This information can be freely reproduced in any medium, as long as the information is unmodified.
Note: There is no threat to Macintosh users (assuming that they are not running a PC simulator) from the BadTrans family, although they can expect to see a lot of copies of infected email in their inboxes.
Note: Users of VirusScan v.4.5.1 as distributed at U-M have been protected from W32/BadTrans.B@MM since the 4167 drivers (released on 25 October, 2001). Assuming that you are using this software, it will have updated itself automatically when you connected to the Internet, so, like Mac users, you will find this virus a plague in your mailbox but not a real threat.
The W32/BadTrans virus family was discovered on 11 April, 2001, but a new variant, dubbed W32/BadTrans.B@MM, was discovered on 24 November, 2001 and has spread rapidly "In The Wild." Its rapid spread can probably be attributed to several issues:
Whatever the reason for its spread, it has become a significant annoyance in a short time. Some antivirus products, using heuristic techniques, were able to detect the new variant immediately; others needed to be updated. In any event, major antivirus products were able to detect, prevent and sometimes repair infected files within hours of the discovery of the new strain.
While the best way to recognize a virus is to use an antivirus scanner -- "identification by symptom" is folly when there are over 59,000 different nasties out there -- here are a few tips that may help to recognize email that is infected with W32/BadTrans.B@MM:
Hence, if you try to reply to the apparent sender, the email will usually bounce: the virus prepends an underscore to the real address, and the resulting address is not a deliverable one.
The virus apparently can forge the address from which it sends itself, but I have not yet seen an example of this behavior. It's just a WAG on my part, but I suspect it forges only when it cannot find a valid email address from which to send.
Sometimes, however, the message has a different subject: the subject line of a message the infected user had received (possibly one you sent them), prefaced by Re:.
If the virus manages to get control, it will harvest email addresses from one's incoming email, and also collect addresses from cached web pages. Hence like other recent viruses, W32/BadTrans.B@MM is able to send to addresses of "people you don't know."
The virus then sends itself to these addresses, hoping that (a) recipients will open the attachment or that (b) recipients will have vulnerable email programs that will launch the virus automatically -- in particular, via the IFRAME vulnerability; see Microsoft's IFRAME Vulnerability page (leaving our site) if you use Microsoft products to read your email.
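The three indicators above (an underscore-prefixed sender, a recycled "Re:" subject, and an HTML body that loads an attachment through an IFRAME while the attachment's MIME header declares a harmless type, which is the mismatch the IFRAME exploit relies on) can be checked mechanically against a saved message. The following Python script is an added example for this page, not code from the page's author or from any antivirus vendor. The sample messages it parses are constructed here; the addresses, attachment name and Content-ID in them are made up.

```python
"""Flag e-mail that shows the W32/BadTrans.B@MM indicators described above.

Checks:
  sender-underscore : the apparent sender's address starts with "_"
  subject-re        : the subject is "Re:" plus recycled text
  iframe-executable : an HTML body pulls a MIME part in through an IFRAME
                      and that part's data begins with the "MZ" signature
                      of a Windows executable, whatever type the header claims
This is an added example, not vendor code; the sample messages below are
constructed and every address and name in them is made up.
"""
import base64
import re
from email import message_from_string
from email.utils import parseaddr

# <iframe ... src="cid:XYZ"> with any quoting style
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def indicators(raw):
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    found = []

    # 1. Underscore-prefixed sender: the virus prepends "_" to a harvested
    #    address, so replies to the apparent sender bounce.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.startswith("_"):
        found.append("sender-underscore")

    # 2. Subject recycled from the victim's mail, prefaced with "Re:".
    if re.match(r"\s*re:", msg.get("Subject", ""), re.I):
        found.append("subject-re")

    # 3. Map Content-ID -> part, gather the HTML, then see whether an IFRAME
    #    references a part that is really a Windows executable.
    by_cid = {}
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += (part.get_payload(decode=True) or b"").decode("latin-1", "replace")
        cid = part.get("Content-ID")
        if cid:
            by_cid[cid.strip().strip("<>")] = part
    for cid in IFRAME_CID.findall(html):
        part = by_cid.get(cid)
        data = (part.get_payload(decode=True) or b"") if part else b""
        if data[:2] == b"MZ":  # DOS/PE executable signature
            found.append("iframe-executable")
            break
    return found


# Constructed sample: the first bytes of a PE file, declared as audio/x-wav
# (the kind of MIME-type lie the IFRAME attack depends on).
_PE_STUB = base64.b64encode(b"MZ" + b"\x00" * 6).decode()

SAMPLE_INFECTED = f"""From: _jane@example.org
To: victim@example.org
Subject: Re: lunch on Friday
MIME-Version: 1.0
Content-Type: multipart/related; boundary="XX"

--XX
Content-Type: text/html; charset=us-ascii

<html><body><iframe src="cid:part01@example" width=0 height=0></iframe></body></html>
--XX
Content-Type: audio/x-wav; name="note.pif"
Content-Transfer-Encoding: base64
Content-ID: <part01@example>

{_PE_STUB}
--XX--
"""

SAMPLE_CLEAN = """From: jane@example.org
To: victim@example.org
Subject: lunch on Friday

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, indicators(raw))
```

The executable check looks at the decoded bytes rather than the declared Content-Type or the file name, because the whole point of the IFRAME trick is that the header lies about what the part is. Any one indicator on its own is weak (plenty of legitimate mail starts with "Re:"), so a real filter would score the combination rather than act on a single hit.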
The virus keeps a record of addresses to which it has sent itself, so that it does not send to any address more than once. If you have been infected, you may want to check this file before disinfecting, so that you will know whom to notify that you have sent a virus to them.
The virus, in addition to spreading, does some nasty things: it captures your keystrokes (which can include passwords, etc.) and then emails that information to someone. So you want to protect yourself from it, and get rid of it immediately should you be so unlucky as to contract it.
For more information about this virus, see e.g., NAI's (leaving our site) or F-Secure's (leaving our site) writeup on W32/BadTrans.B@MM
Please do not forward warnings about this virus -- or any other warning or hoax -- to all your friends.
Instead, you should reply to the sender -- and as far back up the email chain as you have energy -- pointing the originators to web resources such as ours. For this particular virus I suggest that you provide a pointer to this URL http://www.umich.edu/~virus-busters/badtransb.html.
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).
-BPB
visits to this page since 28 November 2001 11:31 EST