General discussion
November 26, 2001 at 5:57 am #2123359
Have you been hit the “BadTrans” worm?
by jasonhiner · about 21 years, 2 months ago
The BadTrans worm is spreading across the Internet. It is a particularly nasty little virus that leaves a Remote Access Trojan and some other little “gifts.” Has your company been hit yet or have your virus scanners detected this worm? How have you recovered and/or what are you doing to stop future infections?
November 26, 2001 at 6:17 am #3550571
Not Yet
by rabbit_runner · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
We have not yet been hit with this virus. We have tightened our e-mail server to block attachments with those extensions, plus several more. But we will keep a close watch on our network.
December 2, 2001 at 11:45 pm #3570805
December 3, 2001 at 3:15 am #3570630
December 6, 2001 at 8:47 am #3549675
Exch 4? Upgrade to 5.5
by lordinfidel · about 21 years, 2 months ago
In reply to Blocking of attachments
That would be my first recommendation.
Next, to block extensions you would need some sort of AV product for the gateway.
Either McAfee GroupShield 4.5 SP2 or higher or TrendMicro’s AV scanner for Exchange will do.
Both allow extension blocking/quarantining. (The latter of the two is what I recommend, so as not to piss off my users.)
December 3, 2001 at 4:13 am #3547994
December 3, 2001 at 11:51 am #3547778
it is easy
by cane.csk · about 21 years, 2 months ago
In reply to I HAD HIT BY BADTRANS*** VIRUS
I use my personal PC for company mail. This way every possible damage by any virus is prevented on company PCs. On my PC I have nothing important. Company PCs are not connected to the net.
I was hit by this virus on November 30. My AVP did not find anything while receiving mail, but when I tried to open the mail, I received a warning message. Disinfection was useless. I disconnected the connection, deleted kernel32.exe and booted from a floppy disk. Everything was fine. Rebooting again normally was successful. What is kernel32.exe for? I don’t know, but my Win98SE still works perfectly. On another try to read the same mail I found kernel32.exe created again, which I totally deleted. I couldn’t delete this mail directly, so I used the AVP scanner, in which I chose to check all files thoroughly, mail included, and to disinfect files, but if impossible to disinfect then to delete them.
The scanner runs a long time this way to check a 30 GB hard disk, and found the virus only in this mail and in kernel32.exe, which was automatically deleted. I shut down the PC (also from the power outlet, because of the ATX power supply), waited a few minutes, then turned the PC on and ran the AVP scanner again. This time no viruses were found. I was lucky, because I have no other damage. Today I found this article and I will try to find the other mentioned files which the same virus creates, and try to delete them if they exist on my PC. I suggest that others try the same as I did.
If anyone knows what the use of kernel32.exe is, please inform me. My PC works well without it.
Best regards,
cane.csk@EUnet.yu
December 5, 2001 at 5:03 am #3545587
Got hit at home
by dhj1 · about 21 years, 2 months ago
In reply to it is easy
I got this virus at home via an email attachment called “fun.mp3”. This was about a week ago, but I discovered it yesterday when I heard about another virus on the news and forced a download of the latest Norton virus definitions. Following that, Norton reported that I had the W32/BadTrans.B virus and that it was UNABLE to repair it, and I couldn’t delete the KERNEL32.EXE or KDLL.DLL files. It kept popping alert boxes on my screen to warn me. Pretty annoying.
As I recall this email came from a place in South Africa that I’d swapped emails with about getting a T-shirt. It took a long time for his reply. When I got his email, I’d saved the file to DOS and looked at it with an old DOS-based LIST.COM program and saw nothing that looked like info about the T-shirts, so I didn’t think it would have caused a problem. I must’ve double-clicked the file by accident. Later I got another email from him saying that he’d had problems and thought he might have had a virus(!).
Back to my problem: I used another computer to go on line and read about this virus and found that it installs the kernel32.exe in the RUNONCE key so was able to use REGEDIT to delete the key then reboot in SAFE mode (Win2K). From there Norton was able to find and quarantine the two files where I could delete them. I rebooted the machine and started a Norton scan of the machine. That’s when it found the “fun.mp3” file. Norton successfully quarantined these files so I could delete them.
D.Johnson
December 6, 2001 at 7:34 am #3549729
Virus BadTrans.B virus
by aajayiobe · about 21 years, 2 months ago
In reply to Got hit at home
I got hit by the BadTrans.B virus three days ago.
I use Norton’s and I noticed messages saying it was a virus and it could not be quarantined. I got over a hundred of these messages. I run a mail server on NT4 for my organisation.
What do I do? I’m lost.
Thanks
January 3, 2002 at 2:31 pm #3439644
Rename the Files?
by vickidsign · about 21 years, 1 month ago
In reply to Virus BadTrans.B virus
PC-cillin 2000 offers four choices upon finding these files: 1) clean (but they were uncleanable), 2) rename, 3) delete, 4) leave them alone (seriously not recommended). So because rename was 2nd-best, I chose that, which LEADS ME TO BELIEVE THAT DELETION MIGHT BE DANGEROUS. I’m still waiting for an answer from TechSupport.
The names of these files, to the extent that I could see (before Trend PC-cillin at http://www.antivirus.com renamed them or put them in quarantine) are:
C:\WINDOWS\OPTIONS\CABS\O…(9 OF THESE)
C:\WINDOWS\OPTIONS\CABS\T…
C:\WINDOWS\OPTIONS\CABS\S…
C:\WINDOWS\SYSTEM\REGWIZ…
C:\WINDOWS\SYSTEM\RNAAPP…
C:\WINDOWS\SYSTEM\RUNONC…
C:\WINDOWS\SYSTEM\TAPINE.E…
C:\WINDOWS\SYSTEM\TAPISRV…
C:\WINDOWS\stone.exe
Now they said they can’t find the last one, though (stone.exe)…duh, maybe ’cause they re-named it? Or maybe it’s particularly nasty…
I assume renaming them is good because the villains cannot access them any longer to do damage. If this information helps you at all, please pass it on.
Victoria Ann Harris
November 26, 2001 at 8:42 am #3550526
TG, didnt see anything yet…
by cgi¤001 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Greetings,
You might take a look at DiamondCS Wormguard’s website: http://wormguard.diamondcs.com.au
November 26, 2001 at 12:10 pm #3550412
If I only had a penny….
by lordinfidel · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
My network has received probably about 200+ of these since last night.
Luckily, my exchange server blocks most file extensions, including pif and scr. So we are basically immune to all e-mail borne attacks.
Actually in the last 2 years since the exchange deployment, my network has not been down due to a virus.
This is not because I sit there and disinfect client computers at the very second they get the virus.
It’s because 100% of all of the inbound viruses come thru e-mail. And my mail server catches all of them.
I know that you are saying, well that’s amazing. What anti-virus software are you using?
Well let me tell you. I don’t rely solely on the anti-virus software.
You need to be pro-active. First get anti-v software that allows *You* to block file extensions, extremely important.
Just by blocking exe’s, vbs, scr and pif’s, you can basically eliminate 70% of all current viruses. Then go thru your system files, and block every file extension that is in there (dll, chm, com, bat, sys…You get the picture).
A little prevention goes a long way. Next, the software should be able to send you pages. It may be annoying, but knowing a virus is being circulated is half the battle.
I knew that there was a new variant out as soon as my cell received the first page last night.
Next, inform your users. Send out bulletins. This may seem like fluff if you have done the above. But it keeps your users on their toes, and makes them paranoid. Which sadly enough is what you want. You never want them to open anything. At least if they are paranoid they might just contact you first at the sign of a suspicious e-mail.
Just in case you didn’t get the gist…
Prevention, my friends, will save your networks.
December 3, 2001 at 1:12 am #3570742
W32 badtrans
by vonschmt · about 21 years, 2 months ago
In reply to If I only had a penny….
My firewall was the first clue, since the update was not yet in my virus definitions. As soon as it started asking me if kernel32.exe could access the internet I started to get concerned. Outlook was useless, so after updating and cleaning the machine I opened up e-mail with another program and deleted at least 30 of the buggers. Take care, David
November 26, 2001 at 12:27 pm #3550400
Seen it..
by kurt g · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I have found entries in my event logs written by the A/V scanner. So far, it seems the scanner is detecting and removing the trojans (CA InoculateIT).
November 27, 2001 at 12:04 am #3563489
Hit 3 times in 2 days
by blackcurrant · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
My company (in England) has, since Monday morning, received three emails infected by Badtrans. Luckily our virus scanner picked them up. However, one slipped through the net yesterday, but I located and deleted the kdll.dll and kernel32.exe files and checked the runonce section of the registry. It has not resurfaced. I emailed all the users and informed them of the threat and what form it takes (eg no body text in message). We are still receiving emails infected with the virus. Many forums are also displaying warning messages about this piece of digital nastiness.
Mark
November 27, 2001 at 10:21 am #3563184
Many detected
by dlogan · about 21 years, 2 months ago
In reply to Hit 3 times in 2 days
Our mailserver Virus scanner has detected approx. 80 infected messages since Saturday.
Luckily, all have been dealt with by the AV mail scanner. This seems to be fairly prevalent; it’s giving Magistrate a run for its money.
November 27, 2001 at 1:11 am #3563463
Seen it, but no infections
by mm212 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Our Antivirus email gateway has stopped a couple dozen of these. No infected workstations. Received one at home, but ZoneAlarm changes the file extension on all executable attachments so they are not automatically/accidentally run.
November 30, 2001 at 3:08 am #3569885
Also seen it …
by dave-price · about 21 years, 2 months ago
In reply to Seen it, but no infections
Actually had my workstation anti-virus catch it from a post that came in from another board I subscribe to. It caught it and put it in quarantine….just like it is supposed to do, and within minutes the network admin was at my desk. Gotta love it when a plan works!
November 27, 2001 at 2:21 am #3563419
Nope!
by fixitright_thefirsttime · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
No news is good news!
November 27, 2001 at 4:40 am #3563341
antivirus caught it
by garbski · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I got an update a few days back, let my administrator know and they made sure our antivirus was up to date – now we’re looking at the virus log and thanking our lucky stars…
November 27, 2001 at 8:01 am #3563252
Am I the only admin getting these?
by lordinfidel · about 21 years, 2 months ago
In reply to antivirus caught it
I am averaging around 20 an hour now.
They are all stopped at the mail gateway, but we are still getting them.
Which tells me that, just like SirCam, people can’t follow directions.
Some insight though: make sure your users are patched. Personal Vscanners such as Norton probably will not catch it via e-mail.
(I say this because I just came back from disinfecting one of our stockholders’ systems and it had Norton installed.) There are a few steps to remove:
1. Remove key hklm\software\Microsoft\windows\currentversion\runonce\kernel32
2. Unhide all files and file extensions
3. Find any of these files and note their location: kernel32.exe, kdll.dll, inetd.exe (the first 2 are the main ones); search for *.nls and find the one with the most recent date.
4. Restart into MS-DOS mode or reboot into the command line (2K) (Windows locks these files because the process is running)
5. Delete the files using the command line.
6. Reboot and do a recheck of the registry and search again for the files.
Do not forget to permanently delete the infected e-mails.
November 27, 2001 at 7:54 pm #3571495
RE: Thanks for the attachment
by ping · about 21 years, 2 months ago
In reply to Am I the only admin getting these?
Thanks for these easy to follow instructions! Yes, I have dealt with one infected machine (the CEO’s!) on the network.
The CEO opened an infected email then went “oops”. I did a command-line scan, but it didn’t find anything. After the reboot the virus was activated, and the CEO noticed something was wrong. He turned his PC off, and I ran a further command-line scan, which picked up and deleted the virus files. I then booted into safe mode and deleted the registry key in Run Once.
November 28, 2001 at 1:08 am #3571438
I think I forgot one thing…..
by lordinfidel · about 21 years, 2 months ago
In reply to RE: Thanks for the attachment
Check the win.ini file for a RUN= statement.
In one of the docs I found a reference to it making a run= entry in win.ini to point to c:\windows\inetd.exe (which I was unable to find).
The doc also went on to say that you would need to scroll all the way over to the right to find the entry.
I only found a RUN= without any parameters and removed it just to be on the safe side.
I always say, if it doesn’t need to be there, don’t leave it there.
Glad to be of help.
November 28, 2001 at 2:17 am #3571403
Win2k Note
by lordinfidel · about 21 years, 2 months ago
In reply to I think I forgot one thing…..
Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
November 29, 2001 at 3:35 pm #3570151
Norton AntiVirus Does Catch the Worm
by harr883 · about 21 years, 2 months ago
In reply to Am I the only admin getting these?
My Norton AntiVirus Program 2002 did identify and eliminate the BadTrans.B worm received via an email attachment. Did you ask your stockholder if he/she had the most recent virus definitions? NAV and other anti-virus programs will most likely work only if the anti-virus software is correctly configured and the computer user keeps the virus definitions up to date.
November 30, 2001 at 2:42 am #3569894
Definitions
by lordinfidel · about 21 years, 2 months ago
In reply to Norton AntiVirus Does Catch the Worm
Virus definitions were from 10/31/01.
This is actually an old virus type. Should be detected just based on heuristics.
But a point that I will never waver on is this: never allow AV products to do the work for you.
As an admin I can not take the chance of a product detecting viruses for me. Which is why I choose the extension blocking method.
This stockholder’s e-mail goes thru a public mail system instead of thru their corporate mail system. Which will now change.
I treat AV products as a best effort backup.
November 30, 2001 at 3:10 am #3569884
Ours caught it too
by dave-price · about 21 years, 2 months ago
In reply to Norton AntiVirus Does Catch the Worm
We are anal about keeping our pattern updated!
December 3, 2001 at 1:35 am #3570729
Antivirus Software & W32.Badtrans.B@mm
by milski · about 21 years, 2 months ago
In reply to Norton AntiVirus Does Catch the Worm
Yes NAV will catch and delete the BadTrans.B worm provided your virus definition is dated after 24 Nov 01. All you have to make sure is that auto-protect has been set to scan all files and to do a scan when you open, run, create, or download a file. McAfee’s has problems if it is 4.03 even when updated with the 4172 DAT file. The virus infects a system using the following code embedded in the e-mail:
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="SEARCHURL.MP3.pif"
Content-Transfer-Encoding: base64
Content-ID:
Active-X controls try to load what it thinks is a wave file, but it is the virus code that gets loaded instead. All you have to do is do a preview of the infected e-mail and it gets you.
November 27, 2001 at 8:58 am #3563216
Got my 1st Nimda.A experience
by rbutler · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I got a referral call at a doctor’s office last Saturday that sounded like a virus. An envelope file w/ .EML extension had been placed in all folders on the server. When you tried to erase the envelope it would add several more or start your media player. The system had one of the more popular virus programs installed, but the dat file had not been updated since they cut the IT tech’s job last June. I calmly ran a burned disk of 11 new virus killers one at a time till I could identify the Nimda.A virus and let the program do its work. It cleaned/killed 7792 files without any real damage to the system. I did have to re-establish mapping and shares, but no damage was done to the system or data files. GOOD job Symantec and McAfee. Security is becoming expensive. You can pay me now or pay me a lot more later!
Randy Butler
Network Admin KVHS
November 27, 2001 at 12:42 pm #3571689
It got me
by ramnjamnjim · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
The best way to get rid of this worm is to unplug your internet connection, go to REGEDIT, delete the RUN ONCE_kernel32.exe key, boot to a command prompt, get to the system32 dir, and delete (or erase) kdll.dll and kernel32.exe then REBOOT…and VOILA!!! It’s gone!!! Be careful with REGEDIT, don’t delete the wrong key!!!
November 28, 2001 at 1:10 am #3571432
There are 2 other parts you missed…
by lordinfidel · about 21 years, 2 months ago
In reply to It got me
Do not forget the win.ini file
and do a search for *.nls. Look for the latest date modified nls file.
This is the file that the key logger stores the info in. It is encrypted so it will look like garbage if you open it. This is the file that is e-mailed to the hotmail address.
November 28, 2001 at 2:05 am #3571410
GRRRRRRRR….
by cgi¤001 · about 21 years, 2 months ago
In reply to There are 2 other parts you missed…
I don’t know if I’m talking about the same virus… Got an email today: no subject, no visible attachment, 1K big.
Didn’t open it, tried to delete it several times. No way to get rid of it.
I disconnected from the net (net is the mail server), ran HouseCall, nothing found, ran Norton, nothing found, emptied the temporary Internet files, rebooted. Ran HouseCall again. Nothing found. No strange events for hours now…
November 28, 2001 at 3:58 am #3571368
Sounds like it….
by lordinfidel · about 21 years, 2 months ago
In reply to GRRRRRRRR….
Check the registry for that key. If it’s there then you know you were infected.
FYI- Norton sucks big time…. I never trust AV products, especially Norton.
It couldn’t find that virus on the system I disinfected either. Don’t trust it.
November 29, 2001 at 7:14 am #3571793
Nope (relief)
by cgi¤001 · about 21 years, 2 months ago
In reply to Sounds like it….
Checked it out: all clean.
I admit Norton creates “doubts” here though.
November 29, 2001 at 7:39 am #3571779
I’m Confused.?..
by lordinfidel · about 21 years, 2 months ago
In reply to GRRRRRRRR….
Rereading your post, it now sounds like you can not delete the e-mail?
If you did not open the e-mail then you would not have been infected.
The easiest way to tell is to check the reg key. Since you did that and there was no entry then you probably did not get it.
I’m not sure if you are using a client to get your e-mail or if it is web based. I don’t believe that it would be possible for this virus to exploit web based e-mail, because web based e-mail is not a standard MAPI client.
It is also relevant that this virus actually runs upon reboot. It does not actually activate the very second that you click on the e-mail/attachment.
But the standard rules apply: verify it for yourself. Never let a virus scanner do the work for you, because it can be wrong.
Especially if you are looking for a specific virus. Remember, even if the scanner finds the virus, it will only *attempt* to remove that file. It will not clean up other crap that the virus altered (ini files, reg keys, bat files, etc)
November 29, 2001 at 6:48 pm #3570047
Strange stuff, I admit…
by cgi¤001 · about 21 years, 2 months ago
In reply to I’m Confused.?..
The email is Web Based.
Now, first I tried to delete the email (no subject, sender unknown, absolutely no information: blank. Size 1k). I couldn’t delete the mail. So far the mail hasn’t reached me yet. I disconnected from the net, ran the scanners. Result: nada.
After reading the replies above, I followed the instructions given; result nada. I went back to the mail server: the suspicious mail was gone…
Bottom line: this is what makes this forum worth visiting: information and warnings with great value, not only for the IT pro, but also for the less skilled End User.
I learn something (almost) every day here!
November 30, 2001 at 1:21 am #3569938
Good thing about web mail is….
by lordinfidel · about 21 years, 2 months ago
In reply to Strange stuff, I admit…
It is impossible (I shouldn’t say impossible, hard more like it) to infect a host with a virus.
Reason being, unlike conventional e-mail clients that run on the client side, web based e-mail is run on the server side as a web service.
If you have not figured it out already just by using the net: normal non-malicious web site owners do not allow programs to arbitrarily execute in the web directories for the web servers.
It’s like making a folder on your HDD and telling it that whatever you put in there can be read only, no execute or write.
Web mail is the same way. You are just reading only. Now If you download the attachments and click on it, then you will be infected. But unless you have a MAPI based e-mail client, the virus will not be able to spread. Because it will be unable to propagate thru a non-mapi client such as a web based system.
November 28, 2001 at 2:22 am #3571400
Got it
by bc3 technologies · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
received it in outlook this morning. blocked the attachment tho. kinda sad cuz i wanted to open the .bat file and see what it did 🙂
November 28, 2001 at 4:33 am #3571355
Yes Have Been Hit!!! Today
by samuel c. · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I got e-mails from another computer I know sent to my e-mail addresses containing Bad-Trans!!! Luckily Yahoo picked it up when I checked with Norton Antivirus.
November 28, 2001 at 7:30 am #3571265
Norton Comes Through Again!
by open2info · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
As far as I know, good old Norton caught it. I just updated my virus software a day before–whew! The only beef is that I didn’t hear about it in the news until 2 days later!
November 28, 2001 at 8:30 am #3571235
Reply To: Have you been hit the “BadTrans” worm?
by mdomingue · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Norton caught one event on my machine.
November 28, 2001 at 10:37 am #3571198
Hit three times today
by ictcncadmin · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Norton Anti Virus caught and eliminated the virus as it entered my Exchange server.
November 28, 2001 at 8:42 pm #3572031
Symantec attitude
by pchardwaretech · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
It is not enough for Symantec to simply encourage us to “block any e-mail with attachments ending in .pif or .scr.” They should develop a more responsible approach by including this virus in their definitions. This will allow us (their customers) to update our virus definitions.
That is more responsible.
Though I have not been hit, I feel for those who have.
Downloading Tiny Software’s personal firewall may help in future. I use Tiny Personal Firewall, downloaded from CNET. It helps me monitor incoming and outgoing traffic.
November 29, 2001 at 2:50 am #3571914
They do have a point….
by lordinfidel · about 21 years, 2 months ago
In reply to Symantec attitude
Blocking/Quarantining file extensions is actually the best practice.
By blanket blocking file extensions at the mail gateway, you are effectively blocking 99% of known viruses that come thru.
There is very little legitimate use for corporate users (and home users) to be receiving scr, pif, vbs, dll, com and bat files thru e-mail (just to name a few).
I actually block roughly 50 known file extensions at the gateway. This basically makes my network immune to e-mail borne virus attacks.
The files are quarantined for up to 10 days.
This gives my users enough time to ask me for the file, assuming it is a legitimate file. If I have any questions/concerns about the file, I can test it in an offline environment. You will find that your users will not mind the extra step in getting their file. They will hate you more if they can not work because the network is down due to a virus.
You can never rely on anti-virus software to catch viruses. Remember, someone has to get hit with the virus first before they can create the definition for it.
Therefore it is better to block the file extension.
November 29, 2001 at 7:18 am #3571791
For further reference….
by cgi¤001 · about 21 years, 2 months ago
In reply to They do have a point….
Can we have the complete list of file extensions?
Would be a great help!!!
Thx in advance.
November 29, 2001 at 8:26 am #3571746
LordInfidels BigOl’ extension block list
by lordinfidel · about 21 years, 2 months ago
In reply to For further reference….
Here it goes, enjoy……
??_,000,386,a,acm,asp,ax,bak,bat,bin,cab,cat,cfg,chm,com,cpi,cpl,dat,dev,dll,dnu,dot,drv,enu,esn,exe,fnt,fra,h,hlp,hta,htt,hxx,ice,inf,ini,iss,ita,jfx,js,jse,lnk,log,mod,msc,msi,nls,nt,ocx,olb,ole,pci,pdf,pif,pot,prx,qtp,qts,qtx,reg,rnd,scr,sep,sex,shs,sql,str,sve,sys,trn,twd,twm,uce,vbe,vbp,vbs,vxd,wsh,xxx
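A gateway-side check that combines the two points made in this thread, LordInfidel’s extension blocking (list above) and the Content-Type / attachment-name mismatch milski quotes from the worm’s MIME headers earlier, as an added example that is not code from any poster or product. The message is constructed, the extension subset is taken from the list above, and the Content-Type-to-extension mapping is an assumption made for the demo.

```python
"""Mail-gateway attachment check (added example; not code from any poster or
product). The sample message at the bottom is constructed for this demo."""
import email
from email import policy

# Subset of the extension block list posted above; the full list drops in here.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "pif", "scr", "vbs", "vbe", "js", "jse",
                      "shs", "hta", "chm", "dll", "lnk", "reg", "wsh"}

# Assumed mapping of a declared Content-Type to the extensions it legitimately
# carries. audio/x-wav with a .pif name is the BadTrans trick quoted in the thread.
EXPECTED_EXTENSIONS = {
    "audio/x-wav": {"wav"},
    "audio/mpeg": {"mp3"},
    "text/plain": {"txt"},
}


def attachment_name(part):
    """Name from Content-Disposition filename= or, failing that, Content-Type name=."""
    return part.get_filename() or part.get_param("name") or ""


def final_extension(name):
    """Last extension, lower-cased: 'SEARCHURL.MP3.pif' -> 'pif' (double extensions
    are judged by what Windows would actually run)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_part(part):
    """Return (name, reasons) when a part should be quarantined, else None."""
    name = attachment_name(part)
    if not name:
        return None
    ext = final_extension(name)
    ctype = part.get_content_type()
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    expected = EXPECTED_EXTENSIONS.get(ctype)
    if expected is not None and ext not in expected:
        reasons.append(f"Content-Type {ctype} does not match attachment name {name!r}")
    return (name, reasons) if reasons else None


def scan_message(raw):
    """Walk every leaf MIME part of a raw RFC 822 message and collect the hits."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no attachment themselves
        hit = inspect_part(part)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: empty body part, the audio/x-wav-named .pif, and a harmless
# text attachment that must pass. The base64 payload is just the word "constructed".
SAMPLE_MESSAGE = """\
From: _someone@example.test
To: user@example.test
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/plain

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
 name="SEARCHURL.MP3.pif"
Content-Transfer-Encoding: base64
Content-ID: <constructed-placeholder>

Y29uc3RydWN0ZWQ=
--====_ABC1234567890DEF_====
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

hello
--====_ABC1234567890DEF_====--
"""

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_MESSAGE):
        print(f"QUARANTINE {name}: {'; '.join(reasons)}")
```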
November 29, 2001 at 8:31 am #3571744
Looks like I broke the page….
by lordinfidel · about 21 years, 2 months ago
In reply to LordInfidels BigOl’ extension block list
If you can’t read it, i posted it for download.
November 29, 2001 at 7:01 pm #3570044
Thanks!!!!
by cgi¤001 · about 21 years, 2 months ago
In reply to Looks like I broke the page….
Another part of the puzzle which makes computing safer.
December 4, 2001 at 11:24 am #3548256
HOW do you block extensions in OE?
by tucker · about 21 years, 2 months ago
In reply to LordInfidels BigOl’ extension block list
I keep hearing about blocking extensions, but I do not know HOW to do this in Outlook Express? I have NAV, and once it ‘caught’ the Badtrans worm trying to infect me, and once it did not – but, I never did get infected and I have checked and rechecked my PC several times with different virus programs, so I know I am clean. Thanks.
December 6, 2001 at 8:52 am #3549672
Generally this is done at the mail gatew
by lordinfidel · about 21 years, 2 months ago
In reply to HOW do you block extensions in OE?
I do know that OE6 does allow you to stop the running of attachments. They are not really blocked, but you can’t run them from within OE6.
I know that Mcafee 4.5 for clients can scan all e-mail attachments if you set it up right.
Not sure about norton or trend micro.
When installing 4.5 you would need to choose custom and install all modules. Once you install all modules and update the definition, you then need to configure VScan to scan all attachments. And then enable heuristics.
November 29, 2001 at 12:28 am #3571991
Question re how this virus spread
by susano · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
The article about the virus said “This worm spreads by replying to messages contained in an infected system’s Outlook mailbox.” Does this mean that if you reply to the person who sent it, but do NOT open the attachments they sent, you have infected yourself? I always thought you had to open the attachments to become infected. Can someone clarify this for me? Thanks..
November 29, 2001 at 1:40 am #3571954
Your answer
by lordinfidel · about 21 years, 2 months ago
In reply to Question re how this virus spread
The problem here is 2 fold.
Once you reply to the message, it creates the message again, and opens it. The virus will then run.
But the bad part is even if you reply back to them, it will not get to them. The virus prepends their email address with an underscore.
So if your e-mail address is normally me@screwed.com, if you are infected and it sends e-mail out to everyone, the person on the receiving end will see your address as _me@screwed.com.
I personally do not open these e-mails to reply back. I look at the headers of the e-mail to grab their e-mail address and remove the underscore.
This would be a good place to note to turn off your preview panes in your main inboxes.
That way things will not launch arbitrarily (msp?).
November 29, 2001 at 3:55 pm #3570147
Question
by robert steenerson · about 21 years, 2 months ago
In reply to Your answer
Is it true that a virus can can be activated just by opening the e-mail message it was attached to?
And what about reading an attachment through the message properties / Details tab / Message Source button ? Does that launch it?
Thanks
November 29, 2001 at 6:57 pm #3570045
December 3, 2001 at 1:47 am #3570716
Virus infection
by milski · about 21 years, 2 months ago
In reply to Your answer
Sorry bud but I do believe you are wrong on that matter. It happens this way:
The virus infects a system using the following code embedded in the e-mail:
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="SEARCHURL.MP3.pif"
Content-Transfer-Encoding: base64
Content-ID:
Active-X controls try to load what it thinks is a wave file, but it is the virus code that gets loaded instead. All you have to do is do a preview of the infected e-mail and it gets you.
December 3, 2001 at 1:09 pm #3547755
What about Netscape users (and others)?
by cecs · about 21 years, 2 months ago
In reply to Question re how this virus spread
Some of the “alerts/reports” mention Outlook or OE, but nothing seems to be said about the effect of this (and other viruses/worms) on Netscape users or what precautions they might want to consider.
Enlightenment will be appreciated.
CECS
November 29, 2001 at 2:53 am #3571913
Yup. Nasty cleanup too.
by a50mhzham · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Yeah, I got nailed by the B variant of BadTrans. Stupid- shot myself in the foot. NAV sucks up resources, making processing of audio in CoolEditPro slower, so I don’t run NAV at bootup. I start it up before I go on-line, and run manual scans every so often. But I was in a hurry last night and failed to load it; further, it slipped my mind for a second that *.scr is EXECUTABLE. Dumbsky.
I ran NAV immediately- it dinged on KDLL.DLL, which is the keylogger component of the B variant. It offers to repair, then says it can’t, then offers to delete the file, then says it can’t (“in use by Windows”). Rebooted to DOS, erased KDLL.DLL; naturally, the virus recreates it on starting the GUI. Went thru a few more iterations. Deleted KERNEL32.EXE and ran NAV again. All better now.
I use Eudora Pro and have never been infected (except this time, when I pretty much did it to myself) and don’t think I have ever passed on a virus to someone else.
I’m still happy everyday that I don’t use a Micro$oft mail client.
-T
-
November 29, 2001 at 8:38 am #3571741
Hit today by the worm
by gwall · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I was sent an email today by a client, but thank goodness for NAVCE, it caught it.
I didn’t want to go through that Nimda thing again!
-
November 29, 2001 at 9:01 pm #3570026
BadTrans
by d.schultz · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I have been hit with BadTrans despite having a McAfee antivirus programme installed. I am not sure if I have eliminated the virus as I use Windows ME and I cannot look at all the files in my C:\_Restore folder as most are hidden and I am denied access to unhide the files.
-
November 30, 2001 at 12:33 am #3569972
-
November 30, 2001 at 1:19 am #3569941
Good advice but
by d.schultz · about 21 years, 2 months ago
In reply to Take the highspeed…
Suppose that one is dealing with a home PC and has no system administrator. Then what?
-
November 30, 2001 at 4:19 am #3569849
Removal instructions
by lordinfidel · about 21 years, 2 months ago
In reply to Good advice but
There are a few steps to remove:
1. Remove the key hklm\software\Microsoft\windows\currentversion\runonce\kernel32
2. Unhide all files and file extensions
3. Find any of these files and note their location: kernel32.exe, kdll.dll, inetd.exe (the first 2 are the main ones); search for *.nls and find the one with the most recent date.
4. Restart into MS-DOS mode or reboot into command line (2k) (Windows locks these files because the process is running)
5. Delete the files using the command line.
6. Reboot and do a recheck of the registry and search again for the files.
Do not forget to perm delete the infected e-mails.
-
-
-
December 2, 2001 at 9:50 pm #3570830
Watch out for “system restore” in WinMe
by imps · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Hello!
Just want to say that if you are using WinMe, removing the infecting file will cause it to appear in the _restore folder.
And if you remove BadTrans from your “Inbox” you will also have to remove it from the “Trashcan”.
/Peter Sarge
-
December 3, 2001 at 12:31 am #3570769
Change your options for Trashcan
by les copains d’abord · about 21 years, 2 months ago
In reply to Watch out for “system restore” in WinMe
In order to get clear of the BadTrans virus, when you delete the files renamed by your antivirus, do not send them to your trashcan or else your antivirus will rename them again and the wheel will keep turning! Go to options for trashcan and do not check the box “send deleted items to trashcan”.
-
-
December 2, 2001 at 11:13 pm #3570811
Bad trans
by admin · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
For a 120 user company, my email protection reported 296 infected incoming mails over the weekend. Our Norton a/v for Exchange stopped them all. All I keep telling users is not to open strange emails (I mean really make them aware) and just keep all our PCs and servers completely up to date. Auto update of a/v signatures caught BadTrans almost immediately.
-
December 2, 2001 at 11:53 pm #3570799
-
-
December 2, 2001 at 11:55 pm #3570797
I love Eudora :-)
by felicity · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I have been using Netscape and then Eudora for email forever at home, but I made the mistake of setting up Outlook Express for my daughter to use on my PC. We had a very bad Nimda attack that choked our mail server for hours with bounce messages.
After that, I imported her email and addresses into Eudora and uninstalled Outlook Express. All quiet on the western front, except for a strange bounce message sent to postmaster which was obviously automated by some virus. On examining the headers, we were surprised to see the mailer set as Outlook. The light bulb went ca ching! and I deleted *.wab from my machine.
No BadTrans problems this time around, so I think I’ve probably instituted the best preventative (aside from Trend Micro’s sniffer).
If you’re thinking of ditching Outlook/Outlook Express – don’t forget to delete your old address books too!
Flick
-
December 3, 2001 at 12:11 am #3570789
Hit 27 times in 5 days
by garym · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
We have been hit 27 times. Norton AntiVirus for e-mail has stopped all 27 copies. Four of our employees have picked up the virus on their home machines. Two did not have an antivirus installed.
-
December 3, 2001 at 12:34 am #3570768
Zone Alarm firewall stopped KERNEL32.EXE
by bear_freeman · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I was clobbered [W98SE + IE/OE5] a few days ago – opened an e-mail in OE, quick flash of a dialog box and I thought ‘oh oh’ – seems I would have been ok if I’d read via web based Hotmail instead. My Zone Alarm firewall kept asking me if I wanted KERNEL32.EXE to access the net to which I said no. Nobody in my address book [as far as I can tell] was infected. Also had a tip whereby putting !000 [could be anything I guess] in my address book stops a virus spreading. Apparently a virus that tries to mail out fails at this first attempt and ‘gives up’.
-
December 5, 2001 at 11:05 pm #3547391
ZA still showed K32.exe….
by teamug · about 21 years, 2 months ago
In reply to Zone Alarm firewall stopped KERNEL32.EXE
after cleaning up and re-booting.
Autoload of ZA has K32 in it still; have I missed something, or is it just held in ZA?
-
-
December 3, 2001 at 1:46 am #3570717
I can not stress enough….
by lordinfidel · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Every time there is a new/variant virus, I keep hearing the “My AV product caught it, after the update, blah blah blah”.
We, sys/mail admins, need to get out of the reliance on AV products to do the work for us.
The problem is that not all virus definitions are known/in AV products’ definition files.
Since it is plausible to assume that most viruses travel by attachments in e-mail, it would then be prudent of us to block and quarantine extensions.
Here is why.
A new virus comes out that let’s say uses the vbs extension. Before the AV vendors can write the definition for it, someone has to get infected and they would need the virus sent to them.
Next, they have to write the definition and send out the update. Next your AV product would have to download and install the update.
This could result in many infected e-mails slipping by your AV scanner undetected.
However, by blanket blocking the vbs extension, you are assured that the new virus would never reach your users.
Fine, it can be argued that this will block legitimate files. As long as you quarantine the files so that only admins can retrieve them, your users should have no issues requesting the legitimate files from you.
Remember, the e-mail system does not belong to your users. It belongs to you. It is your responsibility to keep your network and users protected at all times.
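As an added example (not code from the thread or from any AV product) of the gateway check lordinfidel is describing, here is a small filter that applies the same rule to the MIME trick milski quoted earlier in the thread: an audio/x-wav part whose name actually ends in .pif. The blocklist, the Content-Type table and the sample message are constructed for this example.

```python
"""Flag e-mail attachments that use the tricks discussed in this thread.

Added example; the blocklist, the Content-Type table and the sample
message are constructed here and are not from any vendor product.
"""
import email
from email import policy

# Extensions the thread recommends blocking outright at the mail gateway.
BLOCKED_EXTENSIONS = {"pif", "scr", "vbs", "exe", "bat", "com"}

# What a declared Content-Type should plausibly carry. An audio/x-wav part
# whose name ends in .pif is the mismatch milski's snippet shows.
EXPECTED_EXTENSIONS = {
    "audio/x-wav": {"wav"},
    "audio/mpeg": {"mp3"},
    "application/msword": {"doc"},
}


def extensions_of(filename):
    """All extensions of a name, lowercased: 'a.mp3.pif' -> ['mp3', 'pif']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_part(part):
    """Reasons to quarantine one MIME part; an empty list means allow."""
    reasons = []
    filename = part.get_filename()   # Content-Disposition filename or Content-Type name
    if not filename:
        return reasons
    exts = extensions_of(filename)
    if not exts:
        return reasons
    real_ext = exts[-1]              # the extension Windows actually honours
    if real_ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{real_ext}")
        if len(exts) > 1:
            reasons.append(f"double extension disguises .{real_ext} as .{exts[-2]}")
    ctype = part.get_content_type()
    expected = EXPECTED_EXTENSIONS.get(ctype)
    if expected is not None and real_ext not in expected:
        reasons.append(f"Content-Type {ctype} does not match .{real_ext}")
    return reasons


def inspect_message(raw):
    """Parse a raw RFC 822 message; return {filename: [reasons]} per attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_filename():
            findings[part.get_filename()] = inspect_part(part)
    return findings


def should_quarantine(raw):
    """True if any attachment in the message trips a rule."""
    return any(inspect_message(raw).values())


# Constructed sample: empty body, a 'wave' part that is really a .pif,
# and one harmless text attachment. The part name mirrors the thread.
SAMPLE_RAW = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/plain

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="SEARCHURL.MP3.pif"
Content-Transfer-Encoding: base64
Content-ID: <constructed-id@example.invalid>

TVpub3RyZWFsbHk=
--====_ABC1234567890DEF_====
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

meeting notes
--====_ABC1234567890DEF_====--
"""

if __name__ == "__main__":
    for name, reasons in inspect_message(SAMPLE_RAW).items():
        print(name, "->", reasons or ["allow"])
    print("quarantine:", should_quarantine(SAMPLE_RAW))
```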
-
December 3, 2001 at 2:59 am #3570656
in responce to badtrans
by terafirma2 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Click Start/Run, type Regedit, then hit the Enter key. Double click the following: HKEY_LOCAL_MACHINE. In the right panel look for KERNEL32, click the registry value and delete it. Restart your system, run a new scan and keep your security up to date. This should rid your computer of the worm. Good luck!!!!
-
December 3, 2001 at 3:09 am #3570642
Not using Outlook
by rgoss · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
This is just another reason NOT to use Outlook or Outlook Express. I am using another email program, and it didn’t process the attachment, which would have been filtered by my virus checker anyway. Several others who ARE using Outlook were infected.
-
December 3, 2001 at 3:22 am #3570629
Almost Got me!
by serverjockey · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I was using a trial edition of Computer Associates’ new EZ-trust anti-virus and it had timed out. I didn’t know it was still running since the system tray had disappeared, but fortunately CA had mercy on me and the real time protection was still running as I popped my e-mail, saw what I thought was a legitimate e-mail and bam! There was a message from the antivirus saying that hamster.doc.pif was infected and had not been restored. I immediately deleted the e-mail.
I also shut off the autopreview mode in Outlook and Outlook Express on all my accounts. I think it’s time to check into a different e-mail program, one that’s not such a big target for hackers...
I install CA’s anti-virus on all my customers’ computers and I’m glad to say that not once has any of them received a virus! The trick is to put the autodownload in the startup menu... that way every time they start the computer the AV wants to go out and get the updates!!
My advice to everyone, get the AV updates religiously and be careful of any e-mail you open!
-
December 3, 2001 at 3:22 am #3570627
Sound, or fury
by jbrawley · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Was hit at home. No virus detector.
I have _sounds_ associated with all program openings/closings, so if a program does something in the background, I hear it.
The worm, an attachment to an email from a friend I haven’t heard from in five years, opened and closed two programs, but did nothing else.
When this happens, I know something that wasn’t _supposed_ to happen, has.
Recopying the offender to floppy, examined with a filereader, read what little English was in the code, then went surfing for an ID and a cure.
It was a bother, but nothing to be terrified about, and the little bugger failed to alter my WIN.INI file, although it installed the rest of its baggage.
Dropping to DOS is good. I stayed with DOS far beyond its time (I still miss it), doing W98 only a few years ago.
Today’s viruses can’t handle pure DOS….
You have to reboot-to-DOS (W95/98/etc.) to manually get rid of the worm anyway.
-
December 3, 2001 at 3:29 am #3570621
7 hits/7 misses
by davidwilliams1 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I run OE 6.0 and have a message rule that moves email with no body text to a separate folder called ‘virus’.
The first BadTrans hit was from a friend of mine and it had a subject of bin Laden.
When I clicked on ‘save’ to desktop so I could right click and scan, my AV, which is AVG 6.0, messaged me, identifying the virus inclusive of the 2 file endings, and deleted the infected file.
Since then I have been hit almost once a day and from people I don’t know, always with no text in the email body and always with an attachment.
I merely ‘double delete’.
-
December 3, 2001 at 3:32 am #3570620
hit by
by jnivard · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Date 12/1/2001 w32.badtrans.B@mm from India
12/02/2001 W32.Magistr.39921@mm from Australia, detected by virus scanner
Kind regards
John Nivard
-
December 3, 2001 at 3:37 am #3570616
Inbox has been emptied
by mioco01 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Has there been any talk of this virus emptying the entire inbox? This happened to a user, and the only message that appeared was a new “Welcome to Outlook” message. No other trace of a virus though...
-
December 3, 2001 at 4:02 am #3547999
Weird Problem after Possible Infection
by serverjockey · about 21 years, 2 months ago
In reply to Inbox has been emptied
What happened on my home PC after I opened the e-mail is that it tried to open Windows Media Player!?!??!
I searched the registry but didn’t find any entries in the run once, also didn’t find any of the files that have been mentioned. There are some *.nls files but dated back to 99 (are there legitimate *.nls files?).
I’m wondering if I can uninstall media player and re-install?
Any ideas?
-
December 3, 2001 at 6:13 am #3547895
My Inbox Was Emptied Too
by desi906 · about 21 years, 2 months ago
In reply to Inbox has been emptied
I got hit a few days ago. I use Netscape because so many viruses seem to target Outlook or Outlook Express. As I was downloading mail, I had started opening the first mail while the others were still streaming in, and McAfee popped up a dialogue box telling me it had detected a virus. I clicked Delete File, and then found my entire Inbox had disappeared. It was not in Trash and I was unable to locate it anywhere.
-
-
December 3, 2001 at 4:11 am #3547995
BadtransB Virus
by peter.hubbard · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I received an e-mail which attempted to infect my P.C. running Windows XP and Norton Antivirus 2002.
Norton stopped it dead in its tracks and deleted the e-mail; sadly this meant I do not know who sent it to me and could not let them know they had.
I will block e-mails with attachments with the suffixes suggested by Symantec in future.
-
December 3, 2001 at 5:33 am #3547922
BadTrans and BT
by paul.gray9 · about 21 years, 2 months ago
In reply to BadtransB Virus
For all those BT Openworld users: BT actually inadvertently sent BadTrans to all its users.
I received BadTrans via e-mail and got rid of it manually. Also got a tip to put this in the address book: !10A-Viruskiller@ whether it works or not is another matter.
Paul
-
-
December 3, 2001 at 4:20 am #3547985
Fun.mp4.pif??
by rcoleman · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I don’t use antivirus software by choice, but I also do not open any online greeting cards, or attachments, unless I know who sent it and I was expecting it. Even if they have a note included saying that they sent it I double check!
Last week I got an email with absolutely no text in the body offering any explanation, but it had an attachment called “Fun.mp3.pif”. It may or may not be the real thing but I’m opening it either way! If I permanently delete the email from Outlook Express will it come back to bite me, or do you have to have antivirus software to be able to completely disable it?
Thanks
-
December 3, 2001 at 4:22 am #3547984
NAV for GATEWAYS – failing
by tomt · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I’m getting the BadTrans worm on a daily basis. Norton that is installed on my local machines is finding and cleaning this worm; however, my Norton AV for Gateways is not catching this coming through outside email.
-
December 3, 2001 at 4:53 am #3547961
Followed directions, but still need help
by revfred · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I “caught” BadTrans.B. Looked at Symantec’s, Norton’s, and Trend’s advice on getting rid of it. Followed directions and thought I was done. Installed PC-cillin 2000. Went three days without a hitch, but then it came back. Come to find out, my _RESTORE\TEMP folder has 36 files infected (I have Win ME on a Dell 4100 Dimension). I have not been able to remove any (didn’t think I could). Dell says I need to fdisk and start over. Any suggestions? Is this the only option? – revfred@cis.net
-
December 3, 2001 at 7:09 pm #3547215
Points to consider cleaning badtrans b
by bflee · about 21 years, 2 months ago
In reply to Followed directions, but still need help
Have you disabled the restore function and run the fix BadTrans tools found at http://www.norton.com/avcenter ?
If you are using Internet Explorer, have you installed IE 5.5 SP2 to block viruses like BadTrans.B that exploit bugs in Outlook Express?
-
December 4, 2001 at 2:32 am #3547059
Bless you!
by revfred · about 21 years, 2 months ago
In reply to Points to consider cleaning badtrans b
Bless you my friend! That is the info I was looking for. I wish I had seen it last week! Again, thank you!!
-
-
-
December 3, 2001 at 5:07 am #3547951
Bad Trans, showed up at my doorstep
by deejay54 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I received it as “sorry about last night.mp3.pif”. McAfee was set for programs only, and didn’t catch it. I suspected it to be a virus, so I didn’t open it. I set McAfee for all files, and it scanned it as a virus. I would recommend that you set your scanners for “scan all files” to be on the safe side.
-
December 3, 2001 at 5:57 am #3547907
Some other versions to watch for!
by techbloke · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I have received about 4 of these virus threats; they had these forms:
WS.Badtrans39921@mm
and
W32.Maistr.39921@mm
-
December 3, 2001 at 6:42 am #3547879
Bad Trans
by martin.mcginn · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I have not been hit but am curious: if BadTrans sends “secrets” out from people’s machines, why can this mail address not be traced and something done about it?
-
December 3, 2001 at 7:29 am #3547864
I have been hit
by ptorda · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I was hit by the BadTrans worm... I followed all the instructions on how to get rid of it... but when I check in the registry as instructed by TechRepublic I didn’t now have kernel32.dll in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe
and my version of Kernel32.dll is not new, it’s August 2000; however I did just find the Inetd.exe file, so I deleted it. My virus scanner still picks it up as being in c:\_retore\temp\A0021069.cpy. I am unable to find this as there are only 4 dlls in that directory. I am using AVG by grisoft.com.
Anyone got any suggestions please
-
December 3, 2001 at 8:10 am #3547846
BadTrans
by madnbad · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I was hit; it was under the title of Re: wens. The first I knew of it was when I got a mesg from my email server returning the mesg it sent. It was trying to send itself on!!
It was a total pain to remove; 2 anti virus programs (with updates) failed to locate or recognise the virus. Eventually F-Secure found it and helped me delete it.
-
December 3, 2001 at 12:07 pm #3547775
BadTrans hit
by m.a.sanders · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
1.12.01
1st sign of hit when ‘netwatcher virus’ messages tell me that e-mails had been stopped. Norton update had not installed properly so no detection; had to re-install, update rescue disks and then run these in DOS in order to delete BadTrans. I think (& hope) I’m now clear. If only I’d been running AntiVir as this detected it straight away; I only run it as a backup though as its rescue disks are naff?
-
December 3, 2001 at 4:48 pm #3547695
I’ve gotten 8 copies of “BadTrans”
by dbibb · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Norton caught all of them but it is getting silly. I’ve gotten e-mail with it from .nz and .no as well as from several friends who were infected.
-
December 4, 2001 at 12:35 am #3547128
BadTransB
by bobbuckland · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
We got hit on 12/3. The email came in with no subject and the virus appeared to be attached to the header. It put kernel32.dll and kdll.dll (trojan) in windows/system. Our antivirus had not been updated in 9 days. After update, it found and killed the virus by deleting both files. As far as we know, we caught it before it could spread. It ultimately took about 45 minutes to recover from the attack.
-
December 4, 2001 at 12:37 am #3547126
Read this
by cgi¤001 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
You are not going to believe your eyes…
http://communities.msn.com/eXPerienceWindows/general.msnw?action=get_message&mview=0&ID_Message=249&LastModified=4675349555534276517
-
December 4, 2001 at 9:51 pm #3545786
Anti Virus on server – email freezes up
by d.austin · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I have just spent 2 days with no email coming down to my mail server (mail going out was fine). The reason was that Norton AV (which is installed on my W2K servers and workstations) was catching the virus as the mail downloaded; the virus was successfully quarantined. The message however never appeared in Exchange 5.5 (SP3) and subsequent (un-infected) mails would not download. It was almost as if the act of catching the virus froze up exchserver. I spent 2 days trying to fix this problem (with numerous calls to my mail hoster who could not figure it either). Even by deleting the infected mails directly from the remote server through webmail I could not get rid of them faster than they were coming in. Only last night it occurred to me that the infected emails would never be opened on the server (it has all the patches and IIS is disabled as well anyway) – I then turned off my anti virus on the server and the mails I had spent hours trying to cajole down flooded into Exchange with no adverse effect virus wise to the server. I then re-enabled Norton on the server. Today my client machines are dealing absolutely fine with infected mails through the anti virus installed on the client. If only I had thought of this approach earlier (or been bold enough to try it). I am surprised that I found nothing on the net mentioning this problem; am I the only one, or does anyone know of a workaround that does not involve disabling anti virus on the exchserver??
-
December 5, 2001 at 1:46 am #3545734
Yes I have been Hit!
by adem · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I just got a new PC with Windows XP and I was in the process of getting it all set up when I got hit with the virus. My question is, in order to remove the virus from an XP system, is it the same process as the one for Windows NT, Windows 2000, Windows ME or are there completely different steps that must be taken?
-
December 5, 2001 at 8:25 am #3545489
Got hit but saved by A/V proggie
by sjdoyle · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
Our PC with the web connection got hit, I think from an email my father-in-law sent us the other day, that behaved strangely. CA’s InoculateIT PE whacked the sucker on boot-up though, and after applying the latest CA update (we were only 1 day out of date) a thorough scan of all drives winkled the mother out and destroyed it.
-
December 6, 2001 at 8:08 am #3549690
I got it
by mgfyo01 · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
An e-mail with no subject, no text.
Just an attachment.
As I clicked on it in order to delete it, eSafe began yelling.
After an update of virus signatures, a scan made a little later showed that a file called kernel32.exe was infected and eSafe deleted it.
Another file called CP_25389.NLS was also infected and got deleted.
A file called C:\_restore\A933274106.CPY seems to be infected but it could not be deleted and I am unable to locate it.
So I renamed C:\_restore to C:\_restore0 waiting for an opportunity to reinstall WinMe.
Best regards,
Michel
-
December 8, 2001 at 10:48 am #3546557
Not yet!
by breckt · about 21 years, 2 months ago
In reply to Have you been hit the “BadTrans” worm?
I’m a SA for my company and currently use NAV for NT/Exchange. Does NAV protect against this virus? Our servers have been programmed to delete all emails with .scr and .pif attachments. About this Kernel32=kernel32.exe, is there any way I can create a script to check for this, or must I go to EVERY user, server, etc?
Thanks!
-
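An added example, not from the thread, of one way to check the RunOnce entry breckt asks about (the same key lordinfidel’s removal step 1 deletes) without visiting every machine: collect a registry export from each box with regedit /e or reg export and scan the collected files. The parser, the helper names and the sample exports are constructed here; the live-registry function assumes Python’s winreg module and only does anything on Windows.

```python
"""Scan .reg exports for the RunOnce entry the thread associates with BadTrans.B.

Added example, not from the thread. The parser, the sample exports and the
helper names are constructed here; exports come from `regedit /e` or
`reg export` on each machine.
"""
import re

RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
SUSPECT_VALUE = "kernel32"      # value name quoted in the thread: Kernel32=kernel32.exe
SUSPECT_DATA = "kernel32.exe"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def unquote(data):
    """Turn the .reg form of a REG_SZ ("C:\\x") into a plain string; leave dword:/hex: as is."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4 or 5.00 export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None or not line:
            continue
        if line.startswith("@="):               # default value of the key
            keys[current]["@"] = unquote(line[2:])
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = unquote(m.group("data"))
    return keys

def find_badtrans_runonce(text):
    """(key, value_name, data) triples in an export that match the thread's indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() != RUNONCE_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == SUSPECT_VALUE and data.lower().endswith(SUSPECT_DATA):
                hits.append((key, name, data))
    return hits

def check_live_registry():
    """On Windows, read the live RunOnce key the same way; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    hits = []
    sub = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:                     # no more values
                break
            if name.lower() == SUSPECT_VALUE and str(data).lower().endswith(SUSPECT_DATA):
                hits.append((RUNONCE_KEY, name, data))
            index += 1
    return hits

# Constructed sample export showing the entry next to an unrelated Run value.
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"
"""
CLEAN_EXPORT = INFECTED_EXPORT.replace('"Kernel32"="kernel32.exe"\n', "")  # same box, entry absent
```

Run `find_badtrans_runonce` over every collected export; an empty list for a machine means the RunOnce indicator is not present there, which says nothing about the files the other posts list.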
January 2, 2002 at 11:17 pm #3441164
I have email address of Culprit
by vickidsign · about 21 years, 1 month ago
In reply to Have you been hit the “BadTrans” worm?
Rec’d email from John Hoek w/ Intuit.pif attchmt which I opened to “System File Checker” wizard... I have prnt-scrn of all as proof in jpg format. Got address: hoek5@home.com ’cause I sent thanx (as my system un-clogged upon using wizard). Then friends replied to mail I didn’t send... HE did, using my website name & the word “resume” & pif icon. His orig. message I copied to paste here:
It is a last attempt to establish the proper setup of a product that has Internet Client integrated.
Filename: intuit.reg
Contents:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\SharedPath32]
@="C:\\WINDOWS\\Intuit\\Shared\\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\Setup]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\Setup\IEPreferred]
@="FALSE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\Setup\CNCInstalled]
@="TRUE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\Setup\ShowDiagnosticOption]
@="TRUE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\Setup\EnableDiagnosticDataUpload]
@="TRUE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\Setup\International]
@="FALSE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\ISP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\ISP\ConnectTo]
@="www.qfn.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\SSL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intuit\InternetClient\SSL\AllowResume]
@="TRUE"
Procedure for Use:
Export the user’s entire registry to a file.
Copy the file to an external media.
Copy the intuit.reg to the user’s temp directory.
Double click the intuit.reg file. A message “Information has been successfully entered into the registry.”
-
-