11-28-2001, 04:45 AM   #11
Zbyszek
Join Date: August 27, 2001
Location: Poznan, Poland
Posts: 575
Install Unix :)
I open my mail on Solaris first, and never ever use Outlook or any other Microsoft mailing application under Windows.
(and if you have - also install the latest patches from Microsoft)

Zbyszek
11-28-2001, 06:03 AM   #12
Memnoch
Ironworks Moderator
 

Join Date: February 28, 2001
Location: Boston/Sydney
Posts: 11,771
People are getting more and more devious each day. Here's a report on the BadTrans virus.


Revamped virus hits Australia
While major anti-virus software vendors report the global threat as limited, Morgan told ZDNet Australia that the virus has become particularly prevalent in Australia since it was first detected on Saturday. A revamped version of the equally awkwardly named W32badtrans.13312@mn, the virus is designed to install a backdoor Trojan which picks up passwords by reading keystrokes.

Dinesh Rajalingam, technical director at the Melbourne-based Virus Defence Bureau points out that while the W32badtrans@mn is not as immediately destructive as some of the more virulent viruses, it is nonetheless capable of compromising the security of infected machines.


“It is not going to wipe your hard drive, but it will certainly pick up on all your passwords,” said Rajalingam. “Those most at risk are people with signature based virus protection, because they are unlikely to recognise the virus unless it has already been updated.”

Rajalingam said computer owners and users are better advised to implement behaviour-based anti-virus software, as it would register the unusual behaviour of the virus and neutralise it before it had time to compromise the system.
In a similar vein, Symantec is advising companies to revise e-mail filtering systems to make sure they block attachments with the extensions .scr and .pif.

David Banes, regional manager for Symantec's security response team, said the W32badtrans@mn was particularly hard to detect without software as it was constantly changing its three letter file type.

“This virus appears under a number of names both in terms of the attachment and the file type,” Banes said. “End users should update their anti-virus software and keep an eye out for any unusual e-mails.”

How it works

Badtrans.B arrives as e-mail. It replies to old e-mail, so the subject line is one that someone has already sent you, so you might be inclined to open it. The e-mail message itself is empty. Badtrans.B includes an attached file whose name is created from the following list:

FUN
HUMOR
DOCS
S3MSONG
Sorry_about_yesterday
ME_NUDE
CARD
SETUP
SEARCHURL
YOU_ARE_FAT!
HAMSTER
NEWS_DOC
New_Napster_Site
README
IMAGES
PICS

The attachment is a DOC, MP3, or ZIP file, with a second extension of either SCR or PIF. For example, an attached file might be named Readme.doc.scr.

Users need not open the attached file to infect their machines. Badtrans uses a known vulnerability in Internet Explorer that automatically opens attachments. In this case, the attached file contains Troj.PWS-AV, a password-stealing Trojan horse. Troj.PWS-AV records all keystrokes and the application name where a keystroke was typed, storing it in encrypted form. The Trojan then connects to a SMTP server to send the log file to a Hotmail e-mail address.

Prevention

Badtrans.B uses a known vulnerability in Outlook Express that is included in Internet Explorer 5.01 and 5.5. Microsoft has released a patch. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6.

Removal

Most antivirus software companies have updated their signature files to include this worm. For more information on removing this worm from your system, see Central Command, F-Secure, Kaspersky, McAfee, Sophos, Symantec, or Trend Micro.



Update your virus definitions regularly and scan at least once a week. It's the best investment you'll make.
Memnoch is offline  
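
The attachment naming pattern described in the report above, together with the .scr/.pif block Symantec advises, as an added example (not part of the original post or any vendor's code): a Python check over a message's attachment names using the standard `email` package. The function names, reason labels and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Gateway block list from the report; decoy first extensions Badtrans.B uses.
BLOCKED_EXT = {"scr", "pif"}
DECOY_EXT = {"doc", "mp3", "zip"}
# Attachment base names from the report's list, compared case-insensitively.
LURE_NAMES = {n.lower() for n in (
    "FUN", "HUMOR", "DOCS", "S3MSONG", "Sorry_about_yesterday", "ME_NUDE",
    "CARD", "SETUP", "SEARCHURL", "YOU_ARE_FAT!", "HAMSTER", "NEWS_DOC",
    "New_Napster_Site", "README", "IMAGES", "PICS")}

def classify(filename):
    """Return the reasons an attachment name is suspicious (empty list = ok)."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    parts = filename.rstrip(". ").lower().split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in BLOCKED_EXT:
        reasons.append("blocked-extension")
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append("double-extension")
        if parts[0] in LURE_NAMES:
            reasons.append("known-lure-name")
    return reasons

def scan_message(raw):
    """Map each attachment filename in a raw message to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): classify(p.get_filename())
            for p in msg.walk() if p.get_filename()}

def build_sample():
    """Constructed message: empty body, one decoy-named and one benign file."""
    msg = EmailMessage()
    msg["Subject"] = "Re: lunch on Friday"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Readme.doc.scr")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", reasons or "ok")
```

Only the final extension decides whether a file is blocked; the lure-name and double-extension reasons are extra context for triage, since the report notes the names and file types vary.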
 

