
[Admin] Details on virus

  • mpetzolt2@webtv.net
    Apr 24, 2001
      This is being sent with permission of the original poster "Sgt George"
      who really knows his "stuff" about viruses. It's kind of technical, but
      read it all the way through for an explanation of what is going on. It's
      affecting yahoogroups lists as well as Rootsweb.

      Sgt George has given permission to share this information with others.
      If you do, please take my comments off.

      Thanks to Emma, Shamrock listmember, for sharing this.

      Maura, listowner Shamrock, CountyCork, Waterford, SlovakRoots

      ----- Original Message -----
      From: "Big Sister - Yshire Listowner" <yshireuk@...>
      From: VIRUS-DISCUSSION-L@...
      OK, let's see if I can explain this so that everyone understands how
      these latest viruses, trojans, and worms work.
      Let's start with the very latest, W32/Badtrans@MM, also seen as
      W32/Badtrans@M. Here are other aliases that have been found:
      Backdoor-NK.svr,
      BadTrans (F-Secure),
      I-Worm.Badtrans (AVP),
      W32.Badtrans.13312@mm (NAV).
      There are several things about this one that need to be discussed, how
      it is spread, and the danger to the infected user's computer.
      1) W32/Badtrans@MM is received as a REAL attachment (more about "real"
      vs. "inline" attachments later). It comes as an actual file attachment,
      which is downloaded to a user's computer into whatever directory is set
      up for such downloads. For Eudora, Pegasus, and other "stand alone"
      email programs, this will be something like "Downloads", "Attachments",
      etc. For MS Outlook and MS Outlook Express, I'm not sure where a
      separate attached file is placed.
      2) A user's computer is NOT infected UNTIL he/she clicks on the
      attachment and "runs" it, that is, executes it so that it does whatever
      it's supposed to do.
      3) Once a user clicks the attachment, it installs itself on to the
      user's computer. It then does two things:
      a) It propagates itself so that every time the system is rebooted, it
      mails itself to the sender of EVERY UNREAD EMAIL in the user's MS
      Outlook FOLDERS. Notice that I say "folders", not "folder". That means
      that if you filter incoming email into various created folders, this
      trojan/virus searches all of them, not just the IN BOX.
      HERE'S THE REALLY DIRTY PART: The virus looks through all those unread
      emails; it finds the originator of them (FROM:) and REPLIES to the
      person who sent the original email. BUT, it also attaches a copy of the
      infected file and mails it along with the "reply". Thus, if John Doe
      sends an email to a person, or to a Mailing List, when that email ends
      up on another user's email program, and that
      other user is infected and hasn't read John's email, John receives a
      reply containing a copy of the virus as a separate clickable file.
      LIST: Let me give an example -
      John Doe sends a post to the SMITH-L Mailing List. John Doe's system is
      NOT infected. Every one of the 2,000+ users of the SMITH-L Mailing List
      receives a copy of John's email. One of these users, let's call him Bill
      Smith, has the W32/Badtrans@MM virus on his system.
      Now, Bill has a copy of John's email in his Outlook program. He doesn't
      read it right away. He reboots his computer and, when Windows restarts,
      the virus looks through Bill's email in Outlook. It sends a reply to the
      sender of EVERY unread email, AND attaches a copy of itself as a
      separate attachment. It copies all the original headers, including those
      that show the email came through SMITH-L@....
      Then John, the original sender of the email, receives a "reply" to his
      email, from Bill. John looks at the email and sees that it is a reply to
      his original post. He also sees SMITH-L@... in several of the
      headers. As far as he's concerned, he has received a normal reply back
      through the Mailing List.
      If John is a "newbie", one of two things happens:
      I) He sees an attached file, with a message something like,
      "Take a look to the attachment." He says to himself, "This Bill Smith is
      answering my original post, AND he has sent me an attachment which is
      probably a file having something to do with information on my query." He
      clicks the attachment; thus ANOTHER SMITH-L Mailing List user is
      II) He is savvy enough to know NOT to open the attachment, BUT from the
      looks of the "reply" it appears that it came back to him via the Mailing
        He screams and curses, and says, "I knew it! I don't care what the
      Listowners and the folks at Rootsweb say, these virus attachments ARE
      coming through the Mailing List!"
      He then posts angry posts to all the Mailing Lists to which he
      subscribes, calling the Listowners and Rootsweb people liars. He thus
      starts another round of
      uninformed posts about how attachments CAN be passed through Mailing
      Lists, and about how viruses CAN also be passed through the Lists.
      In short, this virus/trojan tricks recipients of infected email into
      thinking the virus is being propagated via a Mailing List. NOT SO !!!!!
      b) The other thing this virus/trojan does is this: Once running, the
      trojan attempts to mail the victim's IP Address to the author. Once this
      information is obtained, the author can connect to the infected system
      via the Internet and steal personal information such as usernames, and
      passwords. In addition, the trojan also contains a keylogger program
      which is capable of capturing other vital information such as credit
      card and bank account numbers and passwords.
      COMPUTER !!!!! It doesn't matter whether you are using a dialup modem, a
      cable modem, DSL, or whatever, you NEED a firewall. A firewall is
      nothing more than a small utility that prevents malicious people from
      entering your system through a "back door". Once such a person has your
      IP address, he/she can connect to your computer any time your modem is
      connected, which is 24/7 for everyone but those using a dialup modem. Of
      course, a dialup modem is accessible only when you are actually
      5) So, PLEASE, let's stop this latest round of blaming Rootsweb Mailing
      Lists for allowing attachments, and for propagating viruses, trojans,
      worms, etc. I know that in the future, as new users subscribe, many of
      them will come to the same erroneous conclusions and start the thread
      all over again. They should be politely, but firmly, advised of the true
      6) VERY IMPORTANT POINT: Some users insist that email from Mailing Lists
      always comes as attachments. Not so! SOME email programs, such as MS
      Outlook/Outlook Express and AOL, convert ALL List email into
      attachments. This is one of the most serious problems with such
      programs, and causes users to think that they are receiving "real"
      "REAL" attachments are FILES that are outside the body of an email, and
      come along with the email as a "rider". Other so-called "attachments"
      are those that contain the actual text from the body of an email. This
      is especially true for those subscribers to the Digest Mode of Lists. MS
      Outlook and AOL extract the body text and put it into "attachments".
      To the poster who was worried about "viruses going around on the
      GEN-NEWBIE Mailing List": I hope you can see from the above that the
      viruses are being sent from infected users' computers, users who happen
      to be receiving email from the List.
      This point MUST be made: If any user receives an infected email, or an
      infected attached file, and it appears to have come through a Mailing
      List, IT DID NOT. Blame the problems, and resulting confusion, on a
      virus-writer who is a little smarter than the average gomer.
      To end, here's a list of the KNOWN file-names that the W32/Badtrans@MM
      virus/trojan uses:
      So far, I have received virus attachments with the names
      "README.TXT.pif" and
      Anyone reading this has my permission to copy it and repost to
      individuals or other Mailing Lists.
      George W. Durman
      VIRUS-DISCUSSION Listowner
      Endorsed by Kevin P Dodson
      Endorsed by Tracy - Listowner, Eng-Yorkshire
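The post makes two points a list owner or mail admin can check mechanically: a "real" attachment is a separate MIME file part riding along with the message, not body text that Outlook or AOL happen to render as an attachment, and the worm's payload arrives as a "reply" carrying a file with a document-looking name and an executable extension (the post reports "README.TXT.pif"). The script below is an added example written for this archive page; it is not George's code or any vendor's scanner. It uses only Python's standard email library, the sample messages are constructed inline (the addresses, subject and the fake payload bytes are made up), and the list of executable extensions beyond .pif is an assumption for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as programs. Only ".pif" is named in the post;
# the rest are an assumption added so the check generalizes.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}


def classify_parts(msg):
    """Split a parsed message into "real" file attachments and plain body text.

    A real attachment is a MIME part that carries a filename or an explicit
    Content-Disposition of "attachment". Plain text/plain parts are body text,
    even if a mail client chooses to display them as an "attachment".
    """
    real, inline = [], []
    for part in msg.walk():
        if part.is_multipart():          # containers hold no content themselves
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            real.append(filename or "(unnamed)")
        elif part.get_content_type() == "text/plain":
            inline.append(part.get_content())
    return real, inline


def attachment_risk(filename):
    """Return "disguised-executable" for names like README.TXT.pif (a document
    extension hiding an executable one), "executable" for a bare program file,
    or None for anything else."""
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return None
    _, inner_ext = os.path.splitext(root)
    return "disguised-executable" if inner_ext else "executable"


def assess(raw_message):
    """Parse one RFC 822 message and report the attachment pattern the post describes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    real, inline = classify_parts(msg)
    findings = []
    for name in real:
        risk = attachment_risk(name)
        if risk:
            findings.append(f"attachment '{name}': {risk}")
    # The worm sends its payload as a "reply" to unread mail; a reply that
    # carries a program file is exactly the shape described above.
    is_reply = msg["Subject"] is not None and msg["Subject"].lower().startswith("re:")
    if is_reply and any(attachment_risk(n) for n in real):
        findings.append("reply message carries an executable attachment")
    return {"real_attachments": real, "inline_text_parts": len(inline), "findings": findings}


def build_sample(with_attachment):
    """Constructed sample: a 'reply' to a list post, optionally carrying a fake payload."""
    m = EmailMessage()
    m["From"] = "bill.smith@example.invalid"      # constructed address
    m["To"] = "john.doe@example.invalid"          # constructed address
    m["Subject"] = "Re: [SMITH-L] my query"
    m.set_content("Take a look to the attachment.")
    if with_attachment:
        # Dummy bytes standing in for the worm body; not a real executable.
        m.add_attachment(b"MZ-constructed-dummy-bytes", maintype="application",
                         subtype="octet-stream", filename="README.TXT.pif")
    return m.as_string()


if __name__ == "__main__":
    for flag in (True, False):
        print(assess(build_sample(flag)))
```

Run against the two constructed messages, the one with the file part reports a disguised executable arriving in a reply, while the text-only message shows no real attachment at all, only a body part: the same message that Outlook or AOL would display with an "attachment" icon. That distinction is what separates a genuine worm delivery from a digest rendered badly by the client.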