Jim Hendee hendee at
Wed Nov 28 08:15:51 EST 2001


There have been several attempts to post the w32.badtrans virus to
coral-list over the last week, but I killed all of them.  Although the
virus used a valid subscriber's name to try to send the message to the
list, and thus theoretically it could have been circulated to all
subscribers, it was caught by me as "too big" and I saw that it was a
virus.  Thus, I have here another good example of why I restrict the size
of posted messages.  On the other hand, it is theoretically possible for a
small virus to get past the size restriction.  You should therefore, if
possible, look at the file extension of attached messages that look
suspicious (e.g., *.exe).

Finally, I just wanted to remind you that I zealously guard the list so
that nobody gets it.  I think the fact that all subscribers do not get
regularly bombed by junk mailers and virulent malcontents exhibits the
fact that the dirty rotten scoundrels are not using coral-list as their
source.  As I mentioned before, though, it is possible that some
enterprising (and desperate) knucklehead could gain access to emails by
cruising through the coral-list archives.  We may try to come up with a
way to protect this in the future.

Take care, and remember to back up your files regularly!


On Tue, 27 Nov 2001, McCarty and Peters wrote:

> Frank et al.,
> Thanks for confirming that someone else has been hit.  We suffered no
> damage here, but did wonder about several recently received messages.
> For those on the list who wish to learn more about this worm, go to:
> to see its effects and how to get rid of it.
> >> The attached virus-file was identified as setup.exe.rdc<<
> Actually, it's a worm called w32.badtrans.
> >>  and sender is called Jose M. Castello (surely a false name!) <<
> On the contrary, Sr. Castello did participate on this list in the past
> month.
> One aspect of this worm is that it replies to a message which has not been
> replied to before.  In other words, if an exchange of messages ends because
> there is nothing more to say, it is possible that the worm will pick the
> last message in the thread and reply to it.
> One message that we received here had the appropriate subject line for the
> earlier exchange.
> >> I was unable to identify the email address of the sender, however, there
> are people working on it. <<
> We had no trouble reading the addresses.  They may not be valid at this
> point, but they were certainly readable....
> <soapbox>
> At the risk of incurring the wrath of list members, I would respectfully
> suggest that if you do not have virus software installed, or worse, if you
> cannot bother to keep it up to date, please do not subscribe to this list,
> or any other.
> Yes, there are undoubtedly some "starving students" who subscribe to the
> list, as well as participants from outside the US for whom virus software
> is a relative luxury.  However, I hope that they are the minority and that
> they will be as careful as possible regarding viruses.  Many of us on this
> list will gladly offer concrete suggestions for taking such care, if asked.
> </soapbox>
> To Jim Hendee and the list operators, this worm came to light only
> recently.  However, Norton responded with new virus definitions within 1
> day, despite the holiday.  I'm sure that other AV software companies did
> the same.  We all need to pay attention.  I hope that no one else
> experienced anything more than a minor annoyance.  If not, check the URL
> above for instructions on how to remove the virus.
> Yours for safer computing,
> Chip McCarty
> ~~~~~~~
> For directions on subscribing and unsubscribing to coral-list or the
> digests, please visit, click on Popular on the
> menu bar, then click on Coral-List Listserver.
