AFRO-NETS> VIRUS ALERT! - W32.Badtrans.B@mm
- Subject: AFRO-NETS> VIRUS ALERT! - W32.Badtrans.B@mm
- From: Brian Pazvakavambwa <pazvakavambwab@who.ch>
- Date: Fri, 30 Nov 2001 05:20:54 -0500 (EST)
VIRUS ALERT! - W32.Badtrans.B@mm
----------------------------------
Colleagues,
This worm has infected some computers on this network. Our antivirus
firewall picked infected messages from the following e-mail addresses:
gwwaring@worldnet.att.net
jihs@telecom.net.et
schwarz.herznach@pop.agri.ch
Below is an abridged version of the information on the virus and
how to remove it from your computer if you are infected. The full
details are found on the Symantec Security Response web-page at:
http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
Regards,
Dr. Brian Pazvakavambwa
World Health Organization
mailto:pazvakavambwab@who.int
http://www.bpazva.8m.com
--
W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 29, 2001 at 05:04:14 PM PST
Type: Worm
Infection Length: 29,020 bytes
Virus Definitions: November 24, 2001
Technical description:
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions. The first will be one of the
following:
.doc
.mp3
.zip
The second extension that is appended to the file name is one of the
following:
.pif
.scr
The resulting file name would look similar to CARD.Doc.pif or
NEWS_DOC.mp3.scr.
If SMTP information can be found on the computer, then it will be
used for the From: field. Otherwise, the From: field will be one of
these:
"Mary L. Adams" <mary@c-com.net>
"Monika Prado" <monika@telia.com>
"Support" <support@cyberramp.net>
" Admin" <admin@gte.net>
" Administrator" <administrator@border.net>
"JESSICA BENAVIDES" <jessica@aol.com>
"Joanna" <joanna@mail.utexas.edu>
"Mon S" <spiderroll@hotmail.com>
"Linda" <lgonzal@hotmail.com>
" Andy" <andy@hweb-media.com>
"Kelly Andersen" <Gravity49@aol.com>
"Tina" <tina0828@yahoo.com>
"Rita Tulliani" <powerpuff@videotron.ca>
"JUDY" <JUJUB271@AOL.COM>
" Anna" <aizzo@home.com>
The worm writes email addresses to the %System%\Protocol.dll file to
prevent multiple emails to the same person. Additionally, the
sender's email address will have the "_" character prepended to it,
to prevent replying to infected mails to warn the sender (eg
user@website.com becomes _user@website.com).
Removal instructions:
The preferred way to remove this worm is to use the W32.Badtrans.B@mm
Removal Tool.
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.removal.tool.html
If you are not able to obtain it for any reason, you must remove the
worm manually.
Manual removal
To remove this worm manually, you must first remove the worm files
and then reverse the change that it made to the registry.
Remove the worm's files
Follow the instructions for your version of Windows.
Windows 95/98/Me/2000/XP
Because the worm file may be in use, you must, in most cases, restart
in Safe mode before Norton AntiVirus can delete it.
CAUTION: For Windows Me users only. If you are using Windows Me, you
should follow the instructions in the section System Restore option
in Windows Me that is located at the end of this document before you
begin the removal procedure.
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Restart the computer in Safe Mode. For instructions on how to do
this, read the document for your operating system:
How to restart Windows 9x or Windows Me in Safe Mode.
How to start Windows 2000 in Safe mode.
How to start Windows XP in Safe Mode.
3. Start Norton AntiVirus (NAV), and make sure that NAV is
configured to scan all files. For instructions on how to do
this, read the document How to configure Norton AntiVirus to
scan all files.
4. Run a full system scan.
5. Write down the names of any files that are detected as
W32.Badtrans.B@mm, and then delete them.
6. When the scan is finished, go on to the section Edit the registry.
Windows NT
Because the worm file may be in use, you must, in most cases,
End Process on it before Norton AntiVirus can delete it.
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Press Ctrl+Alt+Delete one time.
3. Click Task Manager.
4. Click the Processes tab.
5. Click the "Image Name" column header two times to sort the
processes alphabetically.
6. Scroll through the list and look for kernel32.exe. If you find
the file, click it and then click End Process.
7. Close the Task Manager.
8. Start Norton AntiVirus (NAV), and make sure that NAV is
configured to scan all files. For instructions on how to do
this, read the document How to configure Norton AntiVirus to
scan all files.
9. Run a full system scan.
10. Write down the names of any files that are detected as
W32.Badtrans.B@mm, and then delete them.
11. When the scan is finished, go on to the section Edit the
registry.
Edit the registry:
CAUTION: We strongly recommend that you back up the system registry
before you make any changes. Incorrect changes to the registry could
result in permanent data loss or corrupted files. Please make sure
that you modify only the keys that are specified. Please see the
document How to back up the Windows registry before you proceed. This
document is available from the Symantec Fax-on-Demand system. In the
U.S. and Canada, call (541) 984-2490, select option 2, and then request
document 927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
4. In the right pane, delete the following value:
Kernel32 kernel32.exe
CAUTION: The reference to Kernel32 is the most common value that is
added by the worm, but it is not the only one possible. In some
cases, it may not be there. In addition to looking for and deleting
this value if found, you must also look for values that refer to any
file names that were detected as infected by this worm when you ran
the full system scan. All such values must be deleted.
5. Click Registry, and then click Exit.
6. Restart the computer.
7. To make sure that all files have been removed, start Norton
AntiVirus and run another full system scan.
Additional information:
Prevention
Corporate email filtering systems should block all email that have
attachments with the extensions .scr and .pif.
Home users should not open any email that has an attachment in which
the second extension is .pif or .scr. Any email that has such an
attachment should be deleted.
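As an added example, not part of the original alert or of Symantec's own tooling, the following Python filter applies the two indicators the advisory gives, the .doc/.mp3/.zip plus .pif/.scr double extension and the spoofed or underscore-prefixed From: address, to a constructed sample message; the sample-message builder and the recipient address are assumptions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment naming described in the advisory: <name>.<doc|mp3|zip>.<pif|scr>
FIRST_EXT = {"doc", "mp3", "zip"}
SECOND_EXT = {"pif", "scr"}
# The spoofed From: addresses the advisory lists (compared case-insensitively)
SPOOFED_SENDERS = {
    "mary@c-com.net", "monika@telia.com", "support@cyberramp.net",
    "admin@gte.net", "administrator@border.net", "jessica@aol.com",
    "joanna@mail.utexas.edu", "spiderroll@hotmail.com", "lgonzal@hotmail.com",
    "andy@hweb-media.com", "gravity49@aol.com", "tina0828@yahoo.com",
    "powerpuff@videotron.ca", "jujub271@aol.com", "aizzo@home.com",
}

def attachment_matches(filename):
    """True when the name ends in the worm's double extension, e.g. CARD.Doc.pif."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in FIRST_EXT and parts[2] in SECOND_EXT

def sender_indicators(from_header):
    """Reasons the From: header matches the advisory: spoofed list or '_' prefix."""
    addr = parseaddr(from_header)[1].lower()
    reasons = []
    if addr in SPOOFED_SENDERS:
        reasons.append("From: is one of the addresses the worm spoofs")
    if addr.startswith("_"):
        reasons.append("From: local part starts with '_' (the reply-blocking trick)")
    return reasons

def scan_message(raw_bytes):
    """Return the reasons to quarantine a raw RFC 822 message; empty means no match."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = sender_indicators(msg.get("From", ""))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_matches(name):
            reasons.append(f"attachment {name!r} carries a worm-style double extension")
    return reasons

def build_sample(from_header, attachment_name):
    """Constructed sample message for the demo, not a captured worm e-mail (assumption)."""
    m = EmailMessage()
    m["From"] = from_header
    m.set_content("See attached.")
    m.add_attachment(b"\x00placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

Running `scan_message(build_sample('"Tina" <tina0828@yahoo.com>', "CARD.Doc.pif"))` returns two reasons; a plain message with a single-extension .doc returns none.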
System Restore option in Windows Me
One of the new features of Windows Me is System Restore. This feature,
which is enabled by default, is used by Windows to restore
files on your computer in case they become damaged. Windows Me keeps
the restore information in the _RESTORE folder.
A _RESTORE folder is created on each hard drive on the computer;
these folders are updated when the computer restarts.
If the computer is infected with W32.Badtrans.B@mm, then it is possible
that the worm could be backed up in the _RESTORE folder. By default,
Windows prevents System Restore from being modified by outside
programs. Because of this, any repair attempts made by the removal
tool will fail. To work around this, you must disable System Restore
and restart the computer. This will purge the contents of the
_RESTORE folder. You must then run the removal tool again.
To disable System Restore:
Follow the steps listed below the following figure. Use the numbers
in the figure for reference.
1. Close all open programs. Then, right-click My Computer on the
Windows desktop.
2. Click Properties.
3. Click the Performance tab.
4. Click File System.
5. Click the Troubleshooting tab.
6. Check Disable System Restore.
7. Click OK.
8. Click OK.
9. Click Yes to restart. This disables the System Restore feature
and will purge the contents of the _RESTORE folder when the system
is restarted.
NOTE: After following all of the removal instructions, repeat steps 1
through 9, except in step 6, uncheck Disable System Restore.
--
To send a message to AFRO-NETS, write to: afro-nets@usa.healthnet.org
To subscribe or unsubscribe, write to: majordomo@usa.healthnet.org
in the body of the message type: subscribe afro-nets OR unsubscribe afro-nets
To contact a person, send a message to: owner-afro-nets@usa.healthnet.org
Information and archives: http://www.afronets.org