Serious Virus Warning - David W
I don't usually jump up and down over virus warnings but it has just taken me 3hrs to get rid of one that slipped by Norton last night.

It was the W32BADTRANS.B@mm virus. This version was only logged by Symantec on Saturday (24th) so unless you have updated in the last two days it will not be covered.

The virus loads files into the Windows System folders and adds a Registry entry to ensure they are running all the while so you can't delete them easily.

The "payload" is that the virus loads a program that can send information from your PC to the IP address that sent it to you; I gather it can transmit such things as all keystrokes you make on the PC and passwords etc.

It was only my Firewall that prevented this information (I hope) being sent from our PC. I have the IP No. that it was attempting to connect to and will investigate.

Symantec appeared to say this should be an easy virus to remove manually but it was clinging onto our PC and has wasted a whole morning in cleaning it.

Seems somewhat topical given HJ's comments a few threads down.

David
Re: Serious Virus Warning - Dan J
A very good online virus checker and remover can be found at:

housecall.antivirus.com/

for those without virus checker/the latest virus definitions...

Dan J
Re: Serious Virus Warning - ChrisR
David

Thanks for the warning. How is the virus transmitted? And could you give a brief list of the affected files?

Thanks
Chris
Re: Serious Virus Warning - David W
Chris,

I think it came in on an e-mail with no subject and apparently no content, the virus attachment was also hidden.

As far as it affected me the files it created were kdll.dll and KERNEL32.EXE, both of these located in C:\Windows\System. Also there was the registry key it created to make the .EXE file run all the time (to stop you easily deleting it/them).

It made our system a little slow and unstable but the main issue is with the ability of the virus to send back critical data from your PC to the virus sender.

I'm not an expert on such matters but have a search round the anti virus sites and you'll see the full detail.

David
Re: Serious Virus Warning - ChrisR
Thanks David. I'll check with the antivirus sites. I tend to be fairly safe from these things because I don't use a Microsoft mailer, but it's not 100% safe by any means. Frightening to think that passwords and credit card numbers could be flowing freely to some scumbag's website.

Cheers
Chris
Re: Serious Virus Warning - markymarkn
Errr, you kinda need kernel32.exe so don't just go deleting it, everyone!
Re: Serious Virus Warning - ChrisR
Good advice on Kernel32. Keep a copy of the original somewhere safe.

Chris
Re: Serious Virus Warning - ladas are cool
I have deleted mine, oops :-(
Re: Serious Virus Warning - markymarkn
Did anyone hear about that Welsh kid who had about 20,000 credit card numbers on his website?

He posted Bill Gates a present to his house that he'd bought with Bill Gates' credit card!

I think he's banned from using a PC for about 10 years or something. Can't remember exactly what happened to the lad.
Re: Serious Virus Warning - ladas are cool
I think he sent some Viagra to Bill Gates.
Re: Serious Virus Warning - Dan J
Hope this is of help to anyone who needs it: Copied and pasted from www.antivirus.com

If you get infected, follow the solution through to *** and then see my previous thread and use their

Info below

This memory-resident Internet worm is a variant of WORM_BADTRANS.A. It propagates via MAPI32, has a Key Logger component, and arrives with randomly selected double extension filenames.

It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients (Microsoft Outlook and Microsoft Outlook Express) to automatically execute the file attachment. This is also known as Automatic Execution of Embedded MIME type.

Solution:

1. Delete the %System%\CP_25389.NLS file.
2. Click Start > Run, type Regedit, then hit the Enter key.
3. Double click the following:
   HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > RunOnce
4. In the right panel, look for the following registry value:
   kernel32
5. Click the registry value and then Delete it.
6. Restart your system.

*** Scan your system with Trend Micro antivirus and delete all files detected as WORM_BADTRANS.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
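Added editorial example, not part of Dan J's post or of Trend Micro's instructions: a read-only PowerShell check for the indicators the thread names (the dropped CP_25389.NLS, kdll.dll and KERNEL32.EXE files, the legitimate KERNEL32.DLL that must stay, and the RunOnce value "kernel32"). It reports and deletes nothing; removal stays the manual steps above or an up-to-date scanner. The function, its name and the assumption that %System% is $env:SystemRoot\System32 on a current Windows (the thread's machines were Windows 98, where it was C:\Windows\System) are mine.

```powershell
# Added example (not from the thread): report the BadTrans.B indicators named above.
# Read-only: nothing is deleted or modified.
function Get-BadTransIndicator {
    param(
        # Assumption: on current Windows the %System% folder of the instructions is
        # System32. On Windows 9x it was C:\Windows\System; pass -SystemDir for that.
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
    )

    $findings = @()

    # Files the thread says the worm drops. Their presence is the finding.
    foreach ($name in 'CP_25389.NLS', 'kdll.dll', 'KERNEL32.EXE') {
        $path = Join-Path $SystemDir $name
        $findings += [pscustomobject]@{
            Indicator = "file $path"
            Present   = Test-Path -LiteralPath $path
            Meaning   = 'dropped by BadTrans.B; suspicious if present'
        }
    }

    # The legitimate library, listed so nobody confuses it with the worm's .EXE.
    $dll = Join-Path $SystemDir 'KERNEL32.DLL'
    $findings += [pscustomobject]@{
        Indicator = "file $dll"
        Present   = Test-Path -LiteralPath $dll
        Meaning   = 'legitimate Windows library; must remain'
    }

    # The RunOnce value the removal steps say to delete.
    $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $value = Get-ItemProperty -Path $runOnce -Name 'kernel32' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Indicator = "registry $runOnce\kernel32"
        Present   = ($null -ne $value)
        Meaning   = if ($null -ne $value) { "autostart entry: $($value.kernel32)" } else { 'autostart entry absent' }
    }

    # A running process called kernel32 would be the worm's KERNEL32.EXE, the
    # component the firewall posts in the thread saw trying to go online.
    $proc = Get-Process -Name 'kernel32' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Indicator = 'process kernel32'
        Present   = ($null -ne $proc)
        Meaning   = 'worm payload running; legitimate kernel32.dll is a library, not a process'
    }

    return $findings
}

# Usage: run from an elevated prompt and read the table; anything marked Present
# in a "suspicious" row is a reason to update the scanner and run a full scan.
Get-BadTransIndicator | Format-Table -AutoSize
```

The KERNEL32.DLL row is deliberately included because, as the replies below show, several people nearly deleted the wrong "kernel" file; the table puts the library and the worm's executable side by side with their meanings.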
Re: Serious Virus Warning - KB
I don't want to appear more ignorant than I am, but how do you know when you've got this bug?

In view of your experience, I've just ordered a new McAfee VirusScan (Version6) from the Times supplement.....about £23. My machine came with McAfee, but you can't update it - you need to buy a retail version to do that apparently. Thanks for your advice everyone.
Re: Serious Virus Warning - Pete
Just as a belated footnote to all this, beware of idiots spreading virus rumours. Anything which arrives from a known friend saying anything like "Microsoft has just announced a new virus - - - " or "AOL says this is very dangerous" is almost certainly a hoax. You are then invited to forward this message to everyone in your address book, so if it is a virus you are spreading it and if it isn't you're clogging up hyperspace with cr*p. A dodge from the DT web supplement said put a non-existent address as the first thing in your address book, like AAAAA. A virus can still get into your computer (bad luck) but can't send itself to everyone in your address book 'cos it can't access the first address. Excuse the rant! I hate rumour spreaders re viruses!
Re: Serious Virus Warning - John Slaughter
Pete

I'll certainly put a dummy address in my book, but with some viruses it isn't the whole answer.

My machine got infected recently, and whilst it e-mailed some addresses I recognised it also e-mailed a number of people who were not in my address book! Some of them were addresses that may be in files in my machine from websites I've visited, and the first I knew is when I got back a number of unexplained 'message not deliverable' notices, including one stating it had a virus.

All happened because I was slow to resubscribe to Symantec to keep NAV virus updates coming. I've done it now!

Always worth checking the Symantec site. Tends to have free downloads available for the current crop of nasties doing the rounds.

The virus was W32.sircam.worm@mm

I suggest you guys delete anything you get that starts:

'I send you this file in order to have your advice'

Regards

JS
Re: Serious Virus Warning - Brian
These false warnings seem to have tailed off recently but, as Pete says, there is a format which one gets to recognise.
Often they contain phrases such as "a new virus was found yesterday". The "yesterday" bit makes it apparently current, whereas a genuine warning will contain date and maybe time, as well as a source address.
Beware anything that says "tell all your contacts" and use the free virus indexes such as McAfee which are updated daily.
The AAA false address trick will stop a virus going to a friend with, apparently, your stamp of authority on the message.
Re: Serious Virus Warning - David W
Pete and Brian,

Like you I am very wary of passing on virus info and will always check with Symantec (or similar) for the hoax possibility.

I only posted on this one as it was such a pig to remove, and for the security aspect as I watched it try to access the Internet (my Firewall showed this) several times to (I guess) send some info from my PC to a third party.


Markymarkn,

Fully respect you may well know far more than me but are you sure the KERNEL32.EXE is needed (don't laugh). Every site giving advice on manually removing this specific BADTRANS variant said to delete this file plus kdll.dll.

I've done it and the PC is back to normal. My C:\Windows\System does still contain KERNEL32.dll and Krnl386 so perhaps those are the ones you need. In any case I've the original (virus infected though) files saved to floppy.

Perhaps some of you with Windows 98SE would look in Windows\System and see which "Kernel" files you have.

David
Re: Serious Virus Warning - ladas are cool
I have deleted the kernel.exe file, and the computer is back to normal, so you don't need it.
Re: Serious Virus Warning - KB
I've just, for the first time ever, received an Email (without an attachment) that had no subject and no sender's name (it was all blank). I've deleted it, but does this ring any bells (or alarms) with anyone?

PS. No-one's yet come up with an answer to my earlier query about how to recognize you've got a bug.

Thanks.
Re: Serious Virus Warning - David W
KB,

Sorry but this sounds like the mail that sent us the W32.BADTRANS virus.

If you have no anti-virus program the first sign of the virus (any) might be odd or sluggish PC performance. There are an infinite number of virus types and they are all a little different.

Having said that you ought not to be operating on the Internet and using e-mail without a current anti-virus program frequently updated on-line. I do my updates weekly at least but was caught by a new virus only days after the last update.

The on-line service mentioned by DanJ and others is fine for an emergency scan but bear in mind it will just confirm if you have the virus and perhaps delete it, but by that time you might have passed it on to others or suffered the "payload" damage.

What you need is your own a/v program on your own PC running all the while. I don't know as much as some others but do e-mail off-site if you want more info.

PS: Also consider a Firewall. SWMBO saw the dodgy e-mail come in last night but had no idea it contained a virus. It was only the Firewall alerting me to the fact that this odd program was trying to connect our PC to another while I was on-line early today that made me do an update to our a/v program. Then a full system scan and the little devil was found.

David
Re: Serious Virus Warning - Colin
David W: My system has only the .dll file and not the .exe.
Re: Serious Virus Warning - Brian
I only have kernel32.dll, not the exe one, located in windows/system
Re: Serious Virus Warning - Colin
A good site to visit regularly for news on PC related matters is
www.theregister.co.uk/

for badtrans see
www.theregister.co.uk/content/56/23016.html

for other virus news
www.theregister.co.uk/content/56/index.html
Re: Serious Virus Warning - Honest John
The latest from me on WORM_BADTRANS.B is on the previous thread I started about it. E-mails with it attached are coming in faster than bombs on Kandahar. I've also had problems with www.antivirus.com , so check the original thread.

HJ
Re: Serious Virus Warning - ladas are cool
The 'badtrans' virus stopped me from going into ANY websites that are anti-virus related. But I managed to get in, only for antivirus.com to act strange.
Re: Serious Virus Warning - Alwyn
David,

Thanks for the warning. I checked with McAfee and they say I am covered with their Clinic anti-virus stuff. Hope so. McAfee found a nimda virus a couple of weeks ago.

I saw something (can't remember what) holding up a bug representing the virus: quite funny and yet not funny.
Re: Serious Virus Warning - markymarkn
Sorry chaps, DW is right, it's kernel32.dll that you still need. Don't delete it (unless it's infected with a virus, then you're knackered anyway).

I knew it rang a bell so didn't want everyone deleting it to find their computers knackered and they can't get to the backroom anymore.

After more research, the viral Kernel32.exe is a little nasty program that detects if you're online or not and if you are will connect to the virus author's website and download further nasties onto your PC! (Hence the reason why firewalls are picking it up.)

Laters chaps,

Mark
Kernel32.exe - John Slaughter
Mark

Worrying - I've just done a search and kernel32.exe doesn't appear to be on the NAV virus list dated 24 Nov. Unusual. Is this a very new virus?

Regards

JS
Re: Kernel32.exe - David W
Hello John,

Kernel32.EXE is the file that the W32BADTRANS.B@mm virus creates and it's the program that is the virus payload.

This new version of BADTRANS was only really seen from teatime on Friday 23rd; Symantec issued their update to cover it a day later so it is still a very new virus.

Another bit of info I noticed last night was that this is exploiting a hole in the OE program and there is a patch on Windows Update for it. I'll have a look in a while. That would have the advantage of stopping all virus types that exploit the OE bug, until the virus creators get round it again of course.

Just to move on-topic for a minute I know some of the real pro guys have a datalink to the PC from their engine diagnostic. What chance of a virus getting to the engine ECU via that route? A diesel with fly-by-wire throttle and a virus might be a tricky beast.

David
Re: Serious Virus Warning - Brian
SWMBO had a garbled text message on her mobile last night with the only sensible bit being a request to reply to phone number *971 505 444 081.
Unfortunately she replied to it before checking with me and I have a nasty feeling that the whole of Nigeria's phone traffic will appear on our next bill! Vodafone are checking it out.
The moral is: if you see anything that you don't recognise or you have a bad feeling about, delete it PDQ.
Re: Serious Virus Warning - KB
Thanks, DW for advice and offer. Nothing evident as we speak. Given HJ's prob's I'd wondered if his machine (which may have my details on it following recent Email to him), has sent it on to others, like yourself/myself. *Perhaps* I'm lucky in that I deleted it without reading it?? I love these machines when they're working, but they frighten the living daylights out of me when they go wrong. I might be a bit handy with hand and power tools, but these things have minds of their own.