Subject: WARNING - Badtrans.b virus

Further information

Many virus detection companies have received an increasing number of reports
from home users with a new variant of Badtrans, referred to as Badtrans.b.
AVERT has raised the Risk Assessment on this variant of W32/Badtrans@MM to
HIGH RISK FOR CONSUMERS.

W32/Badtrans@MM is a mass-mailing worm that drops a remote-access Trojan.
The virus arrives via the Microsoft Outlook email program and attempts to
send itself by replying to unread email messages.


The email may contain the text "Take a look to the attachment" in the
message body and will contain an attachment that is 13,312 bytes in size.
The attachment name is created in three sections, for example, card.doc.pif.

Home users should not open any email that has an attachment in which the
second extension is .pif or .scr. Any email that has such an attachment
should be deleted.
Further information follows.

> ----- Original Message -----
> From: "Cyber Sentry" <virus report@antivirus.ie>
> To: <virus report@antivirus.ie>
> Sent: Monday, November 26, 2001 4:30 PM
> Subject: Virus Alert- November 26, 2001
>
>
> > Visit Cyber Sentry at www.antivirus.ie
> > ************************************************************************
> >
> > V I R U S A L E R T
> >
> > ------------------------------------------------------------------------
> > Date: November 26, 2001
> > ------------------------------------------------------------------------
> > WORM_BADTRANS.B (Low Risk)
> > ------------------------------------------------------------------------
> > This memory-resident Internet worm is a variant of WORM_BADTRANS.A.
> > It propagates via MAPI32, has a Key Logger component, and arrives with
> > randomly selected double extension filenames.
> >
> > It does not require the email receiver to open the attachment for it to
> > execute. It uses a known vulnerability in Internet Explorer-based email
> > clients (Microsoft Outlook and Microsoft Outlook Express) to automatically
> > execute the file attachment. This is also known as Automatic Execution of
> > Embedded MIME type.
> >
> > Aliases:
> > W32/Badtrans-B, BADTRANS.B
> >
> > Solution:
> >
> > 1. Delete the %System%\CP_25389.NLS file.
> > 2. Click Start>Run, type Regedit then hit the Enter key.
> > 3. Double click the following:
> > HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run Once
> > 4. In the right panel, look for the following registry value: kernel32
> > 5. Click the registry value and then Delete it.
> > 6. Restart your system.
> > 7. Scan your system with our free Online Virus Scan:
> > http://www.cyber-sentry.com/index.mv?free_scan=1
> > and delete all files detected as WORM_BADTRANS.B
> >
> > ************************************************************************
> > For further information on viruses and the Cyber Sentry Virus Protection
> > System, visit our website at www.antivirus.ie
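
Added example, not part of the original alert or of any vendor's tooling: a Python check that a mailbox or gateway script could run to flag attachments matching the description above (a three-section name whose last extension is .pif or .scr, or a decoded size of 13,312 bytes). The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RISKY_FINAL_EXT = {"pif", "scr"}   # second extensions named in the alert
REPORTED_SIZE = 13312              # attachment size given in the alert, in bytes

def check_attachment_name(filename):
    """True when the name has three or more sections and ends in .pif/.scr."""
    # Normalise case and any trailing dots or spaces before splitting.
    parts = filename.strip().rstrip(".").lower().split(".")
    return len(parts) >= 3 and parts[-1] in RISKY_FINAL_EXT

def scan_message(raw_bytes):
    """Return (filename, size, reasons) for each attachment worth quarantining."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text and multipart containers carry no filename
        payload = part.get_payload(decode=True) or b""  # size after base64 decoding
        reasons = []
        if check_attachment_name(filename):
            reasons.append("double extension ending in .pif/.scr")
        if len(payload) == REPORTED_SIZE:
            reasons.append("size matches 13,312 bytes")
        if reasons:
            findings.append((filename, len(payload), reasons))
    return findings

def build_sample(filename, size):
    """Constructed test message with a harmless zero-filled attachment."""
    m = EmailMessage()
    m["Subject"] = "Re: hello"
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m.set_content("Take a look to the attachment")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for name, size in [("card.doc.pif", 13312), ("report.pdf", 2048)]:
        print(name, scan_message(build_sample(name, size)))
```

The size match alone is a weak signal and is reported separately from the filename rule, so a script using this can quarantine on the name and only log on the size.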