  mpeg files/attachments
From: "Julius Boos" <ju-bo at email.msn.com> on 2001.11.27 at 13:01:18(7852)
Dear Friends,

In the last two days I have been receiving seemingly blank letters BUT with
an attached mpeg file off this list AND the other bulbous aroid list. My
comp. can and will not open these files. I have written to two of the
'senders' asking what is in the files but neither has responded as yet. I
SUSPECT it may be some sort of 'spam' from their web provider, but my
concern is that it may be a 'worm' or virus. Any ideas from anyone on


From: Steve Marak <samarak at arachne.uark.edu> on 2001.11.27 at 15:33:08(7853)
On Tue, 27 Nov 2001, Julius Boos wrote:

> In the last two days I have been receiving seemingly blank letters BUT with
> an attached mpeg file off this list AND the other bulbous aroid list. My
> concern is that it may be a 'worm' or virus. Any ideas from anyone on


This topic is eating up lots of bandwidth on many lists right now, so I
thought I'd post Julius' message and respond immediately to it.

Yes, this is a virus. Don't open any of the attachments - they aren't what
they claim to be. I got several copies of it yesterday, from various
sources. I don't allow my systems to be infected, and I no longer deal
with vira professionally, so I followed my usual practice of saving a
specimen in my virus zoo, deleting the offending e-mail, and ignoring the
whole thing. But it seems prudent to let a warning out and see if we can
maximize information in a minimal number of posts - many of you will
already be tired of hearing about this.

The current virus du jour, W95/Badtrans.B@MM, alias W32/Badtrans@MM,
probably alias several other things, is spreading widely. It spreads as an
attachment in e-mail that appears to be an audio or image file, but of
course isn't. It's Windows based, and exploits a known (patch available)
flaw in older versions of Outlook and Outlook Express, or of course you
can be infected if you purposely open the attachment.

If you are infected, it will prowl through your address book sending
itself to others using a variety of names and subject lines ... some of
them real subject lines taken from messages in your e-mail folders. It
also drops a keystroke logger into your system.

It is a new variant of another virus, so you will need to check with your
antivirus vendor and make sure you have the correct pattern file(s). It
can be deleted manually but is a bit of a pain especially if you aren't
comfortable with Microsoft arcana like regedit.

For full details, go to your favorite antivirus website and look for
"Badtrans". Here are a couple of direct links:


Despite the fact that I don't run any antivirus software myself, I
recommend to everyone that they should. Pick any of the top echelon
products with which you are comfortable, and which don't conflict with
other software on your system.

However, making sure you have the latest security patches on your e-mail
program and a healthy paranoia toward unexpected or unusual e-mail
attachments will do more to keep you from being a virus du jour victim
than all the virus scanners there are. They can only detect what they know
how to recognize - even if you are very good at playing the
update-the-pattern-file game, a really new virus or major modification of
an old one will probably go right past your antivirus software. Do run
some antivirus software, just don't neglect the software updates and

There are several versions of Microsoft Outlook and Outlook Express, so I
won't try to give pointers to the updates for all of them.

I see several posts have arrived while I was keying this. If they are
related to this virus, and contain only basically information I've already
included here, I won't post them (unless everybody just wants to see

Wishing everyone a virus free day,


From: SelbyHort at aol.com on 2001.11.28 at 20:36:01(7854)
In response to Steve Marak's message about the BadTrans virus:

I did get a message today that looked like it might have been this virus. Of
course, I did not open the attachment. I did not even read the message since
the email address had an underscore for the first character. I just deleted
the thing as soon as it popped into my box. I did get the following
information from the moderator of another list I subscribe to. He posted the
details below:

From: Steve Marak <samarak at arachne.uark.edu> on 2001.11.28 at 22:37:00(7855)
On Wed, 28 Nov 2001 SelbyHort@aol.com wrote:

> In response to Steve Marak's message about the BadTrans virus:
> Would our listserve not even recognize any address with an underscore as
> being a subscriber? If so, the message would not be processed and distributed
> to the list. Is this correct, Steve?

The short answer is you are correct, at least in this instance. That
glosses over a lot, so read on only if you care for more detail.

Aroid-L is a "closed" list - you have to belong to post - so messages
from any address not in the list of subscribers will be rejected, whether
the address is valid or not.

This virus is altering real e-mail addresses into ones that are (probably)
not real, and certainly aren't in our subscriber list, so it won't have
much luck posting to Aroid-L even if Don and I failed to shoot it down.

As to whether these addresses (with the leading underscore) are invalid
... well, that's a whole other can of worms. Strangely, last year at this
time I was trying to mediate between pro- and anti- Microsoft factions on
almost exactly this issue. If someone did manage to subscribe an address
like this to the list, it would certainly accept anything they posted.
(Don or I would probably zap it, though. For that matter, we'd probably
zap the address as soon as we noticed it, too.)

We don't know of any way to strip attachments from Aroid-L, leaving the
text - if we did, we'd block all those HTML attachments that show up. We
must either accept or reject the whole message. And the list processor
will forward any type of attachment, whether it recognizes it or not.

However, we don't let any kind of attachments other than those HTML
duplicate messages go out on Aroid-L (really, we only allow those because
it's so hard to turn off that feature in some mailers that a lot of people
wouldn't be able to post). One reason is just this - it drastically
reduces the chance we'll contribute to the spread of a virus through
Aroid-L, and doesn't put Don and me in the error-prone position of trying
to separate the sheep from the goats. We have seen virused attachments
show up in posts to Aroid-L, from legitimate subscribers, and had we
not killed the posts the virus would have been forwarded to everyone.

Another is that most attachments (again, other than the HTML duplicate
messages) show up in "encoded" form, meaning they take up more room than
plain text, and many - audio, video, and image for instance - tend to be
way larger than even a very long note. For people who do not have mailers
that automatically handle these attachments or don't have high-speed
internet access (and there are more of them than most people realize), it
can multiply their connect time, and maybe cost, to download mail several
times. It can also overflow people's mail storage quickly, especially if
they can't check mail every day - we see lots of bounce messages from
that. (Posting images on a web site is a more efficient option anyway,
from the network perspective.)

Several other lists I'm on have turned on features that strip out
attachments since this last virus scare started. A good idea - except for
the poor image list moderators, who just have to take their lumps - but in
this case all the copies of the virus I got came not from lists but
directly from individuals, referencing a note I had sent to some list to
which they were subscribed.
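
The accept-or-reject policy described in the message above (closed list, whole-message decision, only plain text and the HTML duplicate let through), sketched as an added example that is not part of the thread or of the Aroid-L list software. The subscriber address, function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical subscriber list and allowed types (assumptions, not list config).
SUBSCRIBERS = {"grower@example.org"}
ALLOWED_TYPES = {"text/plain", "text/html"}  # text plus the HTML duplicate

def moderate(raw, subscribers=SUBSCRIBERS):
    """Return (decision, reason). The message is accepted or rejected whole."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Closed list: an altered address (e.g. a leading underscore) is not a member.
    if sender not in subscribers:
        return ("reject", "sender not subscribed: " + (sender or "<none>"))
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # Any named file, or any non-text part, counts as an attachment.
        if part.get_filename() or ctype not in ALLOWED_TYPES:
            label = part.get_filename() or ctype
            return ("reject", "attachment not allowed: " + label)
    return ("accept", "text only")

# Constructed sample parts: an HTML duplicate and a file claiming to be video.
HTML = "--B\nContent-Type: text/html\n\n<p>See below.</p>\n"
ATTACH = (
    "--B\n"
    'Content-Type: video/mpeg; name="clip.mpg"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="clip.mpg"\n'
    "\n"
    "AAAA\n"
)

def build(sender, extra_part=""):
    """Assemble a constructed multipart message for the checks below."""
    return (
        f"From: {sender}\n"
        "To: list@example.org\n"
        "Subject: Re: seedlings\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="B"\n'
        "\n"
        "--B\nContent-Type: text/plain\n\nSee below.\n"
        + extra_part + "--B--\n"
    )

if __name__ == "__main__":
    for raw in (build("grower@example.org", HTML),
                build("grower@example.org", ATTACH),
                build("_grower@example.org")):
        print(moderate(raw))
```

The check looks only at the declared type and filename, so it blocks attachments by policy rather than by recognizing any particular virus.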


