BLACK-L Archives



From:
Subject: [BLACK-L] RE: More virus information
Date: Fri, 15 Jun 2001 21:36:17 EDT


Hello all....

Here is some more information that I found on a site in regard to the virus.
This explains why the names were different. However, it doesn't explain why
my virus software did not catch it the first time.

Virus Advisory - 17 April 2001 - W32.Badtrans.13312@mm (http://www.sarc.com/avcenter/venc/data/…):
W32.Badtrans.13312@mm is a MAPI worm that replies to all unread messages in
your e-mail message folders, and drops an executable backdoor Trojan called
Hkk32.exe in the \Windows folder, executes it, then copies itself to the
filename inetd.exe. It then modifies the Win.ini file by adding itself to the
run= line. The next time that the computer is rebooted, the worm will wait for
5 minutes, then it will use MAPI to reply to all unread e-mail messages. The
worm attaches itself to the message, using one of the following file names:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
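
An added example, not part of the original message or the advisory: a Python check for the traces the advisory describes, namely a run= entry in Win.ini that points at inetd.exe or Hkk32.exe, and attachment names ending in .pif or .scr. The function names and the sample Win.ini and attachment list are constructed for illustration; splitting the run= value on spaces and commas is an assumption.

```python
import ntpath

# File names taken from the advisory text quoted above.
ADVISORY_FILES = {"inetd.exe", "hkk32.exe"}
# Extensions Windows runs directly; every attachment name listed above ends in one.
EXECUTABLE_EXTS = {".pif", ".scr"}


def run_entries(win_ini_text):
    """Return the programs on the run= line of the [windows] section.

    Assumption: entries on run= are separated by spaces and/or commas.
    """
    section, entries = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                entries += value.replace(",", " ").split()
    return entries


def flag_run_line(win_ini_text):
    """Return run= entries whose base file name matches the advisory."""
    return [e for e in run_entries(win_ini_text)
            if ntpath.basename(e).lower() in ADVISORY_FILES]


def flag_attachment(name):
    """Return a reason string if the attachment is an executable, else None."""
    stem, ext = ntpath.splitext(name.strip().lower())
    if ext not in EXECUTABLE_EXTS:
        return None
    inner = ntpath.splitext(stem)[1]  # e.g. ".txt" in README.TXT.pif
    return f"double extension {inner}{ext}" if inner else f"executable extension {ext}"


# Constructed sample input, not taken from a real machine or mailbox.
SAMPLE_WIN_INI = """[windows]
run=C:\\WINDOWS\\inetd.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_ATTACHMENTS = ["README.TXT.pif", "fun.pif", "minutes.doc", "Pics.ZIP.scr"]

if __name__ == "__main__":
    print(flag_run_line(SAMPLE_WIN_INI), [flag_attachment(a) for a in SAMPLE_ATTACHMENTS])
```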

