Ireland List Virus Page

The Ireland List
Virus Information Page



About the Site Music

The Music being played is called "In the Mood" by Glenn Miller. It was chosen because it spiced up an otherwise dull page. :) Hope you enjoy it.


Viruses and the Mail List

Rootsweb's FAQ (https://support.rootsweb.com/help/mail4.html#Q1) states:

"A List Administrator is the person responsible for the daily operations of the list and is expected to handle bounced messages and help subscribers with list problems."

"The List Administrator decides the character of the list, including what topics are allowed or not allowed. Some are very strict about this and others are very relaxed. A list admin may take an active role in keeping a list on topic and will monitor the list for objectionable posts or behavior."

"It is RootsWeb's policy not to interfere in the daily workings of a list and will intervene only in extreme cases."

"He or she (the List Admin) may remind the subscribers about the evils of bogus virus warnings and other hoaxes to keep them from spreading since these things waste RootsWeb's resources."

As you read through the Rootsweb FAQs, you will find statements such as:

Generally, you are asked to stay on topic and not post things like flames (insults, name calling, etc.,) virus warnings or hoax warnings.
Found on https://support.rootsweb.com/help/mail3.html#Q1

A Genealogy-Related Mail List should concern far more than just Names, Dates and Places. It should contain many other items of interest to the List Members, and one of those items is the topic of Computer Viruses. The posting of a Virus Warning is not unlike the Public Service Announcements you see on TV, and just like a Public Service Announcement, a person can pay attention to it or ignore it. However, one must realize that this is up to the List Admin of the particular List in question to decide.

On the Ireland Mail List, the List Admin tolerates Virus Warnings being posted to the list -- just as long as they don't get too out of hand. :) In a Message to the Mail List, the List Mom states:

A Chairde,

As a security measure, I have been forced to unsubscribe two listers this morning because their computers are infected.

Please, please, I urge all of you to run a virus scan and update virus software immediately, but most of all NEVER OPEN AN ATTACHMENT, unless you know very specifically it is intended to be sent to you. Email the person and ask "did you send me an attachment?"

Please be nice about it because if the virus is sent it is unintentionally being sent out by an infected computer, not by the persons themselves.

Your first indication might be a warning from someone who has received the contaminated email attachment from your address.

Please see:

http://housecall.antivirus.com/housecall/start_pcc.asp

www.symantec.com

and search for the fix.

If I receive a contaminated email attachment with your address, my first course of action will be to unsub your address from the list to protect other subscribers. I will notify you of the virus problem and help in any way I possibly can.

Thanks for your cooperation.

Kind regards,
Deb
Ireland List Mom

Please note that she does not state that the Posting of Virus Warnings is Off-topic.

One should take care when posting Virus Warnings.

The first thing you should do is to go to a WEB Site like Norton's (Symantec) or McAfee's and see if they list the Virus you plan to report as a Hoax. These are a couple of the best sites on the net for accuracy about Viruses and Hoaxes.

The Second thing to do is to pay attention to the other messages on the list. Before posting your warning, check to make sure someone else hasn't posted the warning already.

An easier way to make the List aware of Viruses is to send it to the List Admin and let him/her handle it. If the Virus Warning is not posted, then odds are it has been posted in the recent past.

A third way is to start a list of recent Virus Warnings for this site and urge all List Members to consult the list on a daily or weekly basis. When we see a newbie come onto the List, he or she can then be guided to the WEB Site for such information.

There are other things which could be added to the above bits of advice, but these should suffice for now.

The List Mom, and many List Members, appreciate the postings about a new virus out there (or an old one which is making the rounds again, for that matter) - however, we must also remember that the reason for joining this list was not to receive Virus Warnings. The Members should be tolerant of the Virus Warnings posted, but at the same time we should strive to not cause unnecessary postings. :)

Addendum

You will also find a statement from Rootsweb entitled "Virus Warnings" at https://support.rootsweb.com/announce.html#virus. It reads:

Virus warnings

RootsWeb's mailing lists are filtered and attachments are not allowed. A virus that is distributed as an attachment will not reach you through a RootsWeb mailing list.

A recent virus, and several imitations of it, may result in your receiving an e-mail (or a greeting card) with a virus attached, that appears to come from RootsWeb or from an address you are familiar with. Some viruses will send a message to all the unread messages in the infected person's mailbox folders, with the virus attached. It may include the original message followed by instructions to look at the attachment. Another will use addresses found in the infected person's address book. They send messages using a forged address (for instance, using RootsWeb or the infected person in the return address). The subject line and message may indicate it is in response to a message you sent, making it even more credible. While it may appear to come from RootsWeb, that is only an illusion of the virus -- our address and the subject line are a forgery.

What can you do? Protect yourself by never opening an attachment from someone you do not know, or that looks suspicious. If an unexpected attachment comes from someone you do know, write to confirm they sent the attachment prior to opening it. If you have an e-mail from RootsWeb, and there is an attachment of any kind, don't open it. If you clicked on an attachment and received a message that the file was corrupted, it likely means your computer has been infected by the virus.

Most importantly, use a virus protection program. Know what viruses are out there so you will recognize one if you get it. There are sites that will help you, including those shown below.

http://housecall.antivirus.com/pc_housecall/
http://www.symantec.com/avcenter/
http://www.stanford.edu/group/partners/hoaxes.shtml
http://kumite.com/myths/
http://www.mcafee.com/centers/anti-virus/default2.asp
http://www.europe.f-secure.com/v-descs/newapt.htm

Remember, if you do not open the attachment, you substantially reduce the chances of becoming infected with a virus. Delete it. Then empty the trash bin to make sure it is gone. If you are using an e-mail program that stores attachments elsewhere on your computer, such as Eudora, find it there and delete it too.

Tips about Virus Warnings

See the Virus FAQ at:

The Ireland List Virus FAQ Page

China Attacks!

It seems people are conditioned to the idea that if we hear something on the News, or read it in a "Bona Fide" or "Accredited" News Source, it must be true.

Many of us have spotted errors in News Stories over the years. Even though we spot these stories, a part of us seems to justify it as a rare event, and we go on thinking that the other News Stories we see must be accurate.

In addition, it seems we also are conditioned to basically believe that other professionals mostly give out complete and accurate information.

If a statement is given and it comes from a government agency or the person has a list of initials after his name which represents his degrees, we then tend to figure the information is true.

A recent issue arose over the "Chinese" threatening to attack the internet. These reports gave me several hours of amusement. I found this article, which I found amusing and thought-provoking, at the VMyths site. The article is incomplete because I do not show the links they included within their article. To get the full scope of what they say, a person should log onto VMyths and read the article as they posted it.

Chinese hacker riot (April-May 2001 hysteria)
Source: Vmyths.com

"FBI NIPC habitually cries wolf when 14yr-old braggarts "publicly discuss" their diabolical plans to wipe out the Internet."

The FBI's National Infrastructure Protection Center (FBI NIPC) issued an alert about "increased Internet attacks against U.S. web sites and mail servers possible in early May." The agency based its warning on a recent international incident between U.S. and Chinese military aircraft. The U.S. military forwarded the cyber-alert to its units stationed around the globe.

FBI NIPC issued the warning more than a week after news stories (e.g. MSNBC, ABC, Wired) first highlighted the perceived threat. The agency explained "[malicious] Chinese hackers have publicly discussed increasing their activity during" the period of 1-7 May 2001. "To date, hackers already have unlawfully defaced a number of U.S. web sites, replacing existing content with pro-Chinese or anti-U.S. rhetoric... Network and system administrators are encouraged to more closely monitor their web sites" during the predicted danger period.

The FBI NIPC alert used "trigger phrases" such as "unlawfully defaced" and "illegally exploited." As a result, credulous reporters have written stories about an "upcoming cyberwar." Chinese hackers have received much of the attention up to this point -- so watch for reports of "possible counterattacks" by teenage braggarts living in the U.S.

Vmyths.com dismisses the weeklong "hacktivism" as an empty threat. Here's why:

  1. An astonishing number of Chinese citizens have never made a telephone call, let alone used the Internet. China currently owns a limited amount of Internet bandwidth with few direct routes to the U.S. The country as a whole fosters relatively few Internet-savvy computer users.
  2. China further limits Internet access as part of its closed-border policy. Internet connections pass through monitored "bottlenecks" so the police can filter out western influences which might contaminate their sociopolitical ideology. E-commerce sites, for example, are viewed as a dangerous new capitalist tool. Vmyths.com doubts Chinese hackers can access a popular e-commerce site, let alone attack it. Any hacker who circumvents China's Internet filters faces a jail sentence for violating ideology.
  3. History suggests this "hacker riot" will go down as a non-event -- just like all the others before it. China's 14yr-old hackers suffer from narcissistic personality disorder, too. They reflexively brag about their god-like powers and they reflexively threaten to smite others with their god-like wrath. The only difference here is that FBI NIPC gives credence to what Chinese boys write or say.
  4. Vmyths.com insists it'd take more than a week to cyber-destroy the western hemisphere, and it'd certainly take more than a couple of childish braggarts. International Computer Security Association (ICSA) employee David Kennedy publicly downplayed FBI NIPC's alert with this paraphrase: "one if by land, two if by sea, three if by 'Net."
  5. FBI NIPC habitually cries wolf when 14yr-old braggarts "publicly discuss" their diabolical plans to wipe out the Internet. In their two most embarrassing examples, agency officials freaked out when teenagers threatened to unleash deadly Y2K viruses on 1/1/2000 -- and they freaked out again when teenagers threatened to launch Y2K+1 attacks on 1/1/2001. The antivirus industry won't openly admit it, but they dismiss FBI NIPC as a laughingstock.

There are many reasons why "Experts" and "the Media" can be wrong. The Media is often limited by space and time constraints, which dictate how much information can be given out, and often there isn't enough time to present the information properly. And people are often looking for notoriety and fame.

So next time you hear a news report, just keep in mind that you might not be given the full story. :)

The Dreaded Amish Virus!
Submitted by: tmeehan

I think it's time for something else to smile over!

You have just received the Amish virus. Because we don't have any computers, or programming experience, this virus works on the honor system.

Please delete all the files from your hard drive and manually forward this virus to everyone on your mailing list.

Thank you for your cooperation.

 
The BADTRANS Virus

The BADTRANS Virus is still making its rounds on the Email Lists. As with most email viruses, the real problem with the Virus comes in when the File Attachment is opened and the system is infected. It is then that the virus begins to spread at exponential rates.

This write-up on the BADTRANS Virus, from the Symantec Site, is one of the best write-ups about the Virus that I have seen:

W32.Badtrans.13312@mm
Discovered on: April 11, 2001
Last Updated on: May 8, 2001 at 08:39:43 AM PDT


Due to an increase in the number of submissions, W32.Badtrans.13312@mm has been upgraded to a Category 4 threat. It is a MAPI worm that replies to all unread mails in your email message folders, and drops a backdoor Trojan.

Also Known As:

  • W32/Badtrans-A
  • W32/Badtrans@MM
  • BadTrans
  • IWorm_Badtrans
  • I-Worm.Badtrans
  • TROJ_BADTRANS.A

Category: Worm

This is a program that makes copies of itself, for example from one disk drive to another, or by copying itself using email or some other transport mechanism. It may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.

Infection Length: 13312 (133Kb)

This is the size, in bytes, of the viral code that is inserted into a program by the virus. If this is a worm or Trojan horse the length represents the size of the file.

Virus Definitions: April 11, 2001

This field indicates when virus definitions that include protection for this virus were publicly available through LiveUpdate or the Intelligent Updaters.

Threat Assessment:

This is a severity rating of the virus, worm or Trojan horse. It includes the damage that this threat causes, how quickly it can spread to other computers (distribution), and how widespread the infections are known to be (wild).

Wild: High

The wild component measures the extent to which a virus is already spreading among computer users. This measurement includes the number of independent sites infected, the number of computers infected, the geographic distribution of infection, the ability of current technology to combat the threat, and the complexity of the virus.

Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy

Damage: Medium

The damage component measures the amount of harm that a given threat might inflict. This measurement includes triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, errors in the virus code, compromising security settings, and ease by which the damage might be fixed.

Payload: Large scale e-mailing: It replies to all unread messages in the message folders within the default MAPI email program.
Compromises security settings: It drops a backdoor Trojan.

Distribution: High

This component measures how quickly a threat is able to spread itself.

Technical description:

When the worm is executed, it drops the backdoor Trojan Hkk32.exe in the \Windows folder, and then executes it. It then copies itself into the Windows folder as inetd.exe, adds a run= line to the Win.ini, and displays the following message:

The next time that the computer is rebooted, the worm will wait for 5 minutes, then it will use MAPI to find all unread email messages and reply to all of them. The worm will attach itself to the email, using one of the following file names:

Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
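Every name in the list above ends in .scr or .pif, and many put a document-style decoy extension (.ZIP, .TXT, .DOC, .AVI, .MP3) in front of it. As an added example that is not part of the Symantec write-up or this page, here is a small Python filter of the kind a list server that strips attachments (as RootsWeb's statement above describes) could apply: it classifies attachment names by their outermost extension, notes a decoy extension where one is present, and is run over the Badtrans names and a constructed sample message; the DECOY_EXTS and extra EXECUTABLE_EXTS beyond .scr/.pif are assumptions.

```python
import email
from email import policy

# Extensions Windows runs as code even when the name looks like a document.
# The Badtrans list above uses only .scr and .pif; the others are assumed here.
EXECUTABLE_EXTS = {"scr", "pif", "exe", "com", "bat", "cmd", "vbs", "js"}
# Inner "decoy" extensions that make a double-extension name look harmless.
DECOY_EXTS = {"zip", "txt", "doc", "avi", "mp3", "jpg", "gif", "pdf", "xls"}

# The attachment names given in the Symantec write-up on this page.
BADTRANS_NAMES = [
    "Pics.ZIP.scr", "images.pif", "README.TXT.pif", "New_Napster_Site.DOC.scr",
    "news_doc.scr", "hamster.ZIP.scr", "YOU_are_FAT!.TXT.pif", "searchURL.scr",
    "SETUP.pif", "Card.pif", "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "s3msong.MP3.pif", "docs.scr", "Humor.TXT.pif", "fun.pif",
]


def classify_attachment(name):
    """Return (verdict, reason) for one attachment file name.

    verdict is "block" when the outermost extension is one Windows executes;
    the reason notes whether a decoy extension sits in front of it."""
    parts = name.lower().rsplit(".", 2)  # only the last two extensions matter
    if len(parts) < 2:
        return "allow", "no extension"
    outer = parts[-1]
    if outer not in EXECUTABLE_EXTS:
        return "allow", "non-executable extension ." + outer
    if len(parts) == 3 and parts[-2] in DECOY_EXTS:
        return "block", "executable .%s hidden behind decoy .%s" % (outer, parts[-2])
    return "block", "executable extension ." + outer


def filter_names(names):
    """Return the attachment names that a list server should strip."""
    return [n for n in names if classify_attachment(n)[0] == "block"]


def blocked_attachments_in(raw_message):
    """Parse an RFC 822 message and return the attachment names to strip."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return filter_names(names)


# Constructed sample message (not a real capture) shaped like the Badtrans
# mail described on this page: a reply carrying one of the listed names.
SAMPLE_MAIL = """\
From: friend@example.invalid
To: you@example.invalid
Subject: Re: Re: Ireland List
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Take a look to the attachment
--b1
Content-Type: application/octet-stream; name="Card.pif"
Content-Disposition: attachment; filename="Card.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for n in BADTRANS_NAMES:
        print(n, classify_attachment(n))
    print("strip from sample mail:", blocked_attachments_in(SAMPLE_MAIL))
```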

Removal instructions:

Because W32.Badtrans.13312@mm affects different operating systems in different ways, how you remove this worm depends on your operating system. Follow the instructions in the order given.

  1. To remove the worm:
    • Run LiveUpdate to make sure that you have the most recent virus definitions.
    • Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
    • Delete any files detected as W32.Badtrans.13312@mm. What you do next depends on whether NAV was able to delete the files that it detected as infected with W32.Badtrans.13312@mm:
      • If NAV was able to delete all infected files and you are using Windows 95/98/Me, skip to the section To edit the Win.ini file.
      • If NAV was able to delete all infected files and you are using Windows NT/2000, you are finished.
      • If NAV was not able to delete all files that it detected as infected, go on to the next section and follow the instructions for your operating system.

  2. How to remove files that cannot be deleted by NAV

    Follow the instructions for your operating system only if NAV could not delete files that it detected as infected with W32.Badtrans.13312@mm.

    • Windows 95/98/Me:
      1. Restart the computer in Safe mode. For instructions on how to restart in Safe mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
      2. Run the scan again and delete any files detected as W32.Badtrans.13312@mm.
      3. When the scan is finished, go on to the section To edit the Win.ini file.

    • Windows NT with FAT32/FAT16:
      1. Restart the computer in VGA mode and run the scan again. For instructions on how to do this, see the document How to set up standard VGA mode in Windows 9x/Me/NT 4.0/2000.
      2. Delete any files detected as W32.Badtrans.13312@mm.
      3. Restart the computer to complete the removal procedure.

    • Windows 2000 with FAT32/FAT16:
      1. Restart the computer in Safe mode. For instructions on how to restart in Safe mode, see the document How to start Windows 2000 in Safe Mode.
      2. Run the scan again and delete any files detected as W32.Badtrans.13312@mm.
      3. Restart the computer to complete the removal procedure.

    • Windows NT/2000 with NTFS:

      Removal on Windows NT/2000 with NTFS is a bit more complex, as you first must edit the registry.

      CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified.

      Please see the document How to back up the Windows registry before proceeding. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

      1. Click Start, and then click Run. The Run dialog box appears.
      2. Type regedit and then click OK. The Registry Editor opens.
      3. Navigate to the following subkey:

        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

      4. In the right pane, delete the following value:

        Kernel32 KERN32.EXE
      5. Navigate to the following subkey:

        HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

      6. In the right pane, delete the following value:

        run \Inetd.exe
      7. Exit the Registry editor.
      8. Restart the computer.
      9. Run the scan again and delete any files detected as W32.Badtrans.13312@mm. This completes the removal procedure for users of Windows NT/2000 with NTFS.

To edit the Win.ini file:

If you are running Windows 95/98/Me, you must also do the following:

  • Click Start, and then click Run.
  • Type the following and then click OK:

    edit c:\windows\win.ini

    NOTE: If you have installed Windows to a different location, make the appropriate substitution.

  • In the [windows] section, locate the run= line. It will look similar to the following: run=c:\windows\inetd.exe
  • Remove the text to the right of the = sign, so that the line now reads: run=
  • Save your changes and exit the System Configuration Editor.

Write-up by: Peter Ferrie
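The run= line in the [windows] section of win.ini is the Windows 95/98/Me persistence point the instructions above clear by hand. As an added example that is neither Symantec's nor this page's code, here is a Python checker that does the same on a copy of win.ini: it reports the run= and load= entries, removes only the program named inetd.exe and keeps any other program listed on the same line; it runs against a constructed sample file, and the "8.3 paths contain no spaces" rule for splitting the line is an assumption.

```python
import re

STARTUP_KEYS = ("run", "load")  # the two [windows] keys Win9x starts at logon


def _windows_section_lines(win_ini_text):
    """Yield (line_index, key, value) for each key=value line in [windows]."""
    section = None
    for i, line in enumerate(win_ini_text.splitlines()):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows" and "=" in s:
            key, _, value = s.partition("=")
            yield i, key.strip().lower(), value.strip()


def find_startup_entries(win_ini_text):
    """Return {key: value} for the run= and load= lines in [windows]."""
    return {k: v for _, k, v in _windows_section_lines(win_ini_text)
            if k in STARTUP_KEYS}


def clean_startup_entries(win_ini_text, suspect_names=("inetd.exe",)):
    """Return (cleaned_text, removed) with suspect programs dropped from the
    run=/load= lines. Other programs on the same line are kept, and the key
    itself stays (run=), as in the manual instructions above."""
    lines = win_ini_text.splitlines()
    removed = []
    for i, key, value in _windows_section_lines(win_ini_text):
        if key not in STARTUP_KEYS:
            continue
        # win.ini separates several programs with spaces or commas; 8.3 paths
        # of that era contain no spaces (assumption made for this example).
        tokens = [t for t in re.split(r"[ ,]+", value) if t]
        keep = [t for t in tokens
                if not any(s in t.lower() for s in suspect_names)]
        if len(keep) != len(tokens):
            removed.extend((key, t) for t in tokens if t not in keep)
            lines[i] = key + "=" + " ".join(keep)
    return "\n".join(lines) + "\n", removed


# Constructed sample of an infected Win9x win.ini (not a real capture); the
# second program on the run= line stands in for a legitimate entry.
INFECTED_WIN_INI = """\
[windows]
load=
run=c:\\windows\\inetd.exe c:\\tools\\legit.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print("before:", find_startup_entries(INFECTED_WIN_INI))
    cleaned, gone = clean_startup_entries(INFECTED_WIN_INI)
    print("removed:", gone)
    print("after:", find_startup_entries(cleaned))
```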

Special thanks go out to the Symantec Security Updates Site. The preceding article can be found at:

http://www.symantec.com/avcenter/venc/data/[email protected]

Please visit the Symantec Site at:

http://www.symantec.com/

for more information.

     
    A minor bug could cause global e-mail communications chaos

    Cambridge, United Kingdom, April 12, 2001 - Kaspersky Labs, an international data-security software-development company, warns computer users about the discovery "in-the-wild" of the new multi-component Internet-worm "Badtrans.��

    The worm infects computers running the Windows 95/98/ME/NT/2000 operating system. "Badtrans" is a Win32 executable file (PE EXE file) found "in-the-wild" in compressed form, and is about 13Kb in size. Being decompressed, the worm's size increases to about 40Kb.

    The worm has a multi-component structure, and consists of three different components that are dropped on a disk as different files and are run as stand-alone programs (dropper component, e-mail worm and a Trojan). The worm routine is the main component, keeping the Trojan program body in its code and installing it into the system while infecting a new machine. The Trojan component enables a remote user to perform unauthorized control over the infected system and steal confidential information.

    "Badtrans" arrives as an e-mail message with an attached file with a name randomly selected from the name list, and contains the text: "Take a look to the attachment" in the message body.

    In addition to stealing confidential information, the worm's other danger is its ability to paralyze the data transmission channels. Because of a minor bug, it may send out its copy to every single unread message in the inbox folder, even if it has been received from another infected computer.

    For example, a worm at computer "A" detects an unanswered message in the inbox folder received from infected computer "B," and sends its copy there. In turn, computer "B" receives an infected message and answers back and so on, reminiscent of the well-known ping-pong game where players try throwing a ball to the other part of the field. As a result, data traffic between two infected computers increases a thousand-fold, and in just one hour, the worm can deliver literally thousands of infected messages.

    Protection against the "Badtrans" worm has already been added to the KasperskyTM Anti-Virus virus signature database. Please update your Kaspersky Anti-Virus using the built-in updater or manually from

    http://www.kaspersky.com/updates.asp

    More details about the worm are available in the Kaspersky Virus Encyclopedia:

BadTrans virus fizzles on Good Friday
By Robert Lemos

Special to CNET News.com
April 13, 2001, 11:50 a.m. PT

A virus that monitors a PC's network connections and sends itself in response to any incoming e-mail has apparently failed to spread, despite, or because of, warnings issued by several major antivirus software makers.

"We initially gave it a medium rating, but we expect to downgrade that today," Susan Orbuch, spokeswoman for antivirus company Trend Micro, said Friday.

Though several of Trend Micro's customers reported receiving e-mailed copies of the virus, only three companies were actually infected, Orbuch said.

The mass-mailing worm, known as W32/BadTrans, appears attached to an e-mail message either as a screensaver (.scr) or Windows shortcut (.pif) file, with any one of a variety of names, including Card, docs, hamster, humor and 12 others.

If opened, the worm first displays a dialog box titled, "WinZip Self-eXtractor," which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." Then the worm will install a backdoor program, compromising the computer's security, and mail the victim's IP address to the virus writer.

The worm also replies to all incoming e-mail messages, attaching itself to the outgoing message. The new message will have the same subject line and message body as the original e-mail, and the sender will be the victim's username.

While it has some of the makings of a successful mass-mailer, BadTrans has effectively fizzled out, said Vincent Gullotto, director of Network Associates' antivirus emergency response team.

On Thursday the company received only 10 reports of the worm, he said. "There is a possibility that it was a bit more prevalent in the U.K. and Europe," he said. "But we consider it to be a low threat."

Symantec's Web site rated the virus as a 3 out of 5, with less than 50 infections to date.

The failure of the virus to spread may not mean that people are getting smarter in the use of e-mail. According to Trend Micro's research team, the virus had several technical problems.

"Not every version of the virus is working," said Trend Micro's Orbuch.

In addition, an attempt by the virus writer to make the worm not respond to e-mails from other infected computers was flawed. Two or more infected computers in a company result in a spam war of messages bouncing back and forth, which makes the worm extremely visible, Orbuch said.

Links!

Useful Links:

Symantec Downloads
Symantec Security Up-dates
Gullibility Virus Warning

Hoaxes and Warnings:

Symantec Security Updates = Hoaxes
McAfee's Virus Hoaxes
Hoax warnings
Vmyths.com

For Discussions concerning Viruses:

[email protected]
[email protected]/