Badtrans

From: Philip Pemberton <philpem_at_bigfoot.com>
Date: Thu Nov 29 13:52:29 2001

Hi All,
    I've noticed that a few of you have been chatting about Badtrans -
according to Symantec, if you drop the underscore from the "From:" address,
you should end up with the user's actual e-mail address - if the virus chose
to use the actual address...
    I've picked apart the message source and what it does is quite sneaky -
it uses an IFRAME to load the virus and also uses
MIME-headers-within-MIME-headers... A few of the regulars on alt.comp.virus
might want to elaborate... It's a crafty little bugger - it even installs a
keystroke logging trojan... Anyone remember the so-called "Sexyfun" or
"Spirale" virus (its real name was Hybris) - it came in an e-mail from
hahaha _at_ sexyfun.net and could update itself over the web with new
"plugins"... One of which displays a _huge_ hypnotic spiral on-screen...
Sophos put a screenshot of it on their website (www.sophos.com).

Later.
--
Phil.
philpem_at_bigfoot.com
http://www.philpem.f9.co.uk/
Received on Thu Nov 29 2001 - 13:52:29 GMT
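
An added example, not part of the original post: a defender-side check, using Python's standard email module, for the structure the message describes (an IFRAME in the HTML body that loads another MIME part, inside nested multipart headers), plus the underscore-stripped "From:" address. The sample message, its Content-ID, content type and file name, the extension list and the function name inspect are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a capture: harmless payload, made-up names.
SAMPLE = b"""\
From: _user@example.com
MIME-Version: 1.0
Content-Type: multipart/related; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/html

<html><body><iframe src="cid:part1" height=0 width=0></iframe></body></html>
--inner--
--outer
Content-Type: audio/x-wav; name="readme.doc.pif"
Content-Transfer-Encoding: base64
Content-ID: <part1>

aGFybWxlc3M=
--outer--
"""

IFRAME_CID = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*["']?cid:([^"'\s>]+)""", re.I)
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat")  # assumed list

def inspect(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    refs, by_cid = set(), {}
    for part in msg.walk():  # walk() descends into nested multiparts
        if part.get_content_type() == "text/html":
            refs.update(IFRAME_CID.findall(part.get_content()))
        cid = part.get("Content-ID")
        if cid:
            by_cid[str(cid).strip("<> ")] = part
    findings = []
    for cid in sorted(refs & by_cid.keys()):  # parts an IFRAME actually loads
        name = (by_cid[cid].get_filename() or "").lower()
        findings.append({"cid": cid, "filename": name,
                         "declared_type": by_cid[cid].get_content_type(),
                         "risky_extension": name.endswith(RISKY_EXT)})
    # Assumes the underscore is a prefix on the address.
    sender = parseaddr(str(msg["From"]))[1].lstrip("_")
    return {"iframe_loaded_parts": findings, "sender_guess": sender}
```

A part that an IFRAME loads by Content-ID and whose file name ends in an executable extension despite a media content type is worth quarantining at the mail gateway.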
