[LINK] New virus: BadTrans.B 40k "Re: " with no visible message

Fitzsimmons, Caitlin fitzsimmonsc@theaustralian.com.au
Tue, 27 Nov 2001 14:28:28 +1100


It certainly sounds like Badtrans.b. More info is below.

Badtrans.b hits home
Caitlin Fitzsimmons
NOVEMBER 27, 2001
HOME computer users have been hardest hit by an outbreak of a new virus that
was discovered in Europe at the weekend.
http://australianit.news.com.au/articles/0,7204,3327116%5E15306%5E%5Enbv%5E,00.html

-----Original Message-----
From: Robin Whittle [mailto:rw@firstpr.com.au]
Sent: Tuesday, 27 November 2001 12:53
To: Link mailing list
Subject: [LINK] New virus: BadTrans.B 40k "Re: " with no visible message


On Monday evening I received two of these and now, halfway through
Tuesday, I have received another five, all from separate addresses, none
of which are known to me.

The subject is "Re: " and there is no visible message.  Looking at the
source (I use Netscape 4.77 as my email client) I find an attachment
with names such as:

  Content-Type: audio/x-wav;
         name="fun.MP3.pif"

  Content-Type: audio/x-wav;
         name="info.DOC.scr"

  Content-Type: audio/x-wav;
         name="Humor.MP3.scr"

  Content-Type: audio/x-wav;
         name="README.MP3.scr"

  Content-Type: audio/x-wav;
         name="New_Napster_Site.MP3.pif"

I am not sure which virus this is - but I don't recall such emails in
the past, so I think it is new.  I checked at:

   http://wtc.trendmicro.com/wtc/

to see what the latest computer (actually, I think they are all, or
almost all, viruses which exploit weaknesses in Microsoft software)
virus/worm trends were, and one called PE_NIMDA.A-O is top of the pops
today:

   http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A-O

But a more likely candidate is BadTrans.B:

   http://www.datafellows.com/v-descs/badtrs_b.shtml

Yes - this is it.  The above page has a list of fake addresses, and one
of my addresses is from that list.

In addition to replicating by sending itself out as emails, it installs
a "keyboard hooker" with a password stealing trojan.

    The worm's attachment might execute automatically when the emails
    are viewed. To do this Badtrans.B uses a known vulnerability in IE
    that allows automatic execution of an email attachment. This
    vulnerability is fixed and a patch for it is available on Microsoft
    site:

    http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp


In biology, I understand that, viruses (it seems so academic to say
"viri"!) have led to decimation of populations and the development of
new species as non-susceptible individuals with different genetic
inheritance flourish while the main population suffers or is nearly
annihilated.   So it is with software, I think, except that most people
will install and use damn Internet Explorer and Outlook Express again,
thinking there is safety in numbers and in the software coming from the
world's most successful software company.  As long as they do this, then
there isn't much pressure on Microsoft to program things in a more
secure way.

I understand that default installations of Windows cause Windows
Explorer and Outlook Express to hide the extension of well-known file
types, such as those of executable file types ".exe", ".pif" and
".scr".  So even if the mail program doesn't automatically execute the
attachment, they may see an attachment as a link called "Humor.MP3" and
click it, thinking they are going to safely listen to an MP3 file.   As
long as the Microsoft programs hide such extensions, then there will be
more worms like this one.

I received another one in the 20 minutes it took to write and research
this email.


 - Robin
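The two tell-tale signs Robin lists, a decoy double extension such as "Humor.MP3.scr" and an audio/x-wav Content-Type on an executable attachment, can be checked mechanically at a mail gateway. The following is an added example, not code from the original post or from any vendor; the sample message, the extension lists and the function names are my own constructions, and the "what Windows would display" helper only models the extension-hiding behaviour described above.

```python
import email
from email import policy

# Extensions Windows runs as programs; Badtrans.B used .pif and .scr (assumed list).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "vbs"}
# Harmless-looking inner extensions a user is likely to click on (assumed list).
DECOY_EXTS = {"mp3", "doc", "txt", "wav", "jpg", "zip"}

def displayed_name(filename):
    """Model Explorer's 'hide extensions for known file types': drop the last extension."""
    parts = filename.split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else filename

def classify_attachment(filename, content_type):
    """Return the reasons an attachment matches the Badtrans.B pattern (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension ." + parts[-1])
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        reasons.append("decoy double extension, shown to user as " + displayed_name(filename))
    if not content_type.startswith("application/"):
        reasons.append("Content-Type " + content_type + " does not match an executable")
    return reasons

def scan_message(raw):
    """Parse a raw RFC 822 message and list (filename, reasons) for suspicious parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reasons = classify_attachment(name, part.get_content_type())
            if reasons:
                findings.append((name, reasons))
    return findings

# Constructed sample modelled on the headers quoted above; one worm-style part, one benign.
SAMPLE = """From: someone@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="Humor.MP3.scr"
Content-Disposition: attachment; filename="Humor.MP3.scr"

AAAA
--b1
Content-Type: audio/x-wav; name="song.wav"
Content-Disposition: attachment; filename="song.wav"

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE):
        print(name, "->", "; ".join(reasons))
```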

