SEVERITY: MODERATE
TECHNOLOGY AFFECTED: Internet Explorer 5.01 SP1 and 5.5 SP1
DATE: 11/26/2001
TECHNICAL DETAILS:
A new virus, W32/BadTrans.B-mm, is being seen in high distribution on the Internet. It exploits a previously patched vulnerability.
The virus is a mass mailing worm that also delivers a keystroke logging Trojan.
The virus exploits the vulnerability addressed by MS01-020, which means that it can execute when the email is read or previewed in Outlook; it is not necessary to double-click any attachment. A patch for this vulnerability has been available from Microsoft since March.
Contact your AV vendor for more details on methods of infection and the payloads.
PREVENTION OF INFECTION Part 1:
Corporate email filtering systems should block all emails that have attachments with the extensions .scr and .pif.
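The check below illustrates the Part 1 filtering rule. It is an added example, not code from Microsoft or from any mail filtering product. The function names and the sample message are constructed for illustration. It inspects both places a MIME part can declare a file name, and it matches the extension case-insensitively.

```python
import email
from email.utils import collapse_rfc2231_value

BLOCKED_EXTENSIONS = (".scr", ".pif")  # the two extensions named in this alert

def declared_names(part):
    """Return every file name one MIME part declares."""
    raw = (part.get_param("filename", header="content-disposition"),
           part.get_param("name"))  # "name" is the Content-Type parameter
    # RFC 2231 encoded parameters come back as tuples; collapse them to str.
    return [collapse_rfc2231_value(v) for v in raw if v]

def blocked_attachments(raw_message):
    """Return the declared names that end in a blocked extension."""
    hits = []
    for part in email.message_from_string(raw_message).walk():  # nested parts too
        for name in declared_names(part):
            # Case-insensitive match; trailing dots and spaces are ignored
            # because Windows drops them when it resolves a file name.
            normalized = name.rstrip(". ").lower()
            if normalized.endswith(BLOCKED_EXTENSIONS) and name not in hits:
                hits.append(name)
    return hits

# Constructed sample message (not a captured BadTrans mail).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="HOLIDAY.SCR"

placeholder
--b1
Content-Type: application/octet-stream; name="card.pif."

placeholder
--b1
Content-Type: application/pdf; name="report.pdf"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

A gateway would reject or quarantine any message for which blocked_attachments returns a non-empty list.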
PREVENTION OF INFECTION Part 2:
Ensure that you have applied, or that you apply, the patch for MS01-020.
PREVENTION OF INFECTION Part 3:
The Outlook Email Security Update in its default configuration will also block this virus. This functionality is included in default configurations of Outlook XP.
UPDATES:
Due to the severity of this alert and the conditions which must exist for this worm to take advantage of your system, we will not be issuing another alert unless:
The severity of the attack changes
Details regarding the attack change
As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert, please contact your Microsoft representative or our PC Safety line at 1-866-PCSafety.
PSS Security Response Team