[CR]OffTopic Advice from an AV expert


From: <Gjvinbikes@aol.com>
Date: Fri, 30 Nov 2001 11:41:05 EST
To: classicrendezvous@bikelist.org
Subject: [CR]OffTopic Advice from an AV expert

In a message dated 11/30/01 10:53:53 AM Eastern Standard Time, TW406@aol.com writes:


> I have one this morning from rabbitman.
>

The virus you have received is almost certainly the .b version of "W32.BadTrans@mm" (a Windows Mass Mailer), which was discovered in the UK last week. This virus, unlike most others, is activated WITHOUT clicking on the attachment, but by simply opening the email in a preview window, at least for users of either Microsoft's Outlook or Outlook Express.

See: http://vil.nai.com/vil/virusSummary.asp?virus_k=99069 for details.

Dale's warning about not opening attachments is sound advice in general, but does not apply in this case as the virus writer is exploiting one of the many MIME exploits available to bad guys via Outlook products. I repeat - if you have even just seen the message in an unpatched Outlook or Outlook Express preview window, without having clicked the attachment, you yourself are infected by BadTrans, and it is mailing itself out to addresses it is getting from within your system.

You cannot get any virus directly from the CR mailing list, as the list contents are stripped of all MIME attachments by the list host's StripMime software. You CAN get the virus from messages sent to you directly from CR members, or anyone else.

Before I retired, I was a major player in the antivirus industry, taking viruses apart and writing detection and removal software for products like Virex, Dr Solomon's and McAfee (NETA). McAfee and other major AV products detect and remove BadTrans, but ONLY via their most recent updates!

Glenn Jordan - Durham, NC
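
The attachment stripping the message attributes to the list host can be sketched as follows. This is an added example, not part of the original message and not StripMime's own code: it assumes a filter that keeps only inline text/plain parts, and the function name, addresses and sample message are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: a text body plus a harmless binary attachment.
SAMPLE = """\
From: member@example.org
To: list@example.org
Subject: Re: paint question
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Take a look at this.
--XYZ
Content-Type: application/octet-stream; name="sample.bin"
Content-Disposition: attachment; filename="sample.bin"
Content-Transfer-Encoding: base64

AAECAwQF
--XYZ--
"""

def strip_to_plain_text(raw: str) -> EmailMessage:
    """Hypothetical list filter: rebuild the message as one text/plain part."""
    original = message_from_string(raw, policy=policy.default)
    kept, dropped = [], []
    for part in original.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        is_attachment = part.get_content_disposition() == "attachment"
        if part.get_content_type() == "text/plain" and not is_attachment:
            kept.append(part.get_content())
        else:
            dropped.append(part.get_content_type())  # never copied forward
    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date"):
        if original[header]:
            clean[header] = original[header]
    body = "\n".join(kept)
    if dropped:
        body += "\n[removed: " + ", ".join(dropped) + "]\n"
    clean.set_content(body)  # single part, so no MIME structure survives
    return clean
```

Because the outgoing message is rebuilt rather than edited in place, nothing from a dropped part (headers, filename, payload) can reach subscribers.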