Date: Wed, 28 Nov 2001 10:56:03 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: New BadTrans Worm Strain

----------------------------------------
NEW STRAIN OF BADTRANS WORM ON THE LOOSE
----------------------------------------

An Internet worm known as BadTrans caused a lot of trouble early this year, but has mostly died out. A new strain, known as BadTrans.B, appeared on or about November 24 and is spreading VERY rapidly. It has already infected many BCPL.NET customers' PCs. The following is long, but we recommend that all BCPL.NET customers and BCPL staff read it completely.

The following describes both the original BadTrans.A strain (since it still appears occasionally) and the new "B" strain.

BadTrans.A is a mass-mailing worm that attempts to send itself using Microsoft Outlook or Outlook Express by replying to unread e-mail messages found in the infected PC's inbox. It also installs a remote access (back door) trojan. Once running, the trojan attempts to mail the victim's IP address to the trojan's author. This makes it possible for the author to connect to the infected PC via the Internet and steal personal information such as usernames and passwords. The trojan also contains a keystroke logger capable of capturing other vital information such as credit card and bank account numbers and passwords.

An infected message sent by BadTrans.A is easily identified because the message text almost always contains the following:

    "Take a look to the attachment"

If you receive a message containing that text, DO NOT OPEN THE FILE ATTACHMENT.

BadTrans.B appeared on or about November 24, 2001 and is spreading rapidly. Infected messages sent by BadTrans.B are easily identified by the following characteristics:

  o There is no message text.

  o The "From:" address begins with an underscore (_). For example, if the owner of the sending PC is "jdoe@bcpl.net", the address on the "From:" line will be "_jdoe@bcpl.net".

  o The infected file attachment has a double extension selected from the following combinations:

        .doc.pif    .doc.scr
        .mp3.pif    .mp3.scr
        .zip.pif    .zip.scr

If you receive an e-mail matching the above characteristics, DO NOT OPEN THE FILE ATTACHMENT.

BadTrans.B spreads using Outlook Express in much the same way as BadTrans.A, but apparently gathers target e-mail addresses from a wider range of sources: from addresses found in read and unread mail stored on the infected PC, from addresses found in other files on the infected PC (cached Web pages, for example), and from address books found on the infected PC.

BadTrans.B is especially dangerous because under certain conditions it can infect the recipient's PC even if he/she does not intentionally open the file attachment. Simply opening the infected message for reading will do the job. This occurs only if you use a version of Microsoft Internet Explorer and either Outlook or Outlook Express that have not been patched to fix a well-known "auto-open" bug. See the following URL for details on the vulnerability and the patch:

    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Like BadTrans.A, BadTrans.B installs a back door which can give the worm's author access to usernames, passwords and other security-related information.

Only PCs with Outlook or Outlook Express can spread BadTrans via e-mail to other PCs. However, any PC running Windows can be infected if the recipient intentionally opens the file attachment from a BadTrans-infected e-mail. BadTrans cannot infect Macintosh or UNIX computers.

If you receive a BadTrans-infected e-mail, keep in mind that the apparent sender did not send it intentionally. Like all viruses and worms that spread by e-mail, BadTrans sends out its infected e-mail without the knowledge of the owner of the infected PC. The PC owner is not guilty of maliciously spreading a virus. He or she is guilty only of very foolishly opening an unexpected and unknown file attachment or (in the case of BadTrans.B) continuing to use old, unpatched versions of Internet Explorer and Outlook or Outlook Express that are vulnerable to the "auto-open" bug mentioned above.

For more detailed information on BadTrans.A and BadTrans.B see the following URLs:

    http://www.F-Secure.com/v-descs/badtrans.shtml  (BadTrans.A)
    http://www.F-Secure.com/v-descs/badtrs_b.shtml  (BadTrans.B)
    http://www.symantec.com/avcenter/venc/data/w32.badtrans.13312@mm.html  (A)
    http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html  (B)
    http://vil.mcafee.com/dispVirus.asp?virus_k=99069&  (BadTrans.A & B)

As we have said many times before, never Never NEVER open an unexpected e-mail file attachment, even if it appears to be from someone you know. If in doubt, before opening an attachment get in touch with the apparent sender to verify that he/she really meant to send the attachment.

We recommend that anti-virus software be installed on all PCs connected to the Internet. Once installed, its scanning engine and its virus description database MUST be kept up to date. Otherwise the anti-virus software will not be able to detect and clean new viruses.

-- 
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.

CONTACTS:
--------
Web Site:                                 http://www.bcpl.net
Administration & Policy:                  ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:          accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):            help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests:           news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports:         abuse@bcpl.net       410-887-6180
Domain Name Service Issues:               dnsadmin@bcpl.net    410-887-6180
FAX:                                      410-887-2091
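As an added example (not part of the original BCPL.NET notice), the following Python script applies the BadTrans.A and BadTrans.B message indicators listed above (the "Take a look to the attachment" text, the empty body, the underscore-prefixed "From:" address, and the double-extension attachment names) to raw RFC 822 messages, the way a mail gateway or help-desk triage script would. The three sample messages are constructed for this example. The MIME-type mismatch check is a heuristic drawn from the MS01-020 bulletin's description of the "auto-open" bug (an executable attachment declared with a harmless content type) and is an assumption beyond what the notice itself describes.

```python
"""Flag BadTrans.A / BadTrans.B indicators in raw e-mail messages (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Double extensions used by BadTrans.B attachments, as listed in the notice.
BADTRANS_B_EXTENSIONS = (".doc.pif", ".doc.scr", ".mp3.pif", ".mp3.scr",
                         ".zip.pif", ".zip.scr")
# Message text of BadTrans.A, compared case-insensitively.
BADTRANS_A_TEXT = "take a look to the attachment"
# Heuristic (assumption, based on MS01-020): an executable attachment that is
# declared as audio, image or text is what the "auto-open" bug acts on.
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe")
BENIGN_MAINTYPES = ("audio", "image", "text")


def _attachments(msg):
    """Yield (filename, content-type) for every leaf part carrying a filename."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            yield name, part.get_content_type()


def _body_text(msg):
    """Return the message's text body, or "" if it has none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content().strip() if body is not None else ""


def badtrans_indicators(raw):
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.split("@", 1)[0].startswith("_"):
        hits.append("from-underscore")
    attachments = list(_attachments(msg))
    # Windows file names are case-insensitive, so compare lower-cased names.
    if any(n.lower().endswith(BADTRANS_B_EXTENSIONS) for n, _ in attachments):
        hits.append("double-extension")
    if any(n.lower().endswith(EXECUTABLE_EXTENSIONS)
           and ctype.split("/", 1)[0] in BENIGN_MAINTYPES
           for n, ctype in attachments):
        hits.append("mime-type-mismatch")
    body = _body_text(msg)
    if attachments and not body:
        hits.append("empty-body")
    if BADTRANS_A_TEXT in body.lower():
        hits.append("badtrans-a-text")
    return hits


def classify(raw):
    """Map the indicators to a verdict: BadTrans.A, BadTrans.B, suspicious, clean."""
    hits = badtrans_indicators(raw)
    if "badtrans-a-text" in hits:
        return "BadTrans.A"
    if "double-extension" in hits and ("from-underscore" in hits or "empty-body" in hits):
        return "BadTrans.B"
    return "suspicious" if hits else "clean"


# Constructed sample messages (not real captures).
BADTRANS_B_SAMPLE = """\
From: _jdoe@bcpl.net
To: friend@example.net
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: audio/x-wav; name="PICS.doc.pif"
Content-Disposition: attachment; filename="PICS.doc.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

BADTRANS_A_SAMPLE = """\
From: jdoe@bcpl.net
To: friend@example.net
Subject: Re: meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Take a look to the attachment
--b2
Content-Type: application/octet-stream; name="Card.pif"
Content-Disposition: attachment; filename="Card.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b2--
"""

CLEAN_SAMPLE = """\
From: jdoe@bcpl.net
To: friend@example.net
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

Hi, the report we discussed is attached.
--b3
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAA==
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("B", BADTRANS_B_SAMPLE), ("A", BADTRANS_A_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, classify(raw), badtrans_indicators(raw))
```

The verdict for the BadTrans.B sample combines several indicators rather than relying on any one of them, since a legitimate message can have an empty body or an underscore in its address; a double-extension attachment together with either of those is the pattern the notice describes. This is a triage filter for mail logs or a quarantine queue, not a substitute for an up-to-date anti-virus scanner.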