stephen.buckland1 at stephen.buckland1 at
Wed Nov 28 05:14:56 EST 2001

Dear Mr McCarty,

Thank you for your informative e-mail on the Badtrans virus. I, however, was not so lucky and have had a fair amount of damage on my home PC when the virus came through as a reply to a job application, as I have recently finished an MSc in GIS (yes one of those 'starving students'), while in the process of buying virus protection software off the web!

As a way of extra information for everyone the name the e-mail was addressed from was a 'chan.mai' or a name to that effect, with the attached file having 'HAMSTER' in the name field.

I write this to you all as an apology should the virus send an email out (although I will soon be taking my name off the list until I can sort out and delete the virus properly).

Kind regards,

Stephen Buckland.

> Frank et al.,
> Thanks for confirming that someone else has been hit.  We suffered no
> damage here, but did wonder about several recently received messages.
> For those on the list who wish to learn more about this worm, go to:
> avcenter/venc/data/w32.badtrans.b at mm.html
> to see its effects and how to get rid of it.
> >> The attached virus-file was identified as setup.exe.rdc<<
> Actually, it's a worm called w32.badtrans.
> >>  and sender is called Jose M. Castello (surely a false name!) <<
> On the contrary, Sr. Castello did participate on this list in the past
> month.
> One aspect of this worm is that it replies to a message which has not been
> replied to before.  In other words, if an exchange of messages ends because
> there is nothing more to say, it is possible that the worm will pick the
> last message in the thread and reply to it.
> One message that we received here had the appropriate subject line for the
> earlier exchange.
> >> I was unable to identify the email address of the sender, however, there
> are  people working on it. <<
> We had no trouble reading the addresses.  They may not be valid at this
> point, but they were certainly readable....
> <soapbox>
> At the risk of incurring the wrath of list members, I would respectfully
> suggest that if you do not have virus software installed, or worse, if you
> cannot bother to keep it up to date, please do not subscribe to this list,
> or any other.  
> Yes, there are undoubtedly some "starving students" who subscribe to the
> list, as well as participants from outside the US for whom virus software
> is a relative luxury.  However, I hope that they are the minority and that
> they will be as careful as possible regarding viruses.  Many of us on this
> list will gladly offer concrete suggestions for taking such care, if asked.
> </soapbox>
> To Jim Hendee and the list operators, this worm came to light only
> recently.  However, Norton responded with new virus definitions within 1
> day, despite the holiday.  I'm sure that other AV software companies did
> the same.  We all need to pay attention.  I hope that no one else
> experienced anything more than a minor annoyance.  If not, check the URL
> above for instructions on how to remove the virus.
> Yours for safer computing,
> Chip McCarty
> ~~~~~~~
> For directions on subscribing and unsubscribing to coral-list or the
> digests, please visit, click on Popular on the
> menu bar, then click on Coral-List Listserver.


More information about the Coral-list-old mailing list