
Recurring Badtrans.B@mm virus


Dave or Stacey

Jan 20, 2002, 11:06:04 AM
Hello, all! I'm encountering a strange problem in my E-mail. I reported it
yesterday as spam, but I was told it was the
W32.Badtrans.B@mm E-mail worm. I use Windows ME and the newest Outlook
Express. I'm currently with the Cox@Home service. Here's the deal.

I've been receiving random messages in my Inbox, all containing an
attachment to a double-extension file in my Windows/Temporary Internet Files
folder. The sender is variable, and the subject is variable, but the subject
usually says "Re:" (blank). When I view the new message, Windows prompts me
to open or save it. Here's an example:

C:\WIN\Temporary Internet Files\Content.IE5\CVX038A5\Me_nude.MP3.scr
(Sender: "Buffet Flowes's Garden", Subject: "Re:").

Even more odd, after I changed my E-mail address, I was STILL receiving
these strange messages. I cleared out my Temporary Internet Files folder,
but this didn't fix the problem. I was also given some tips and a URL I
should visit to get rid of this crapmonkey. The URL led me to Symantec's
BadTrans removal tool.

I have Windows ME, and I disabled System Restore as instructed to. I
restarted the computer, ran the Removal Tool, and it said it found one viral
infection and deleted one file. This felt great! Finally, Badtrans was
gone...so I thought. This morning, I got another one of those pesky blank
Subject "Re:" E-mails. This one contained the attachment FUN.M.PIF. What the
HELL!?

Why hasn't this thing gone away? I told my roommate about this and she
recommended I disconnect the cable modem and run the removal tool again for
this new instance. But I'm lost. I thought the virus was gone.

I gathered more clues. Tech support on my service provider told me that
although I deleted the virus last night, it could've been transmitted from
someone who's E-mailed me in the past. Great. So this could be PERMANENT. So
help me God, if it is, I'm giving up my Internet and E-mail. I don't want to
spend a lifetime fixing this crap!

Perhaps I was a bit sarcastic with that remark - but more paranoid. The
E-mail worm is back. I don't know what to do now. NOW what? Okay...so should
I configure Outlook Express so that it doesn't automatically open new
E-mails? Should I delete my Address book, provided that might be involved?
How do I go forth with removing this E-mail worm?

- Dave

Man in the Mist

Jan 20, 2002, 1:33:28 PM

"Dave or Stacey" <i...@here.net> wrote in message
news:MVB28.5581$vT4.6...@news1.east.cox.net...

First of all, you should not open an email with just 're:' in the subject
line, because that refers to the BadTrans worm. Did you install the patch
from Microsoft which is on the info page of Symantec? If not, check out the
next link, and all the info you need can be found there:
http://www.symantec.com/avcenter/venc/data/w32.bad...@mm.html

The fact that the worm appears every time in your mailbox has nothing to do
with you, but only with other people whose system is infected by this worm.
They are the ones that are infected and the worm spreads by using their
system. You are probably in the address book or cache memory of those
people's computers. You can try to send an email to them. Do not send a
reply, but use a new message. Tell them that their system is infected by the
BadTrans worm, and tell them to scan their computer online at, for example,
Trend Micro's http://housecall.antivirus.com/
You can also mention the page of Symantec that I told you about earlier. Mind
that if you look for the sender's address in the headers, it can be slightly
modified.

Greetzz.


Man in the Mist

Jan 20, 2002, 2:04:41 PM

"Dave or Stacey" <i...@here.net> wrote in message
news:MVB28.5581$vT4.6...@news1.east.cox.net...

Sorry, I forgot to mention this: You wrote in your post that the virus is
in the Temporary Internet Files. Delete those and the virus is gone. If you
have opened the mail then there is a possibility that your system is
infected.

Greeetzz.

Lou van Wijhe

Jan 22, 2002, 8:07:04 AM
"Dave or Stacey" <i...@here.net> wrote in message
news:MVB28.5581$vT4.6...@news1.east.cox.net...

Dave,

I hope your problem is solved in the meantime. If not, then the following
might help you:

I received the Badtrans-virus several times over the last few weeks. In the
beginning it was immediately removed by my virus scanner (Norton Antivirus
5). However, last week, after having installed Norton Antivirus 2002, I
received it once more and it either was a modified version or NAV 2002
handled it differently from NAV 5.

The e-mail contained the virus program as an attachment. The attachment was
immediately quarantined by NAV. I deleted it from quarantine and ran the
Badtrans removal tool. However, after restarting Outlook Express I received
the same e-mail again (every time I restarted Outlook Express) as if it had
reset itself to be downloaded as a new e-mail.

After further studying the Symantec documentation I learned that the e-mail
not only had the virus program as an attachment but also contained a script
causing it to be downloaded time and again. According to the instructions I
set Outlook Express to not display the preview pane, right clicked the
offending e-mail and deleted it, right clicked the Deleted Items folder and
emptied it, closed Outlook and ran a complete system scan once more.
Thereafter it was gone. DO KEEP YOUR PREVIEW PANE CLOSED ALL THE TIME, it
does activate some viruses without your opening them.

Hope this helps.
--
Lou van Wijhe
jl.va...@hccnet.nl
(For mailing me: Put a dot between "van" and "wijhe")

Gordon McLean, Jr.

Jan 22, 2002, 7:22:38 PM

Lou van Wijhe wrote in message ...
...snip...

>Dave,
>
>I hope your problem is solved in the meantime. If not, then the following
>might help you:
...snip...

>After further studying the Symantec documentation I learned that the e-mail
>not only had the virus program as an attachment but also contained a script
>causing it to be downloaded time and again. According to the instructions I
>set Outlook Express to not display the preview pane, right clicked the
>offending e-mail and deleted it, right clicked the Deleted Items folder and
>emptied it, closed Outlook and ran a complete system scan once more.
>Thereafter it was gone. DO KEEP YOUR PREVIEW PANE CLOSED ALL THE TIME, it
>does activate some viruses without your opening them.

Too draconian, for those of us who find the preview pane indispensable.

(1) Configure Outlook Express so that it runs in the "Restricted sites"
security zone. (Tools | Options..., Security tab.) While there, click on
Settings..., and make sure that in this security zone, everything is set to
Prompt or Disable, by using Custom Settings. This will keep scripts and
other active content from running automatically in HTML emails.

(2) Make sure you download/install all Internet Explorer/Outlook Express
security patches, which can be obtained from the Windows Update site. Note:
Only IE/OE 5.5 SP2 is still supported with hot fixes. So get to IE/OE 5.5
SP2 first, then install any remaining critical updates related to security.

(3) Keep your antivirus software and virus definitions up to date
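
The signs described in this thread (an attachment with a double extension ending in .scr or .pif, a bare "Re:" subject, and script in the HTML body) can be checked before a message ever reaches the mail client. The Python below is an added example, not code posted by anyone in the thread; the sample message is constructed, and the extension list beyond .scr/.pif and the tag list are assumptions.

```python
import email
from email import policy

# Extensions Windows runs directly; .scr and .pif are the two seen in this thread.
EXECUTABLE_EXTS = {"scr", "pif", "exe", "com", "bat", "vbs"}
# HTML tags that run or load content when a message is merely previewed.
ACTIVE_TAGS = ("<script", "<iframe", "<object")

# Constructed sample message (not a captured worm e-mail); addresses are placeholders.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: Re:\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><script></script></body></html>\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="Me_nude.MP3.scr"\r\n\r\n'
    b"placeholder bytes\r\n"
    b"--b1--\r\n"
)

def inspect_message(raw_bytes):
    """Return the reasons a message looks like worm mail (empty list = none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            pieces = name.lower().rstrip(". ").split(".")
            if pieces[-1] in EXECUTABLE_EXTS:
                kind = "double-extension" if len(pieces) > 2 else "executable"
                findings.append(f"{kind} attachment: {name}")
        elif part.get_content_type() == "text/html":
            body = part.get_content().lower()
            findings += [f"active HTML content: {t}>" for t in ACTIVE_TAGS if t in body]
    # A bare "Re:" subject is only a supporting signal, so it is never reported alone.
    if findings and str(msg["Subject"] or "").strip().lower() == "re:":
        findings.append("blank 'Re:' subject")
    return findings

if __name__ == "__main__":
    for reason in inspect_message(SAMPLE):
        print(reason)
```

A filter like this belongs at the mail gateway or in a pre-delivery script, so a flagged message can be quarantined without being rendered in a preview pane.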
