audio/x-wav;
        name="Humor.MP3.scr"

    Content-Type: audio/x-wav;
        name="README.MP3.scr"

    Content-Type: audio/x-wav;
        name="New_Napster_Site.MP3.pif"

I am not sure which virus this is - but I don't recall such emails in
the past, so I think it is new. I checked at:
http://wtc.trendmicro.com/wtc/
to see what the latest computer (actually, I think they are all, or
almost all, viruses which exploit weaknesses in Microsoft software)
virus/worm trends were, and one called PE_NIMDA.A-O is top of the pops
today:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A-O
But a more likely candidate is BadTrans.B:
http://www.datafellows.com/v-descs/badtrs_b.shtml
Yes - this is it. The above page has a list of fake addresses, and one
of my addresses is from that list.
In addition to replicating by sending itself out as emails, it installs
a "keyboard hooker" with a password stealing trojan.
The worm's attachment might execute automatically when the emails
are viewed. To do this Badtrans.B uses a known vulnerability in IE
that allows automatic execution of an email attachment. This
vulnerability is fixed and a patch for it is available on Microsoft
site:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
In biology, I understand that viruses (it seems so academic to say
"viri"!) have led to decimation of populations and the development of
new species as non-susceptible individuals with different genetic
inheritance flourish while the main population suffers or is nearly
annihilated. So it is with software, I think, except that most people
will install and use damn Internet Explorer and Outlook Express again,
thinking there is safety in numbers and in the software coming from the
world's most successful software company. As long as they do this, then
there isn't much pressure on Microsoft to program things in a more
secure way.
I understand that default installations of Windows cause Windows
Explorer and Outlook Express to hide the extension of well-known file
types, such as those of executable file types ".exe", ".pif" and
".scr". So even if the mail program doesn't automatically execute the
attachment, they may see an attachment as a link called "Humor.MP3" and
click it, thinking they are going to safely listen to an MP3 file. As
long as the Microsoft programs hide such extensions, then there will be
more worms like this one.
I received another one in the 20 minutes it took to write and research
this email.
- Robin
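
Added example, not part of the original message: a mail-gateway style check, in Python, for the pattern described above (an attachment whose real extension is executable, hidden behind a harmless-looking inner extension and a mismatched Content-Type). The function name suspicious_attachments and the sample message are constructed for illustration.

```python
import email
from email import policy

# Extensions the post names as executable types Windows hides by default.
EXECUTABLE_EXTS = {"exe", "pif", "scr"}

# Constructed sample, modelled on the headers quoted in the post.
SAMPLE = """\
From: sender@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav;
 name="Humor.MP3.scr"

AAAA
--b1
Content-Type: audio/x-wav; name="song.wav"

AAAA
--b1--
"""

def suspicious_attachments(raw_message):
    """Return (filename, declared_type, reasons) for each risky MIME part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() falls back to the Content-Type name= parameter.
        name = (part.get_filename() or "").rstrip(". ")
        pieces = name.lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in EXECUTABLE_EXTS:
            continue
        reasons = ["executable extension ." + pieces[-1]]
        if len(pieces) >= 3:
            # What a user sees when the final extension is hidden.
            reasons.append("displays as " + name.rsplit(".", 1)[0])
        ctype = part.get_content_type()
        if not ctype.startswith("application/"):
            reasons.append("declared type " + ctype + " is not an executable type")
        findings.append((name, ctype, reasons))
    return findings

if __name__ == "__main__":
    for finding in suspicious_attachments(SAMPLE):
        print(finding)
```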