Date: Nov 29, 2001 05:45 PST
From: "Songs of Praise"
Subject: Songs of Praise - virus alert

Dear List Members,

I really hate to do this, but I have received several dozen virus emails from members of this list in the last 24 hours. There is a new virus spreading rapidly called "W32/BadTrans.b@MM". If you are using Microsoft Outlook (not Outlook Express), you can get infected by just viewing the email. YOU DON'T HAVE TO CLICK ON AN ATTACHMENT. This is different from other viruses we have seen in the past.

My computer is NOT infected (I use Netscape mail and am running Norton Antivirus), but I wanted to warn everyone so you can avoid this problem.

Peace in Christ,
Elton Smith
http://songsofpraise.org

Please see the detailed explanation below (written by another person)...

======================================================

I think it would benefit all of you to take the time to read this explanation, as it will explain further, and in more detail, how this nasty virus works. It is called "W32/BadTrans.b@MM". It is quite different from the original "W32/BadTrans@MM" virus.

First, here's how it works. When a user becomes infected, the next time he/she reboots the computer, the virus goes through the user's email program and looks for unread emails in all the mailboxes. It picks some of these, makes a reply to them, and sends itself.

Here's the kicker. It uses the infected person's email address as the sender, BUT it adds "_" (underscore) before the real address. The subject line will probably have nothing but "RE:" (nothing else). The body of the email will be completely blank. There are no attachments, so there is nothing to click. The virus is embedded in the body, with cute code to hide it; the recipient never sees anything but a totally blank message.

(I just discovered a problem when searching for FROM: addresses that start with <_. There is a problem with people who have their email program set to show both their name and email address in the FROM: header. If such a person is infected, mail from him/her will show, in the header, something like the following:

"John Doe" <_joh-@wherever.com>

The FROM: element in the header you see before you open the email will show only "John Doe". That's a problem. Either set up a filter to divert infected emails to a separate mailbox, or make sure your system is COMPLETELY protected before you open or preview any more emails.)

In addition, the virus tries to dig through the infected person's computer and send email addresses, credit card numbers, bank account numbers, passwords, etc., back to the writer of the virus.

Anyone using OUTLOOK (not Outlook Express) will infect his/her computer if he/she merely OPENS (reads) or PREVIEWS the email. The email has no attachment to click to activate it; it is activated by opening it, by the hidden HTML code in the email.

Again, the virus makes use of the MS01-027 exploit, which means that the virus can execute on READING or PREVIEWING the email from within Outlook - it is not necessary to double click on any attachment, since the email contains no TEXT or ATTACHMENT. The virus is EMBEDDED in the body, but formatted NOT to appear, thus you get a completely blank message if you WERE to open it, which would mean you are already infected when you open the email, IF you haven't done all the following:

1) Installed an Anti-Virus (AV) program;
2) Kept it updated with the latest data files;
3) Have your AV program configured properly to detect email viruses;
4) Downloaded and installed the MS patches for MSIE 5.01 and 5.5.

The patch to fix this exploit has been available from Microsoft since May 16, 2001 !!!!!!!!!!

Where to read the Microsoft Bulletin MS01-027, dated May 16, 2001, and links for downloading the patch for MSIE 5.01 and 5.5:

Where to read about the W32/BadTrans.b@MM Virus:

Evidently, MSIE 6.0 is not affected, since all the patches for 5.01 and 5.5 were incorporated into it. But, to be sure, make sure you go to the Windows Update page and check to see which patches your system needs.

I have seen emails on some of the Lists to which I subscribe, where obstinate users absolutely refuse to install an Anti-Virus (AV) program. They claim they are intelligent and experienced enough to never become infected. NOT SO !!!!! This latest atrocity is being spread by some of these "superior" users. What users without AV programs don't understand is that they are doing all the rest of us hundreds of millions of users a great disservice. I'm tired of downloading dozens of messages every day containing this virus (and others).

Someone else will have to provide the information for Norton and other AV programs, but here is what I know about McAfee:

- You must have version 4.x or later installed;
- You must be using the 4.0.70 or later engine;
- You must be using the 4172 or later data file;
- You must correctly configure McAfee to catch viruses in emails and downloaded files.

Furthermore, IF you are using Outlook (not Outlook Express):

- You MUST not open suspicious emails, or preview them;
- You must look at the From: header; if it has an address similar to this, <_som-@somewhere.com>, DON'T open it; all the addresses of the infected persons will be real, except they will have the _ (underscore) in front of them.

If you open or preview an infected message in Outlook, it's too late! You're already infected!

One further thing. If you DO use an AV program, it is imperative that you check for updates often -- at least daily, and, with these souped-up virus versions starting to come out, 2-3 times a day wouldn't hurt.

****Addition for OE and Eudora users: Set up a filter that looks for <_ in any header; set it to transfer all such emails to a special folder (such as Infected-Email); make sure you also select "Skip Rest" in the second Action box; then move this filter to the very top of your filters.

======================================================
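
Added example (not part of the original message): the "<_" filter described above, written as a Python triage function that parses the address out of the sender headers, so a display name such as "John Doe" cannot hide the underscore and a subject line that merely mentions "<_" does not trigger it. The function names, the header list and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers that can carry a sender address (assumed set; the alert says "any header").
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def underscore_senders(msg):
    """Return (header, address) pairs whose address part starts with '_'."""
    hits = []
    for header in ADDRESS_HEADERS:
        # getaddresses() splits '"John Doe" <_jdoe@example.com>' into
        # ('John Doe', '_jdoe@example.com'), so the display name is ignored.
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr.startswith("_"):
                hits.append((header, addr))
    return hits


def triage(raw):
    """Classify one raw message as ('quarantine' | 'inbox', reasons)."""
    msg = message_from_string(raw)
    hits = underscore_senders(msg)
    if not hits:
        return "inbox", []
    reasons = [f"{h}: address starts with '_' ({a})" for h, a in hits]
    # Supporting trait from the alert; reported as context, not required.
    if msg.get("Subject", "").strip().lower() == "re:":
        reasons.append("subject is a bare 'RE:'")
    return "quarantine", reasons


# Constructed sample messages (not real mail).
SAMPLES = {
    "display_name_hides_it": 'From: "John Doe" <_jdoe@example.com>\nSubject: RE:\n\n',
    "normal": 'From: "Jane Roe" <jroe@example.com>\nSubject: RE: hymn list\n\nThanks!\n',
    "subject_mentions_pattern": 'From: list@example.com\nSubject: filter on <_ in headers\n\nFYI\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Legitimate addresses can also begin with an underscore, so matches belong in a quarantine folder for review rather than being deleted outright.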