Date: Mon, 26 Nov 2001 15:27:18 -0500
From: "Bara Zani" <bara_zani@yahoo.com>
To: "Jeff Craton" <_jeff@onlinecommercecorp.com>
Cc: <freebsd-questions@freebsd.org>
Subject: Re: Re:
Message-ID: <03b901c176b8$c0102c70$fd6e34c6@mlevy>
References: <200111261521.KAA22514@ns2.therackroom.net>
Dear Jeff, your system is infected with the W32.Badtrans.B@mm worm!!!! Please make sure you clean it up. A reference about that worm can be found at the bottom... To list members using MS clients: don't open any attachments from Mr. Craton!

We saw this rising on Friday and today found out that MessageLabs is seeing 400 copies/hour over the weekend (which is an extremely high volume of infected messages given it was the weekend); http://www.messagelabs.com/viruseye/report.asp?id=86

We've talked about the potential of this delivery mechanism on NTBugtraq several times, but tomorrow those of you who manage email servers are likely going to find numerous copies in your mail stores (or users' inboxes).

This thing exploits a vulnerability in some versions of Internet Explorer (see below) that was first fixed back in March of this year. The way these versions of IE handled certain MIME types allowed files to be delivered that would automatically execute when the email was opened (when using Outlook) or rendered in the Preview Pane (when using Outlook Express). It was subsequently used by Nimda in two of its propagation mechanisms (it used .eml and .nws files via HTML to deliver the MIME header, and also mass-mailed messages formed specifically to exploit this vulnerability).

TruSecure's analysis of this over the weekend leads us to believe that a great many people must not have applied the patch, or other packages that deliver the patch. This should be considered carefully by anyone who thinks there's a reasonable amount of time within which people apply such patches: we're talking more than 6 months and 4 packages that contained the fix for each affected version, yet we still seem to be seeing this thing get considerable legs.

Although this is a BadTrans variant, it has been repackaged (compressed) and as such probably requires an AV update to be detected. Most AV vendors should have updates available by the time you read this; check with them.

Ultimately the message comes with a MIME Content-Type of "audio/x-wav", and a double extension (.doc.scr) ending in .scr or .pif. The attachment itself is a Win32 executable. If executed it will mass-mail itself, probably as replies to unread messages in your inbox. NTBugtraq posters may have already received some in response to their list messages (I have). See your AV vendor for more details.

That done, take a minute to review the possible IE patch mechanisms described below. We predicted, when this vulnerability was first discovered, that this was going to be heavily exploited. Nimda's email component didn't seem to work very well (it is still unclear precisely why), but its web browser propagation certainly seemed effective. Now this BadTrans variant, and we will likely see more.

If you cannot get your browsers to one of the unaffected versions for some reason other than time/manpower, drop me a note and let me know why. I'd like to understand what's preventing this vulnerability from going away.
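The indicators the message above names (a part declared as "audio/x-wav" that is really a Win32 executable, carrying a double extension that ends in .scr or .pif) can be checked on the mail-server side before the attachment ever reaches an unpatched Outlook or Outlook Express client. The script below is an added example for this thread, not code from the original poster, from NTBugtraq, or from any AV vendor. It parses raw messages with Python's standard email module and reports each part that shows the mismatch. The sample messages are constructed inline; the MZ magic check and the extensions beyond .scr/.pif (.exe, .com, .bat) are assumptions layered on top of what the message states.

```python
"""Flag BadTrans.B-style attachments: a part declared as audio/x-wav that is
really a Win32 executable with a double extension ending in .scr or .pif.

Added example for this thread, not code from the original message or from
any vendor. The sample messages are constructed here; executable extensions
beyond .scr/.pif and the MZ magic check are assumptions.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Media type the worm declares so affected IE/Outlook versions render (and
# execute) the part automatically. audio/x-wav is the one the message names;
# extend the set if you want to catch other lures of the same kind.
SUSPECT_MEDIA_TYPES = {"audio/x-wav"}

# .scr and .pif come from the message above; .exe/.com/.bat are an assumption.
EXECUTABLE_EXTENSIONS = {"scr", "pif", "exe", "com", "bat"}


def extensions(filename: str) -> list[str]:
    """Every extension of a filename, lower-cased: 'card.doc.scr' -> ['doc', 'scr']."""
    return filename.lower().split(".")[1:]


def analyze_part(part) -> list[str]:
    """Return the indicator names that fire for one leaf MIME part."""
    declared = part.get_content_type()
    exts = extensions(part.get_filename() or "")
    payload = part.get_payload(decode=True) or b""
    looks_like_pe = payload[:2] == b"MZ"      # DOS/PE magic of a Win32 executable

    indicators = []
    exec_ext = bool(exts) and exts[-1] in EXECUTABLE_EXTENSIONS
    if exec_ext:
        indicators.append("executable-extension")
    if exec_ext and len(exts) >= 2:
        indicators.append("double-extension")  # e.g. .doc.scr
    if looks_like_pe:
        indicators.append("pe-header")
    if declared in SUSPECT_MEDIA_TYPES and (exec_ext or looks_like_pe):
        indicators.append("mime-mismatch")     # the IE auto-execute lure itself
    return indicators


def scan_message(raw: bytes) -> list[dict]:
    """Parse a raw RFC 2822 message and report every part with indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        hits = analyze_part(part)
        if hits:
            findings.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "indicators": hits,
            })
    return findings


def is_badtrans_like(raw: bytes) -> bool:
    """True when any part carries the declared-media-type / executable mismatch."""
    return any("mime-mismatch" in f["indicators"] for f in scan_message(raw))


def build_sample(filename: str, content_type: str, payload: bytes) -> bytes:
    """Construct a one-attachment message for the demo (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Re:"   # reply-style subject, as with the copies seen on this list
    msg.set_content("see attachment")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed payloads: a fake PE (just the MZ magic) and a harmless WAV header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt "

SAMPLES = {
    "badtrans": build_sample("card.doc.scr", "audio/x-wav", FAKE_PE),
    "benign": build_sample("song.wav", "audio/x-wav", FAKE_WAV),
    "plain_exe": build_sample("setup.exe", "application/octet-stream", FAKE_PE),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, is_badtrans_like(raw), scan_message(raw))
```

The "mime-mismatch" indicator is the one that matters for this worm: the declared media type is what the vulnerable IE code trusts, while the filename and the MZ magic say the body is a program. A plain .exe sent as application/octet-stream still gets the "executable-extension" and "pe-header" indicators, which is useful for a general attachment policy, but it is not the auto-execute lure the message describes.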