November 2001

Monthly Virus Update: BADTRANS.B, ALIZ, KLEZ
 

This is the latest installment of a new series of monthly updates on computer viruses. The information is provided by the Lab's Computer Protection Program. The viruses described below are all being blocked by the Lab's "virus wall," which scans all incoming email with "lbl.gov" addresses for viruses. Employees who maintain their own Lab email servers should check to ensure that these systems have updated antivirus software.


BADTRANS.B

This worm, discovered just last week, spreads very fast, and some Berkeley Lab computers have been infected. It affects only systems running Microsoft Windows. The worm uses several different methods to gather passwords and keystrokes and then sends that information to several different email addresses. It transports itself by email, gathering email addresses from the address book, incoming mail, and cached web pages.


Identification:

  • Subject: Replies to incoming e-mail, so the subject will be a reply (RE:)
  • Message: There is no unique identifiable message.
  • Attachment: Will have the name Pics, images, README, New_Napster_Site, news_doc, HAMSTER, YOU_are_FAT!, stuff, SETUP, Card, Me_nude, Sorry_about_yesterday, info, docs, Humor, funPICS, NEWS_DOC, SEARCHURL, S3MSONG, or FUN with one of the double extensions .doc.pif, .mp3.pif, .zip.pif, .doc.scr, .mp3.scr, or .zip.scr

Removal:
A current version of Norton Antivirus with 11/24/01 or later signature file will remove it, but the registry must be modified to keep the virus from reoccurring after a reboot. For more information, click here.

*************

ALIZ

This worm is also spreading rapidly, but affects only Microsoft Windows systems. The worm does not damage the system or files, but emails itself to everyone in the Windows address book. The MIME message in the body of the e-mail can launch the worm simply by opening the message under Outlook and Internet Explorer 5.0 or 5.01. The vulnerability in Internet Explorer that allows this to happen can be fixed with a downloadable patch.


Identification:

  • Subject: Randomly chosen words from each of the following lists:
    Fw:, Re:, Fw:R: Cool, Nice, Hot, some, Funny, weird, funky, great, Interesting, many website, site, pics, urls, pictures, stuff, mp3s, shit, music, info to check, for you, i found, to see, here, - check it !!, !, :-), ?!, hehe ;-)

For instance, the subject might be "Fw:funky site -check it :-)"

  • Message: MIME message with HTML formatting that will make the body appear empty, or in some cases the word "peace" will appear.
  • Attachment: "Whatever.exe"

Removal:
A current version of Norton Antivirus with 5/22/01 or later signature file will remove it.

For more information, click here.
*************

KLEZ

The KLEZ virus is not spreading very quickly, and affects only systems running Microsoft Windows. The virus is programmed so that on the 13th of every odd-numbered month it will overwrite files. It transports itself by email, sending itself to everyone in the Windows Address Book. It may also open automatically when the email is read. It can also spread via network folders that are writable by the infected machine.

Identification:

  • Subject: May be blank or one of the following: Hi, Hello, How are you?, Can you help me?, We want peace, Where will you go?, Congratulations!!!, Don't cry, Look at the pretty, Some advice on your shortcoming, Free XXX Pictures, A free hot porn site, Why don't you reply to me?, How about have dinner with me together?, Never kiss a stranger.
  • Message: The message field may be blank or contain one of the following: I'm sorry to do so,but it's helpless to say sorry., I want a good job,I must support my parents., Now you have seen my technical capabilities., How much my year-salary now? NO more than $5,500., What do you think of this fact?, Don't call my names,I have no hostility., Can you help me?
  • Attachment: Random filename with .EXE extension

Removal:
A current version of Norton Antivirus with 11/08/01 or later signature file will remove it.

For more information, click here.
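
For administrators of their own mail servers, the attachment indicators in the three Identification lists above can be turned into a filename check. The following is an added example, not code from the Lab's virus wall; the function names, labels, and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the Identification lists on this page (lowercased).
BADTRANS_NAMES = {
    "pics", "images", "readme", "new_napster_site", "news_doc", "hamster",
    "you_are_fat!", "stuff", "setup", "card", "me_nude",
    "sorry_about_yesterday", "info", "docs", "humor", "funpics",
    "searchurl", "s3msong", "fun",
}
BADTRANS_EXTS = tuple(f".{a}.{b}" for b in ("pif", "scr") for a in ("doc", "mp3", "zip"))

def classify_attachment(filename):
    """Return a label for a suspicious attachment name, or None."""
    name = filename.strip().lower()
    for ext in BADTRANS_EXTS:
        if name.endswith(ext):
            stem = name[:-len(ext)]
            # Listed name + double extension is the full match; the extension alone is still flagged.
            return "BADTRANS.B" if stem in BADTRANS_NAMES else "double-extension"
    if name == "whatever.exe":
        return "ALIZ"
    if name.endswith(".exe"):
        # KLEZ uses a random filename, so only the extension can be matched.
        return "executable"
    return None

def scan_message(raw_bytes):
    """Parse one RFC 822 message and list (filename, label) for flagged parts."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        label = classify_attachment(fname) if fname else None
        if label:
            hits.append((fname, label))
    return hits

def build_sample(filename):
    """Constructed test message: a reply subject plus one harmless attachment."""
    m = EmailMessage()
    m["Subject"] = "RE: meeting notes"
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("README.doc.pif")))
```

The "executable" label is deliberately broad: because KLEZ attachment names are random, a filename rule can only flag every .EXE attachment for quarantine or signature scanning.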

