[saymaListserv] Worm arriving at YM office...

Mary Calhoun moriah at preferred.com
Thu Nov 29 13:07:55 JEST 2001

Dear Friends,

A newly-identified piece of malicious software (a worm) was intercepted
in e-mails to the office 3 times in the last 2 days from f/Friends
within 3 different meetings in SAYMA.

The worm e-mails itself, thereby taking advantage of the fact that a lot
of us have each other's e-mail addresses.

Following are excerpts from a posting by Symantec, the Norton AntiVirus
company.  To read the entire article, go to


The worm is rated threat level 4 (max is 5).

If you're running antivirus software, it would be prudent to make sure
you've updated its virus definitions.  If you're not running AV
software, you might want to consider doing so!



Symantec Security Response

W32.Badtrans.B at mm

Discovered on: November 24, 2001
Last Updated on: November 27, 2001 at 10:49:03 PM ZE8

Due to the increased rate of submissions, Symantec Security Response has
upgraded the threat level of this worm from level 3 to level 4 as of
November 26, 2001.

W32.Badtrans.B at mm is a MAPI worm that emails itself out using different
file names.

Threat Assessment:

    Wild: High
        Number of infections: More than 1000
        Number of sites: 3 - 9
        Geographical distribution: Low
        Threat containment: Easy
        Removal: Easy

    Damage: Low
        Large scale e-mailing: Uses MAPI commands to send email.
        Compromises security settings: Installs keystroke logging Trojan

    Distribution: High
        Name of attachment: randomly chosen from preset list
        Size of attachment: 29,020 bytes

Technical description:
This worm arrives as an email with one of several attachment names and a
combination of two appended extensions

In all cases, MAPI will be used to find unread mail to which the worm
will reply. The subject will be "Re:".

In all cases, the worm will append two extensions. The first will be one
of the following:
The second extension that is appended to the file name is one of the
The resulting file name would look similar to CARD.Doc.pif or

If SMTP information can be found on the computer, then it will be used
for the From: field. Otherwise, the From: field will be one of these:

"Mary L. Adams" <mary at c-com.net>
"Monika Prado" <monika at telia.com>
"Support" <support at cyberramp.net>
" Admin" <admin at gte.net>
" Administrator" <administrator at border.net>
"JESSICA BENAVIDES" <jessica at aol.com>
"Joanna" <joanna at mail.utexas.edu>
"Mon S" <spiderroll at hotmail.com>
"Linda" <lgonzal at hotmail.com>
" Andy" <andy at hweb-media.com>
"Kelly Andersen" <Gravity49 at aol.com>
"Tina" <tina0828 at yahoo.com>
"Rita Tulliani" <powerpuff at videotron.ca>
" Anna" <aizzo at home.com>

Email messages use the malformed MIME exploit to allow the attachment to
execute [to open] in Microsoft Outlook without prompting [without your
permission]. For information on this, go to:


Home users should not open any email that has an attachment in which the
second extension is .pif or .scr. Any email that has such an attachment
should be deleted.


More information about the sayma mailing list