I run a very old version of Outlook Express which crashes when trying to
view the content (not the attachment), so I think that something quite
sophisticated could be going on, i.e. the content carries the virus or at
least the loader.
BTW Norton's didn't raise a peep
FM
Liz Carnell wrote in message <9u0nse$45l$1...@plutonium.btinternet.com>...
>Hello,
>Can someone please advise me on this?
>
>Yesterday I accessed a UK search engine I hadn't used before and Norton
>flashed up a warning saying it might have a virus. It was unable to
>quarantine, fix or delete it.
>
>I seem to have cleared it by emptying all my temporary internet and history
>files.
>
>However, since then, I've been getting a problem with Outlook. I've had a
>number of emails which were blank and a message saying Outlook blocked
>access to potentially unsafe attachments. However, Norton hasn't issued any
>warning over these and I've run a full scan on my system a few minutes ago
>which says I don't have any viruses.
>
>Even more puzzling, when I try to reply to these people to ask them to send
>the email again without attachments, I get a reply saying the senders are
>unknown. They all come from different ISPs which makes me think I do have a
>problem on my machine but not all emails are affected, only some of them.
>Interestingly, I get the same message on Outlook on my laptop which has not
>had the virus problem.
>
>Does anyone have any ideas how I can fix this? I don't want to have to do
>anything drastic like reformat.
>Thanks very much,
>Liz Carnell
>Bullying Online
>www.bullying.co.uk
>he...@bullying.co.uk
>
>
>
How often does your AV software get upgraded with virus info? My NAV not
only updated before I started looking through my email but also correctly
identified and quarantined the infected files.
Kevin.
If you have the security patches for Outlook installed it will remove
potentially hazardous attachments before they're brought into your
machine; this means that Norton doesn't get a chance to see them and hence
doesn't warn you about a problem (because there isn't one; Outlook has
done its job and protected you).
> Even more puzzling, when I try to reply to these people to ask them to
> send the email again without attachments, I get a reply saying the
> senders are unknown.
Almost certainly a virus on someone else's machine trying to infect your
machine.
Make sure that your virus scanner is up to date (not familiar with Norton
but there should be a "live update" option to get it up to date) and then
re-scan.
If this detects no problems then just ignore the emails.
In general, if you receive an email from some one you don't know which has
an attachment then you should delete the attachment without attempting to
open it. If you don't know how to do this or can't do this then just
delete the message completely without reading it; if it's important then
the person is likely to send it again. (I once worked with a teacher who
spent one week throwing the contents of his pigeon hole straight in the
bin; he reckoned that anything important would be re-sent if he didn't
respond but as most of it was from the SMT it could be safely ignored!)
I appreciate that your job might mean that the majority of email you get
is from people you don't know (and people who may be too upset etc to
resend the message)
--
Steve Rochford
Computer Support, The College of North West London
regards
W32.Badtrans.B@mm email virus. This virus is a worm virus that attaches to
emails.
See article from Symantec site below.
Regards
W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 27, 2001 at 07:01:20 AM PST
Due to the increased rate of submissions, Symantec Security Response has
upgraded the threat level of this worm from level 3 to level 4 as of
11/26/01.
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several
different file names. This worm also creates a DLL in \Windows\System
directory as Kdll.dll. It uses functions from this DLL to log keystrokes.
Type: Worm
Infection Length: 29,020 bytes
Virus Definitions: November 24, 2001
Threat Assessment:
Wild: High
Damage: Low
Distribution: High
Wild:
Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Damage:
Payload:
Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.
Distribution:
Name of attachment: randomly chosen from preset list
Size of attachment: 29,020 bytes
Technical description:
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions.
It contains a set of bits that control its behaviour.
001 log every window text
002 encrypt keylog
004 send log file to one of its addresses
008 send cached passwords
010 shut down at specified time
020 use copyname as registry name (else kernel32)
040 use kernel32.exe as copyname
080 use current filename as copypath (skips 100 check)
100 copy to %system% (else copy to %windows%)
When it is first executed, it will copy itself to %system% or %windows% as
kernel32.exe, based on the control bits. Then it registers itself as a
service process (Windows 9x/Me only). It will create the key log file called
%system%\cp_25389.nls and drop %system%\kdll.dll which contains the key
logging code. A timer is used to examine the current window once per second,
to check for a window title containing any of these texts as the first three
characters:
LOG
PAS
REM
CON
TER
NET
These texts form the start of the words LOGon, PASsword, REMote, CONnection,
TERminal, NETwork. There are also Cyrillic versions of these same words in
the list. If any of these words are found, then the key logging is enabled
for 60 seconds. Every 30 seconds, the log file and the cached passwords are
sent to one of these addresses:
ZVDO...@yahoo.com
udtz...@yahoo.com
DTCE...@yahoo.com
I1MC...@yahoo.com
WPAD...@yahoo.com
fj...@rambler.ru
s...@eurosport.com
bg...@canada.com
muw...@fairesuivre.com
rmx...@latemodels.com
ecc...@ballsy.net
suck_m...@ijustgotfired.com
suck_my...@ukr.net
thisisno_f...@usa.com
S_Me...@mail-x-change.com
YJPF...@excite.com
JGQ...@excite.com
XH...@excite.com
OZUN...@excite.com
tsn...@excite.com
cxk...@krovatka.net
ss...@myrealbox.com
After 20 seconds, the worm will shut down if the appropriate control bit is
set.
If RAS support is present on the machine, then the worm will wait for an
active RAS connection. When one is made, with 33% chance, the worm will
search for email addresses in *.ht* and *.asp in %Personal% and Internet
Explorer %Cache%. If it finds addresses in these files, then it will send
mail to those addresses and the attachment name will be one of:
Pics
images
README
New_Napster_Site
news_doc
HAMSTER
YOU_are_FAT!
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
info
docs
Humor
fun
In all cases, MAPI will also be used to find unread mail to which the worm
will reply and the subject will be "Re:". In that case, the attachment name
will be one of:
PICS
IMAGES
README
New_Napster_Site
NEWS_DOC
HAMSTER
YOU_ARE_FAT!
SEARCHURL
SETUP
CARD
ME_NUDE
Sorry_about_yesterday
S3MSONG
DOCS
HUMOR
FUN
In all cases, the worm will append two extensions. The first will be one of
the following:
.doc
.mp3
.zip
The second extension that is appended to the file name is one of the
following:
.pif
.scr
The resulting file name would look similar to CARD.Doc.pif or
NEWS_DOC.mp3.scr.
If SMTP information can be found on the current computer, then it will be
used for the From: field. Otherwise, the From: field will be one of:
"Mary L. Adams" <ma...@c-com.net>
"Monika Prado" <mon...@telia.com>
"Support" <sup...@cyberramp.net>
" Admin" <ad...@gte.net>
" Administrator" <admini...@border.net>
"JESSICA BENAVIDES" <jes...@aol.com>
"Joanna" <joa...@mail.utexas.edu>
"Mon S" <spide...@hotmail.com>
"Linda" <lgo...@hotmail.com>
" Andy" <an...@hweb-media.com>
"Kelly Andersen" <Grav...@aol.com>
"Tina" <tina...@yahoo.com>
"Rita Tulliani" <powe...@videotron.ca>
"JUDY" <JUJU...@AOL.COM>
" Anna" <ai...@home.com>
Email messages use the malformed MIME exploit
(http://www.microsoft.com/technet/security/bulletin/MS01-020.asp) to allow
the attachment to execute in Outlook without prompt. The worm writes email
addresses to %system%\protocol.dll to prevent multiple mails to same person.
After sending mail, the worm adds the value
Kernel32 kernel32.exe
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This will run the worm the next time that you start Windows.
Removal instructions:
To remove this worm, see the instructions for your operating system below.
Windows 9X
restart Windows in Safe Mode and use NAV to detect and delete all files that
are detected as W32.Badtrans.B@mm. Then remove the value that it added to
the registry.
Windows NT/2000
rename the file kernel32.exe, remove the value added to the registry,
reboot, and then delete the files that are detected as W32.Badtrans.B@mm.
To remove the Worm:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before
you make any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys that are specified. Please see the document How to back up the
Windows registry before you proceed. This document is available from the
Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490,
select option 2, and then request document 927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
4. In the right pane, delete the following value:
Kernel32 kernel32.exe
5. Click Registry, and then click Exit.
Additional information:
Prevention
Corporate email filtering systems should block all emails that have
attachments with the extensions .scr and .pif.
Home users should not open any email that has an attachment in which the
second extension is .pif or .scr. Any email that has such an attachment
should be deleted.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.303 / Virus Database: 164 - Release Date: 11/24/01
"Liz Carnell" <l...@bullying.co.uk> wrote in message
news:9u0nse$45l$1...@plutonium.btinternet.com...
> Hello,
> Can someone please advise me on this?
>
> Yesterday I accessed a UK search engine I hadn't used before and Norton
> flashed up a warning saying it might have a virus. It was unable to
> quarantine, fix or delete it.
>
> I seem to have cleared it by emptying all my temporary internet and
> history files.
>
> However, since then, I've been getting a problem with Outlook. I've had a
> number of emails which were blank and a message saying Outlook blocked
> access to potentially unsafe attachments. However, Norton hasn't issued
> any warning over these and I've run a full scan on my system a few minutes ago
> which says I don't have any viruses.
>
> Even more puzzling, when I try to reply to these people to ask them to
> send the email again without attachments, I get a reply saying the senders are
This is the BADTRANS virus which is currently rampaging through the systems
of those using Outlook for their email under Windows.
More smiles for the RISCOS and Linux users !!!!
Why? Do you think Linux is error free?
See http://www.eweek.com/article/0,3658,s%253D701%2526a%253D18376,00.asp or
http://www.cert.org/
Kevin.
LOL
The article is about UNIX not Linux. Whilst there are many similarities
between the two: some file structure similarities, behaviour, commands
etc etc, Linux is a grandchild of Unix and I think you have mixed up
CDE with KDE. Not quite the same. No, not quite.
And I think this line from the article just might have a teensy bit of
relevance:
"This is just what we were talking about last week," Ingevaldson
said, referring to discussions at the Microsoft Corp. Trusted Computing
forum on vulnerability reporting."
And errors in Linux aren't hidden nor are they "undocumented features";
there is considerable kudos attached to finding bugs, to enable them to
be fixed; oh, and everything does get documented - whilst not always
straight away - the Linux community is an open one, it believes in
sharing good news as well as bad.
HTH
--
`p
Yes that did help. I don't pretend for a moment to keep up with the world of
Linux OSs in their many, many guises.
>I think you have mixed up CDE with KDE. Not quite the same. No, not quite.
Nope, I didn't write the article, just provided the link.
> And errors in Linux aren't hidden nor are they "undocumented features";
Can't argue with that especially after reading this...
http://news.cnet.com/news/0-1003-200-8007615.html?tag=lh
MS have patches available for known problems, just go onto the website and
search. The good thing is that it is software from a single company unlike
the multiple Linux vendors approach.
And finally if Linux is such as good OS why bother using MS products re:
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000 - another genuine
question.
What does `p stand for, or is it an "undocumented feature"?
Kevin.
No, but you were quoting it as evidence against Linux; yes? And there
is only one Linux - it is the kernel, and the development of it is
something that is open to anyone; all you have to do is say what you
want to have a *bash* at trying (pardon the pun). There's always room
for someone new to take on a portion of the development projects. And
the release of new kernels is strictly controlled - though there is
absolutely nothing to stop you rewriting the thing if you wanted to,
provided you accept that you won't own it! What you're getting at is
the wide variety of *distributions* that use the Linux kernel(s) - not
the same thing, sorry. And you'll get more cohesion of effort from the
the hundred plus (and counting) distributors of Linux varieties than MS
show to the rest of the non MS world - or even from within the MS
product family itself at times.
> >I think you have mixed up CDE with KDE. Not quite the same. No, not
> >quite.
> Nope, I didnt write the article, just provided the link.
>
> > And errors in Linux aren't hidden nor are they "undocumented
> > features";
> Cant argue with that especially after reading this...
> http://news.cnet.com/news/0-1003-200-8007615.html?tag=lh
>
> MS have patches available for known problems, just go onto the website
> and search. The good thing is that it is software from a single company
> unlike the multiple Linux vendors approach.
Hmmn. I totally disagree with you on that point as I think that variety
tends to produce better products, and that the smaller a company is the
better the customer interface/response.
I've nothing against MS, I like MS Office.
>
> And finally if Linux is such as good OS why bother using MS products
> re: X-Newsreader: Microsoft Outlook Express 6.00.2600.0000 - another
> genuine question.
I have several machines, and like most people I'm lazy. :-) Work is a
Microsoft shop, so I have to do work at home using Microsoft too.
Shortly, I'll be putting VMWare on my SuSE box and laptop and then I'll
be able to use MS inside my Linux box - so I won't have to change
machines nor reboot (I triple boot on my main machine: Win98, Win2K and
SuSE 7.3).
Normally I just use SuSE: mail using KMail; KNode for my news, via
Leafnode (a news server of your own). When I get around to it I'll also
download StarOffice 6 (beta) and then I won't need MS running through
VMWare at all except for when I need Access. And I'm learning MySQL, so
Access, for home use, will be a memory in about 6 months time except for
my lesson prep. I normally use Abiword as a WP, no unnecessary frills;
I like StarOffice for spreadsheets, graphics and anything else.
And besides, if Linux was no good and had no future, why are IBM
spending 5 Billion dollars over 5 years to assist in developing it.
>
> What does `p stand for or is it a "undocumented features"
Now, now, now. That's personal. The answer's on deja, somewhere. Like
I said, all the documentation is there, *you* just have to look for it.
:-)
Try it, you might like the flexibility, total control and customisation
of Linux and the plethora of free software that can do everything that
MS does at a much better price - bar a neat interface like Access to
(minor) RDBMS. And once you've got the hang of just a few of the free
network tools that are standard to Linux too, you'll never want to go
back, except for the need to maintain backwards compatibility. LOL.
--
`p
You probably find that replying to the emails will not work
because the virus adds the character "_" to the email address.
The attachments have various names which include README,
HAMSTER, SETUP, me_nude, Sorry_about_yesterday, Humor, etc.
The attachment names usually have two file extensions such as
.doc.scr or .MP3.pif
Just make sure that the software you use to read emails is not
set to open attachments automatically.
--
greebs
The problem with this Badtrans virus, Steve, is that some of the
emails may well be from people you *do* know. I have received
about 30 this week and I recognise many of the names as people
who have emailed me in the past via my web sites. Most of them
have blank subject lines. (I don't use OE but I think it inserts
a "re:" in front of the blank!)
The best rule, as I am sure most readers of this group know, is
not to open any attachments unless you are expecting someone to
send you one. If in doubt, email the sender and ask them if they
have just sent you a file. In the case of this latest virus, the
attachments have double file extensions, the last part being .pif
or .scr which at least makes them easier to spot. The sender's
email address usually has "_" added making it harder to reply to
the sender.
--
greebs
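greebs' two posts above and the Symantec write-up quoted earlier in the thread describe the same three indicators: a double file extension ending in .pif or .scr, a sender address with "_" prepended, and a bare "Re:" subject. As an added example, not from any poster in the thread, the Python below turns those indicators into a mail-gateway check and runs it over two constructed sample messages. The addresses, filenames and function names are assumptions for illustration; the extension lists come from the write-up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Extensions the Symantec write-up lists: the worm appends one of the first
# set and then one of the second, giving names like CARD.Doc.pif.
FIRST_EXTS = {".doc", ".mp3", ".zip"}
LAST_EXTS = {".pif", ".scr"}


def split_extensions(filename):
    """Return (first_ext, last_ext) lowercased. first_ext is None when the
    name carries a single extension; both are None when it has none."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3:
        return "." + parts[1], "." + parts[2]
    if len(parts) == 2:
        return None, "." + parts[1]
    return None, None


def assess_attachment(filename):
    """Apply both rules from the write-up: a corporate filter blocks any
    .pif/.scr attachment; the double-extension form is the worm's signature."""
    first, last = split_extensions(filename)
    if last not in LAST_EXTS:
        return "allow"
    if first in FIRST_EXTS:
        return "block: Badtrans-style double extension"
    return "block: .pif/.scr attachment"


def assess_message(raw):
    """Inspect one RFC 822 message and report the indicators it shows."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local_part = addr.split("@", 1)[0]
    attachments = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments[name] = assess_attachment(name)
    blocked = any(v.startswith("block") for v in attachments.values())
    return {
        # greebs: the worm prepends "_" to the sender's address
        "sender_underscore": local_part.startswith("_"),
        # Symantec: replies to unread mail carry a subject of just "Re:"
        "bare_re_subject": (msg.get("Subject") or "").strip() == "Re:",
        "attachments": attachments,
        "verdict": "quarantine" if blocked else "deliver",
    }


# Constructed sample: shaped like the worm's mail, with a blank body.
SAMPLE_WORM_MAIL = """\
From: "Mary L. Adams" <_mary@example.invalid>
To: victim@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

--BOUND
Content-Type: application/octet-stream; name="CARD.Doc.pif"
Content-Disposition: attachment; filename="CARD.Doc.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUND--
"""

# Constructed sample: an ordinary message with a document attached.
SAMPLE_CLEAN_MAIL = """\
From: "Liz" <liz@example.invalid>
To: helpdesk@example.invalid
Subject: Re: enquiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Report attached, as discussed.
--BOUND
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"

(document bytes omitted)
--BOUND--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WORM_MAIL, SAMPLE_CLEAN_MAIL):
        print(assess_message(raw))
```

The verdict key alone decides delivery, so the "_" and "Re:" indicators are reported but not used to block on their own: a genuine sender can have an underscore-prefixed address, and a bare "Re:" subject is unusual but not malicious, whereas a .pif or .scr attachment has no business arriving by mail.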
I got it about a week ago, unwittingly it infected my system, I must have
been half asleep with my a/v software switched off! ;-) I was rushing
frantically through the registry trying to eradicate it, worked in the end
though.
I should really make use of my SuSE partition! ;-)
--
Regards,
Stephen Lears
ma...@slears.co.uk
www.slears.co.uk
"Whenever you find yourself on the side of the majority, it's time to pause
and reflect"
"Di Hillage" <dhil...@argonet.co.uk> wrote in message
news:na.60adea4ae0....@argonet.co.uk...
>
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.303 / Virus Database: 164 - Release Date: 24/11/2001
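Stephen Lears describes hunting through the registry by hand; the Symantec write-up quoted earlier in the thread names the one value the worm leaves there, Kernel32 = kernel32.exe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. As an added example, not from any poster, the Python below parses a regedit export of that key (so it runs offline, on any platform) and flags the worm's entry plus any RunOnce value that names a bare file without a path. The sample export and the helper names are constructed for illustration; the key path and value come from the write-up.

```python
import re
import ntpath

RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed regedit export (REGEDIT4 header is what Windows 9x writes;
# Windows 2000 writes "Windows Registry Editor Version 5.00" instead).
# Backslashes inside value data are doubled, as regedit itself writes them.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"
"CleanupTask"="C:\\WINDOWS\\TEMP\\cleanup.exe /quiet"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo regedit's escaping of backslashes and double quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for string values."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            entries[key][unescape(m.group(1))] = data
    return entries


def executable_of(command):
    """First token of a command line, honouring a quoted path with spaces."""
    m = re.match(r'"([^"]*)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def audit_runonce(entries):
    """Return (value_name, data, reason) for each suspicious RunOnce entry."""
    findings = []
    for name, data in entries.get(RUNONCE, {}).items():
        exe = executable_of(data)
        if ntpath.basename(exe).lower() == "kernel32.exe":
            # The genuine kernel32 is a DLL; an EXE of that name is the
            # file the write-up says the worm drops and registers.
            findings.append((name, data, "W32.Badtrans.B@mm indicator"))
        elif not ntpath.dirname(exe):
            findings.append((name, data, "review: bare filename, resolved via search path"))
    return findings


if __name__ == "__main__":
    for finding in audit_runonce(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

RunOnce is cleared by Windows after the entry runs, so an export taken after a normal reboot may already be empty; that is why the write-up has NT/2000 users rename kernel32.exe and remove the value before rebooting. Taking the export from Safe Mode, as the 9x instructions do, catches the value while it is still present.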
Linux is supposed to be virus proof, but I am convinced that there are a
couple lying around out there somewhere!
--
Regards,
Stephen Lears
ma...@slears.co.uk
www.slears.co.uk
"Whenever you find yourself on the side of the majority, it's time to pause
and reflect"
"Datum Software" <ke...@datumsoftware.co.uk> wrote in message
news:9u3ois$9av$1...@news.chatlink.com...
> MS have patches available for known problems, just go onto the website and
> search. The good thing is that it is software from a single company unlike
> the multiple Linux vendors approach.
And that is a good thing? 1 single company who are not too keen to let their
tips of the trade slip very easily. I would have thought that the more
people producing similar software would be an advantage? Guess not huh ;-)
> And finally if Linux is such as good OS why bother using MS products re:
> X-Newsreader: Microsoft Outlook Express 6.00.2600.0000 - another genuine
> question.
Maybe a dual boot system? Maybe it wasn't his PC he was posting from?
--
Regards,
Stephen Lears
ma...@slears.co.uk
www.slears.co.uk
"Whenever you find yourself on the side of the majority, it's time to pause
and reflect"
Pah!
Dual booting! I gave that up years ago. That's tooooooo easy. ;-)