Virus alert

[JAMMAN]

Good thing no one on the forum is on my outlook express list. Norton calls it W32.Badtrans.B@mm

It is a variant of the Badtrans worm and from what I saw on the net it was discovered just a few days ago. If anyone needs to know how to get rid of it I just went through a 2 hour self training course. Simply opening the e-mail will launch it, you don't even have to run the attachment.

[Guest CNC Apps Guy 1]

Yeah, somebody sent me one similar. I have my e-mail set up to not run anything. It will prompt to save, where I can then quarrantine it. I sent it to Symantec. Nasty stuff.

[Bullines]

http://securityresponse.symantec.com/[email protected]

[Tony]

I just switched to DSL at home last week AND to outlook "They interface so well together"(installers sales pitch)

well I was wondering what those strange emails were...I opened them all!

Never opened there attatchments , but I guess that doesn't matter.My wife just called frantic

"Are computer is doing strange things"!!

"Ah, just shut it off....I'll fix it later...

Oh, and un plug the cable from the back too, just in case"!

[JAMMAN]

Bullines, I read that artical also, and they missed something I noticed. Kernel32.exe and kdll.dll were being "used by windoze" and couldn't be deleted. So I searched for registry entries referring to these files and deleted the entries. Upon shut down- it re-creates the reg. entrys! The mind of demons. SO........ in the win2k task manager in the processes tab I found Kernel32.exe running, ended the process, then was able to delete both infected files, killed the reg entries, reboot, no more virus. Seems like there should be a better way, but I do know the regestry references both infected files in several spots- not just the one mentioned in the article.

[Bullines]

The developer of the virus was smart in using the file name kernel32.exe. It can easily be confused with kernel32.dll, which is the heart of the OS, after all

The article mentioned that it added something to:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce

Did you happen to notice if it also added something to:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

That worm seems sneaky. Not revolutionary, but sneaky

[JAMMAN]

No, not that one. I guess I should have written down where it was. I found reference to kernel in 5 places and reference to kdll in 2 places. "run" and "run once" are places that lots of software vendors put their references so john q public scratches his head after looking in his startup folder and not finding the 17 or 18 things in his system tray after starting his new compaq or dell.

[Bullines]

"runonce" also comes in handy for developers in registering non-standard ActiveX controls in applications; "runonce" saves the day sometimes

[Allan]

I've seen that run once thing kill an OS one time it was some DNC software that shall remain nameless. When done installing it wanted to reboot (O.K. I thought) the only thing I could get after that was an explorer crash opon boot

[ 11-29-2001: Message edited by: Allan ]

[Guest CNC Apps Guy 1]

quote:

---

...it was some DNC software that shall remain nameless.

---

Does it rhyme with "Predator"? Sorry Jay, it was just too tempting to pass up.