
Preserved Topic: > VIRUS ALERT BIG TIME!!! BADTRANS

 
maxtango
Bipolar (III) Inmate

From: Berlin, Germany
Insane since: Dec 2001

posted 12-11-2001 00:46

Hey I don't know if this was posted, but I was attacked by the W32/Badtrans virus worm today:

If you have Norton AntiVir:
Run the Live update and then run the Virus Check. It should find a Kernel file and remove or isolate it. It worked here; my computer is virus free again.

As far as I know the virus does no harm to your computer, data or files, but it is a worm with the purpose of using up your bandwidth by sending out mails to your entire Outlook address book in the background. You won't find any mails in your sent folder and you don't see the mails being sent unless you have an email anti virus program that checks outgoing and incoming mails.

Please do run a virus program and more information can be found here:
[Sophos] http://www.sophos.com/virusinfo/analyses/w32badtransa.html

[McAfee] http://www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2607

[antivirus.com] http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B

[Symantec] http://www.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

'tango


MYSTIKA
Paranoid (IV) Inmate

From: far, far, away, hidden beyond a magical mist...
Insane since: Oct 2001

posted 12-11-2001 00:58

Thanks for the 411!
i have Norton; will update immediately. My version has e-mail in/out A/V protection. But, will verify if all is enabled...

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 12-11-2001 01:11

got it last week.
this one is very tricky. it uses the name of the sender for email, so you think that mail is from a good friend you know.



maxtango
Bipolar (III) Inmate

From: Berlin, Germany
Insane since: Dec 2001

posted 12-11-2001 01:28

ya the friend email thing is nothing new - the bad thing is that you do not even have to open / double click it to get infected, so please people do two things:

get the removal tool from symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.removal.tool.html

or search for the file kernel32.exe and delete it.

it is one of the trickiest out there right now and really bad.

'tango


MYSTIKA
Paranoid (IV) Inmate

From: far, far, away, hidden beyond a magical mist...
Insane since: Oct 2001

posted 12-11-2001 01:41

I just ran Norton A/V Scan....All Clear!!!!!!!!!!!!!!!! Wahoo!!!!!!!!!!!!!!!!!!!!!!!!!!

Got Everything enabled.
Even searched every single exe command, all files, c/drive, etc.. Nada!!!!

Anything else?




[This message has been edited by MYSTIKA (edited 12-11-2001).]

cyoung
Paranoid (IV) Inmate

From: The northeast portion of the 30th star
Insane since: Mar 2001

posted 12-11-2001 02:04

I got that thing four times last week. OE5 Mac didn't know what to do with it.. heck, I had to forward it just to see the attachment. Don't worry, I used the send later button and deleted it from the out box. Might still be floating around my deleted items folder.. if anybody missed the excitement.

cyoung

Yum, crunchy!

DocOzone
Maniac (V) Lord Mad Scientist
Sovereign of all the lands Ozone and just beyond that little green line over there...

From: Stockholm, Sweden
Insane since: Mar 1994

posted 12-11-2001 02:09

I usually get at least a dozen copies of this each day, it's been going on for a while now! One of the benefits of having your email out there in the world so many places, heh. This is one of the reasons I check my mail on the Mac, saves me hassles later. (I also have a nice collection of nearly every virus you can get for the last 18 months, everyone needs a hobby. :-)

Your pal, -doc-

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 12-11-2001 13:48

Here lately I've been checking for updates every day. At my work, the office manager kept getting an email from a lady in our home office. It was the Goner Virus. Can be a bad one. I haven't seen this one around.


While we are on the subject, my firewall just caught this:
SSH Remote Login Protocol

It's coming from California somewhere.

Would anyone have any idea what SSH Remote Login Protocol is???? I got hit 27 times the other day back to back. Started to get real annoying.

Later,

C:\

MYSTIKA
Paranoid (IV) Inmate

From: far, far, away, hidden beyond a magical mist...
Insane since: Oct 2001

posted 12-11-2001 15:59

Checked my firewall and came up with these unfamiliar ones...:

kazaa from Santo Domingo, several times, and sun remote and a lot from www from unknown ip's, a few from europe! ... are they legit? or should i be suspicious...?

Thank God i listened to u guys and got the ZoneAlarm and VisualZone before anything had time to get me!



[This message has been edited by MYSTIKA (edited 12-11-2001).]

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 12-11-2001 16:18

MYSTIKA:

I get PINGed about 10 times a day from some Sun Remote. Not sure what the hell it is. ZoneAlarm and Visual Zone can make you real paranoid. Just keep your ZoneAlarm and Virus protection updated constantly and you should be OK.

The one that I mentioned above got me kind of worried because it seems that someone tried to "log into" my computer. Again I have no idea what that is. The "More Info" on ZoneAlarm could give me no details either.

C:\

MYSTIKA
Paranoid (IV) Inmate

From: far, far, away, hidden beyond a magical mist...
Insane since: Oct 2001

posted 12-11-2001 20:18

Hey c/:

did the same, got same answer.
Paranoid, who me?! Nah; maybe! All u guys fault w/ the viruses!
lol!

ok, ok...sun remote pinged only a few times last week. and now that i checked, yes, they did try to log-on. so did some of those unknown ip's as the one from santo domingo.

Worried, yep. Paranoid...hmmmm....


CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 12-11-2001 20:39

MYSTIKA:

Yep, that is the same thing that happened to me. I was looking at the program listing in ZoneAlarm and there was something kind of strange there. There was a program that tried to access the internet that was called "Unknown...[Find Error]" Not sure what that was either.

I have searched through the registry to see if there were any malicious programs and I didn't see any. Oh well, I will go on about business as usual (until someone starts withdrawing money from my account)

C:\

MYSTIKA
Paranoid (IV) Inmate

From: far, far, away, hidden beyond a magical mist...
Insane since: Oct 2001

posted 12-12-2001 03:49

ipprotocal88
U talking about me! paranoid...it's obviously contagious, because u got me checking ZA and A in, out and all-around!

I'd say it be totally incredible if something were to get by me, now!
I found a warning at ZA about an IP protocol 88 which tried to get through my firewall 11 times within 1 min. Damn, persistent devil!

ok... updating like crazy 3 times a day from now on....
keep me posted!

lallous
Paranoid (IV) Inmate

From: Lebanon
Insane since: May 2001

posted 12-12-2001 08:02

DocOzone, nice that you're making such a fine collection!

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-12-2001 11:28

The poster has demanded we remove all his contributions, lest he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

maxtango
Bipolar (III) Inmate

From: Berlin, Germany
Insane since: Dec 2001

posted 12-12-2001 15:34

Greetings to the Schweiz!

I thought the file was KERNEL32.EXE not KERN32.EXE ... correct me if I am wrong.

Gruetzi,
'tango

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-12-2001 15:53

The poster has demanded we remove all his contributions, lest he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

maxtango
Bipolar (III) Inmate

From: Berlin, Germany
Insane since: Dec 2001

posted 12-12-2001 18:04

I am originally from Konstanz, living in Berlin, and up north here in Germany, hahaha, you tell people you are from Konstanz, they say: Switzerland? or Bavaria? ...dang I am calling for a new world order now...hahaha

'tango

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-12-2001 19:00

The poster has demanded we remove all his contributions, lest he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 12-12-2001 19:20

The poster has demanded we remove all his contributions, lest he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 12-12-2001 19:35

Well just as I was getting ready to tell you the bad news Ini, you found out that you had the virus. Is it just me, or are there a lot more virii running around these days, or am I just keeping up with it more?

Good that you got rid of it.


C:\

maxtango
Bipolar (III) Inmate

From: Berlin, Germany
Insane since: Dec 2001

posted 12-13-2001 10:59

yeah Norton is good, the mails the Badtrans sent out in the background were only visible once you had the Symantec Mail Check activated - all of a sudden i had 30 Windows open calling Virus Alert in outgoing mail!

You gotta run the Live Update every now and then once a week, then you are pretty much on the safe side.

'tango
