[Admin] Details on virus
- This is being sent with permission of the original poster "Sgt George"
who really knows his "stuff" about viruses. It's kind of technical, but
read it all the way through for an explanation of what is going on. It's
affecting yahoogroups lists as well as Rootsweb.
Sgt George has given permission to share this information with others.
If you do, please take my comments off.
Thanks to Emma, Shamrock listmember, for sharing this.
Maura, listowner Shamrock, CountyCork, Waterford, SlovakRoots
----- Original Message -----
From: "Big Sister - Yshire Listowner" <yshireuk@...>
Subject: [VIRUS] FROM VIRUS-DISCUSSION LISTOWNER -
EVERYONE PLEASE READ
OK, let's see if I can explain this so that everyone understands how
these latest viruses, trojans, and worms work.
Let's start with the very latest, W32/Badtrans@MM, also seen as
W32/Badtrans@M. Here are other aliases that have been found:
There are several things about this one that need to be discussed, how
it is spread, and the danger to the infected user's computer.
1) W32/Badtrans@MM is received as a REAL attachment (more about "real"
vs. "inline" attachments later). It comes as an actual file attachment,
which is downloaded to a user's computer into whatever directory is set
up for such downloads. For Eudora, Pegasus, and other "stand alone"
email programs, this will be something like "Downloads", "Attachments",
etc. For MS Outlook and MS Outlook Express, I'm not sure where a
separate attached file is placed.
2) A user's computer is NOT infected UNTIL he/she clicks on the
attachment and "runs" it, that is, executes it so that it does whatever
it's supposed to do.
3) Once a user clicks the attachment, it installs itself on to the
user's computer. It then does two things:
a) It propagates itself so that every time the system is rebooted, it
mails itself to the sender of EVERY UNREAD EMAIL in the user's MS
Outlook FOLDERS. Notice that I say "folders", not "folder". That means
that if you filter incoming email into various created folders, this
trojan/virus searches all of them, not just the IN BOX.
HERE'S THE REALLY DIRTY PART: The virus looks through all those unread
emails; it finds the originator of them (FROM:) and REPLIES to the
person who sent the original email. BUT, it also attaches a copy of the
infected file and mails it along with the "reply". Thus, if John Doe
sends an email to a person, or to a Mailing List, when that email ends
up on another user's email program, and that
other user is infected and hasn't read John's email, John receives a
reply containing a copy of the virus as a separate clickable file.
HERE'S WHY USERS KEEP INSISTING THAT VIRUSES CAN BE SPREAD BY ROOTSWEB
MAILING LISTS, AND WHY THEY THINK THE ATTACHMENT CAME THROUGH A MAILING
LIST: Let me give an example -
John Doe sends a post to the SMITH-L Mailing List. John Doe's system is
NOT infected. Every one of the 2,000+ users of the SMITH-L Mailing List
receives a copy of John's email. One of these users, let's call him Bill
Smith, has the W32/Badtrans@MM virus on his system.
Now, Bill has a copy of John's email in his Outlook program. He doesn't
read it right away. He reboots his computer and, when Windows restarts,
the virus looks through Bill's email in Outlook. It sends a reply to the
sender of EVERY unread email, AND attaches a copy of itself as a
separate attachment. It copies all the original headers, including those
that show the email came through SMITH-L@....
Then John, the original sender of the email, receives a "reply" to his
email, from Bill. John looks at the email and sees that it is a reply to
his original post. He also sees SMITH-L@... in several of the
headers. As far as he's concerned, he has received a normal reply back
through the Mailing List.
If John is a "newbie", one of two things happens:
I) He sees an attached file, with a message something like,
"Take a look to the attachment." He says to himself, "This Bill Smith is
answering my original post, AND he has sent me an attachment which is
probably a file having something to do with information on my query." He
clicks the attachment; thus ANOTHER SMITH-L Mailing List user is
II) He is savvy enough to know NOT to open the attachment, BUT from the
looks of the "reply" it appears that it came back to him via the Mailing
He screams and curses, and says, "I knew it! I don't care what the
Listowners and the folks at Rootsweb say, these virus attachments ARE
coming through the Mailing List!"
He then posts angry posts to all the Mailing Lists to which he
subscribes, calling the Listowners and Rootsweb people liars. He thus
starts another round of
uninformed posts about how attachments CAN be passed through Mailing
Lists, and about how viruses CAN also be passed through the Lists.
In short, this virus/trojan tricks recipients of infected email into
thinking the virus is being propagated via a Mailing List. NOT SO !!!!!
b) The other thing this virus/trojan does is this: Once running, the
trojan attempts to mail the victim's IP Address to the author. Once this
information is obtained, the author can connect to the infected system
via the Internet and steal personal information such as usernames and
passwords. In addition, the trojan also contains a keylogger program
which is capable of capturing other vital information such as credit
card and bank account numbers and passwords.
4) THIS IS WHY EVERY COMPUTER USER MUST HAVE A FIREWALL ON HIS/HER
COMPUTER !!!!! It doesn't matter whether you are using a dialup modem, a
cable modem, DSL, or whatever, you NEED a firewall. A firewall is
nothing more than a small utility that prevents malicious people from
entering your system through a "back door". Once such a person has your
IP address, he/she can connect to your computer any time your modem is
connected, which is 24/7 for everyone but those using a dialup modem. Of
course, a dialup modem is accessible only when you are actually
5) So, PLEASE, let's stop this latest round of blaming Rootsweb Mailing
Lists for allowing attachments, and for propagating viruses, trojans,
worms, etc. I know that in the future, as new users subscribe, many of
them will come to the same erroneous conclusions and start the thread
all over again. They should be politely, but firmly, advised of the true
6) VERY IMPORTANT POINT: Some users insist that email from Mailing Lists
always comes as attachments. Not so! SOME email programs, such as MS
Outlook/Outlook Express and AOL, convert ALL List email into
attachments. This is one of the most serious problems with such
programs, and causes users to think that they are receiving "real"
"REAL" attachments are FILES that are outside the body of an email, and
come along with the email as a "rider". Other so-called "attachments"
are those that contain the actual text from the body of an email. This
is especially true for those subscribers to the Digest Mode of Lists. MS
Outlook and AOL extract the body text and put it into "attachments".
To the poster who was worried about "viruses going around on the
GEN-NEWBIE Mailing List": I hope you can see from the above that the
viruses are being sent from infected users' computers, users who happen
to be receiving email from the List.
This point MUST be made: If any user receives an infected email, or an
infected attached file, and it appears to have come through a Mailing
List, IT DID NOT. Blame the problems, and resulting confusion, on a
virus-writer who is a little smarter than the average gomer.
To end, here's a list of the KNOWN file-names that the W32/Badtrans@MM
So far, I have received virus attachments with the names
Anyone reading this has my permission to copy it and repost to
individuals or other Mailing Lists.
George W. Durman
Endorsed by Kevin P Dodson
Endorsed by Tracy - Listowner, Eng-Yorkshire
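
The "real" versus body-text attachment distinction from point 6 can be checked mechanically. The following is an added example, not part of the original post: it splits a raw message into body text parts and files carried outside the body, and marks the files that would run when clicked. The addresses, the filename and the extension set are constructed assumptions, not values from the post.

```python
from email import message_from_string

# Assumption: extensions Windows runs on a double-click. This set is an
# illustration, not the filename list from the post.
RUNNABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs"}

def classify_parts(raw):
    """Split one raw message into body parts, real attached files, and
    the attached files that would execute if clicked."""
    body, files, runnable = [], [], []
    for part in message_from_string(raw).walk():
        if part.is_multipart():      # containers, incl. digest wrappers
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            body.append(part.get_content_type())   # text shown as the message
            continue
        name = name or "(unnamed)"
        files.append(name)
        # Only the last extension decides what Windows does with the file.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RUNNABLE_EXTS:
            runnable.append(name)
    return body, files, runnable

# Constructed sample 1: a digest. Each post is a message/rfc822 part, which
# some mail clients display as an "attachment" although it is only text.
DIGEST = "\n".join([
    "From: digest@lists.example", "Subject: List Digest",
    'Content-Type: multipart/mixed; boundary="d"', "",
    "--d", "Content-Type: message/rfc822", "",
    "From: john@example.com", "Subject: Smith query", "",
    "Looking for Smith families.", "--d--", ""])

# Constructed sample 2: a direct "reply" carrying a real file outside the body.
REPLY = "\n".join([
    "From: bill@example.net", "To: john@example.com",
    "Subject: Re: Smith query",
    'Content-Type: multipart/mixed; boundary="r"', "",
    "--r", "Content-Type: text/plain", "", "Take a look to the attachment.",
    "--r", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="sample.scr"',
    "Content-Transfer-Encoding: base64", "", "AAAA", "--r--", ""])

if __name__ == "__main__":
    for label, raw in (("digest", DIGEST), ("reply", REPLY)):
        print(label, classify_parts(raw))
```

The digest yields only a text body part and no files, while the reply yields one real file that is also in the runnable list.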