I've gotten over a dozen messages with the W32/BadTrans.b@MM virus! Here's how to get rid of it.
Quote from Forum Archives on November 28, 2001, 4:53 pm
Posted by: homenews <homenews@...>
Hello Hope Chest friends!

I don't know if you've noticed a new virus the past few days, but I've gotten over a dozen "blank" messages, with the sender's address starting with a _ symbol, and a subject line Re: of some message I had sent out in the past several months. Actually, for those whose mail is read by Outlook, the supposedly empty body of the e-mail has a hidden virus in it. I don't use Outlook, so I was not infected, and to my knowledge, have not passed anything on. But many of you ARE infected and don't even know it.

I have, by the way, updated my anti-virus protection and run a full scan on my computer. I am virus-free.

After I got several of these suspicious messages, I posted on our local home school loop looking for information, and a lady named Lois was kind enough to respond:

~~~
Below is an explanation I received from another mailing list. You do need to update your virus definitions -- every week is not too often. This particular virus is a sneaky one: it doesn't come as an attachment, but is actually embedded in the email. If you are using Outlook as your mail reader, and you have opened the email, your computer is infected. Instructions for how to clean it up are included below. It's not a particularly harmful virus (won't destroy anything on your computer), but it will send out lots of annoying emails to everyone it can find.
~~~

Text of explanation:

Dear List Members,

I think it would benefit all of you to take the time to read this explanation, as it will explain further, and in more detail, how this nasty virus works.

It is called "W32/BadTrans.b@MM". It is quite different from the original "W32/BadTrans@MM" virus.

First, here's how it works. When a user becomes infected, the next time he/she reboots the computer, the virus goes through the user's email program and looks for unread emails in all the mailboxes. It picks some of these, makes a reply to them, and sends itself.

Here's the kicker. It uses the infected person's email address as the sender, BUT it adds "_" (underscore) before the real address. The subject line will probably have nothing but "RE:" (nothing else). The body of the email will be completely blank. There are no attachments, so there is nothing to click. The virus is embedded in the body, with cute code to hide it; the recipient never sees anything but a totally blank message.

(I'm adding this after I finished the email. I just discovered a problem when searching for FROM: addresses that start with <_. There is a problem with people who have their email program set to show both their name and email address in the FROM: header. If such a person is infected, mail from him/her will show, in the header, something like the following:

"John Doe" <[email protected]>

The FROM: element in the header you see before you open the email will show only "John Doe". That's a problem. Either set up a filter to divert infected emails to a separate mailbox, or make sure your system is COMPLETELY protected before you open or preview any more emails.)

In addition, the virus tries to dig through the infected person's computer and send email addresses, credit card numbers, bank account numbers, passwords, etc., back to the writer of the virus.

Anyone using OUTLOOK (not Outlook Express) will infect his/her computer if he/she merely OPENS (reads) or PREVIEWS the email. The email has no attachment to click to activate it; it is activated by opening it, by the hidden HTML code in the email.

Again, the virus makes use of the MS01-027 exploit, which means that the virus can execute on READING or PREVIEWING the email from within Outlook - it is not necessary to double click on any attachment, since the email contains no TEXT or ATTACHMENT. The virus is EMBEDDED in the body, but formatted NOT to appear, thus you get a completely blank message if you WERE to open it, which would mean you are already infected when you open the email, IF you haven't done all the following:

1) Installed an Anti-Virus (AV) program;
2) Kept it updated with the latest data files;
3) Have your AV program configured properly to detect email viruses;
4) Downloaded and installed the MS patches for MSIE 5.01 and 5.5.

The patch to fix this exploit has been available from Microsoft since May 16, 2001 !!!!!!!!!!

Where to read the Microsoft Bulletin MS01-027, dated May 16, 2001, and links for downloading the patch for MSIE 5.01 and 5.5:
<www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp>

Where to read about the W32/BadTrans.b@MM Virus:
<www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2607>
<www.messagelabs.com/viruseye/report.asp?id=86>

Evidently, MSIE 6.0 is not affected, since all the patches for 5.01 and 5.5 were incorporated into it. But, to be sure, make sure you go to the Windows Update page and check to see which patches your system needs.
<windowsupdate.microsoft.com/>

I have seen emails on some of the Lists to which I subscribe, where obstinate users absolutely refuse to install an Anti-Virus (AV) program. They claim they are intelligent and experienced enough to never become infected. NOT SO !!!!! This latest atrocity is being spread by some of these "superior" users. What users without AV programs don't understand is that they are doing all the rest of us hundreds of million users a great disservice. I'm tired of downloading dozens of messages every day containing this virus (and others).

Someone else will have to provide the information for Norton and other AV programs, but here is what I know about McAfee:

You must have version 4.x or later installed; You must be using the 4.0.70 or later engine; You must be using the 4172 or later data file; You must correctly configure McAfee to catch viruses in emails and downloaded files.

Furthermore, IF you are using Outlook (not Outlook Express): You MUST not open suspicious emails, or preview them; You must look at the From: header; if it has an address similar to this, <[email protected]>, DON'T open it; all the addresses of the infected persons will be real, except they will have the _ (underscore) in front of them. If you open or preview an infected message in Outlook, it's too late! You're already infected!

One further thing. If you DO use an AV program, it is imperative that you check for updates often -- at least daily, and, with these souped-up virus versions starting to come out, 2-3 times a day wouldn't hurt.

****Addition for OE and Eudora users: Set up a filter that looks for <_ in any header; set it to transfer all such emails to a special folder (such as Infected-Email); make sure you also select "Skip Rest" in the second Action box; then move this filter to the very top of your filters.
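As an added illustration of the filter advice in the post (this is not code from the original message or from any AV vendor), here is a small Python check that classifies a message by the parsed sender mailbox rather than by the visible From: text, so the "John Doe" display-name case the explanation warns about is still caught, and reports the corroborating "RE:" subject and blank-body signals. The sample messages, addresses and folder names are constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real BadTrans.b captures): an underscore
# sender, the same pattern hidden behind a display name, and a clean reply.
SAMPLES = {
    "bare_underscore": "From: <_jane@example.invalid>\nSubject: Re:\n"
                       "Content-Type: text/html\n\n<html><body></body></html>\n",
    "display_name": 'From: "John Doe" <_john.doe@example.invalid>\n'
                    "Subject: RE:\n\n\n",
    "clean": 'From: "Lois" <lois@example.invalid>\nSubject: Re: virus warning\n\n'
             "Here is the explanation I received.\n",
}

def sender_has_underscore(from_header):
    """True when the mailbox itself (not the display name) starts with '_'.
    A client that shows only "John Doe" still carries the address in angle
    brackets, so the parsed address is what the filter must inspect."""
    _display, addr = parseaddr(from_header or "")
    return addr.startswith("_")

def indicators(raw):
    """Return the signals from the post that a raw RFC 822 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    if sender_has_underscore(msg["From"]):
        found.append("underscore_sender")
    if (msg["Subject"] or "").strip().lower() == "re:":
        found.append("bare_re_subject")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    if not re.sub(r"<[^>]*>", "", body).strip():   # blank once markup is stripped
        found.append("blank_body")
    return found

def triage(messages):
    """Mirror the OE/Eudora filter: underscore sender -> Infected-Email folder."""
    return {name: ("Infected-Email" if "underscore_sender" in indicators(raw)
                   else "Inbox") for name, raw in messages.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage({name: raw})[name], indicators(raw))
```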