Hi All,
I've noticed that a few of you have been chatting about Badtrans -
according to Symantec, if you drop the underscore from the "From:" address,
you should end up with the user's actual e-mail address - if the virus chose
to use the actual address...
I've picked apart the message source and what it does is quite sneaky -
it uses an IFRAME to load the virus and also uses
MIME-headers-within-MIME-headers... A few of the regulars on alt.comp.virus
might want to elaborate... It's a crafty little bugger - it even installs a
keystroke logging trojan... Anyone remember the so-called "Sexyfun" or
"Spirale" virus (its real name was Hybris) - it came in an e-mail from
hahaha@sexyfun.net and could update itself over the web with new
"plugins"... One of which displays a _huge_ hypnotic spiral on-screen...
Sophos put a screenshot of it on their website (www.sophos.com).
Later.
--
Phil.
philpem(a)bigfoot.com
http://www.philpem.f9.co.uk/