mpeg files/attachments

From: "Julius Boos" ju-bo at email.msn.com> on 2001.11.27 at 21:01:18(7852) Dear Friends, In the last two days I have been receiving seemingly blank letters BUT with an attached mpeg file off this list AND the other bulbous aroid list. My comp. can and will not open these files. I have written to two of the 'senders' asking what is in the files but neither has responded as yet. I SUSPECT it may be some sort of 'spam' from their web provider, but my concern is that it may be a 'worm' or virus. Any ideas from anyone on this?? Julius

From: Steve Marak samarak at arachne.uark.edu> on 2001.11.27 at 23:33:08(7853) On Tue, 27 Nov 2001, Julius Boos wrote: > In the last two days I have been receiving seemingly blank letters BUT with > an attached mpeg file off this list AND the other bulbous aroid list. My .. > concern is that it may be a 'worm' or virus. Any ideas from anyone on Aroiders, This topic is eating up lots of bandwidth on many lists right now, so I thought I'd post Julius' message and respond immediately to it. Yes, this is a virus. Don't open any of the attachments - they aren't what they claim to be. I got several copies of it yesterday, from various sources. I don't allow my systems to be infected, and I no longer deal with vira professionally, so I followed my usual practice of saving a specimen in my virus zoo, deleting the offending e-mail, and ignoring the whole thing. But it seems prudent to let a warning out and see if we can maximize information in a minimal number of posts - many of you will already be tired of hearing about this. The current virus du jour, W95/Badtrans.B@MM, alias W32/Badtrans@MM, probably alias several other things, is spreading widely. It spreads as an attachment in e-mail that appears to be an audio or image file, but of course isn't. It's Windows based, and exploits a known (patch available) flaw in older versions of Outlook and Outlook Express, or of course you can be infected if you purposely open the attachment. If you are infected, it will prowl through your address book sending itself to others using a variety of names and subject lines ... some of them real subject lines taken from messages in your e-mail folders. It also drops a keystroke logger into your system. It is a new variant of another virus, so you will need to check with your antivirus vendor and make sure you have the correct pattern file(s). It can be deleted manually but is a bit of a pain especially if you aren't comfortable with Microsoft arcana like regedit. For full details, go to your favorite antivirus website and look for "Badtrans". Here are a couple of direct links: http://www.f-prot.com/f-prot/virusinfo/badtrb.html http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html http://vil.mcafee.com/dispVirus.asp?virus_k™069& Despite the fact that I don't run any antivirus software myself, I recommend to everyone that they should. Pick any of the top echelon products with which you are comfortable, and which don't conflict with other software on your system. However, making sure you have the latest security patches on your e-mail program and a healthy paranoia toward unexpected or unusual e-mail attachments will do more to keep you from being a virus du jour victim than all the virus scanners there are. They can only detect what they know how to recognize - even if you are very good at playing the update-the-pattern-file game, a really new virus or major modification of an old one will probably go right past your antivirus software. Do run some antivirus software, just don't neglect the software updates and paranoia. There are several versions of Microsoft Outlook and Outlook Express, so I won't try to give pointers to the updates for all of them. I see several posts have arrived while I was keying this. If they are related to this virus, and contain only basically information I've already included here, I won't post them (unless everybody just wants to see them). Wishing everyone a virus free day, Steve +More -- Steve Marak -- samarak@arachne.uark.edu

From: SelbyHort at aol.com on 2001.11.29 at 04:36:01(7854) In response to Steve Marak's message about the BadTrans virus: I did get a message today that looked like it might have been this virus. Of course, I did not open the attachment. I did not even read the message since the email address had an underscore for the first character. I just deleted the thing as soon as it popped into my box. I did get the following information from the moderator of another list I subscribe to. He posted the details below: +More an E-mail address proceeded by an underscore. For example: _telewski@cpp.msu.edu as opposed to: telewski@cpp.msu.edu These files contain an audio file which contains the W32badtrans.B@mm virus.> Would our listserve not even recognize any address with an underscore as being a subscriber? Is so, the message would not be processed and distributed to the list. Is this correct, Steve? Donna Atwood

From: Steve Marak samarak at arachne.uark.edu> on 2001.11.29 at 06:37:00(7855) On Wed, 28 Nov 2001 SelbyHort@aol.com wrote: > In response to Steve Marak's message about the BadTrans virus: .. > Would our listserve not even recognize any address with an underscore as > being a subscriber? Is so, the message would not be processed and distributed > to the list. Is this correct, Steve? The short answer is you are correct, at least in this instance. That glosses over a lot, so read on only if you care for more detail. Aroid-L is a "closed" list - you have to belong to post - so messages from any address not in the list of subscibers will be rejected, whether the address is valid or not. This virus is altering real e-mail addresses into ones that are (probably) not real, and certainly aren't in our subscriber list, so it won't have much luck posting to Aroid-L even if Don and I failed to shoot it down. As to whether these addresses (with the leading underscore) are invalid .. well, that's a whole other can of worms. Strangely, last year at this time I was trying to mediate between pro- and anti- Microsoft factions on almost exactly this issue. If someone did manage to subscribe an address like this to the list, it would certainly accept anything they posted. (Don or I would probably zap it, though. For that matter, we'd probably zap the address as soon as we noticed it, too.) We don't know of any way to strip attachments from Aroid-L, leaving the text - if we did, we'd block all those HTML attachments that show up. We must either accept or reject the whole message. And the list processor will forward any type of attachment, whether it recognizes it or not. However, we don't let any kind of attachments other than those HTML duplicate messages go out on Aroid-L (really, we only allow those because it's so hard to turn off that feature in some mailers that a lot of people wouldn't be able to post). One reason is just this - it drastically reduces the chance we'll contribute to the spread of a virus through Aroid-L, and doesn't put Don and I in the error-prone position of trying to separate the sheep from the goats. We have seen virused attachments show up in posts to Aroid-L, from legitimate subscribers, and had we not killed the posts the virus would have been forwarded to everyone. Another is that most attachments (again, other than the HTML duplicate messages) show up in "encoded" form, meaning they take up more room than plain text, and many - audio, video, and image for instance - tend to be way larger than even a very long note. For people who do not have mailers that automatically handle these attachments or don't have high-speed internet access (and there are more of them than most people realize), it can multiply their connect time, and maybe cost, to download mail several times. It can also overflow people's mail storage quickly, especially if they can't check mail every day - we see lots of bounce messages from that. (Posting images on a web site is a more efficient option anyway, from the network perspective.) Several other lists I'm on have turned on features that strip out attachments since this last virus scare started. A good idea - except for the poor image list moderators, who just have to take their lumps - but in this case all the copies of the virus I got came not from lists but directly from individuals, referencing a note I had sent to some list to which they were subscribed. Steve +More -- Steve Marak -- samarak@arachne.uark.edu

Note: this is a very old post, so no reply function is available.