Me, nude? Hey, waitaminute...this is a Mac!??

This is a Macintosh. The W32 BadTrans virus/worm is not supposed to be able to infect me, right?

So I get an email with the subject “Re:”, open it (in Eudora, not Outlook, btw), it has NO CONTENT, and when I click the button to show all details and headers learn that it has automatically downloaded a file called “Me_nude.MP3.scr”, which rings a bell.

Yep, a quick trip to the Norton website tells me the file is the BadTrans. No mention of it doing evil things on a Mac.

I go to the file itself. BBEdit doesn’t want to open it, which is very unusual. I do a Get Info, wondering if it is incredibly huge. I learn that it is only 32K but, more shocking, it has a Mac file type and creator! “WAVE” and “SNdm” respectively. Of course, browser prefs and Internet Control Panel settings and File Exchange Control Panel settings will routinely assign Mac type and creator codes to common PC files with known extensions, but I check and find that, if anything, “.scr” files should be assigned to GraphicConverter (GKON) and type “RIX3”, whatever the heck that might be…

I fire up Sherlock and search for all files of Creator Code “SNdm” and it comes back with one hit: Me_nude.MP3.scr. OK…I fire up the old Type & Creator codes database and learn that SNdm is owned by SoundMachine 2.5.1, which I don’t own. Well, that fits with “.scr” becoming a “WAVE” file type, I guess…

But why didn’t the attachment appear inline, waiting for me to choose to download it if I wanted to, instead of, somehow, placing itself at the root of my current startup volume?

::cue Twilight Zone music::

Anyone hear anything about a version of this ugly compiled to execute on a Mac?

For what it’s worth, I’ve picked up a few of the mysterious attachments due to PC viruses with Eudora on my Mac as well. .exe files that downloaded without queuing, and squirrelled themselves away, but didn’t appear to do any harm.

I can’t remember the name of the particular virus that caused this, but Norton AntiVirus cleaned it off the PC of the friend who was infected originally, and the Norton site contained no info on the same virus being able to hit Macs.

My very uneducated guess would be that the viruses are able to recognize Eudora across platforms, hence the mysterious download, but unable to do anything once they’ve made themselves at home.

-ellis

That makes sense. The unwanted download itself is a bug in Eudora, and apparently the Mac Eudora is close enough to the Microsoft Eudora they share security holes. But executables are specific to the OS (knowing that somewhere, somehow, there is an exception and that I will be informed of it … I love this place! :)) and aren’t portable without rewrites. So, as ellis555 said, once the executable is in place, it’s impotent.

So to speak …

:smiley:

(Before anyone calls me on it, I know that Windows 95 and Windows ME (for example) are different OSs, with different underlying code (16 bit vs. 32 bit, right?), and that the same applications run on both (sometimes). I’m just saying that you can’t take Microsoft programs and expect them to run on a Macintosh machine or a Linux machine or an OS/2 machine or a PDP machine or those VAXen :smiley: … )

No, no, no. You’re thinking of the difference between Win95 and WinXP. Windows 95, 98 and ME are built from the same craptacular base code with DOS in the core. But in other respects, the rest of that paragraph stands true, except I don’t expect Microsoft programs to run on this Windows machine, either. (Or at least competently.) It’s universal in that regard.

.SCR indicates a screen saver file, which can contain a .WAV file as part of it. That may be why your Mac is calling it a .WAV. The SoundMachine file may also be embedded in the screen saver. Your Mac, which looks at the files and not the extensions, probably sees these.

I don’t know about Badtrans, but a lot of viruses take an existing file and embed their code. It’s possible that it took someone’s screen saver file as a building block.

I just got the same thing yesterday (from someone on one of the NetBSD mailing lists) and I have the same setup as you.
I wouldn’t worry about catching it. The virus is in a Windows Screen Saver file so there’s no way it could infect you.
As for why it ends up in weird places (for me it was in the Trash), I haven’t a clue.

SoundMachine is an older sound player (wav, au, etc) for the Mac.

Damn. I thought the removal of a good MS-DOS emulation meant the death of the MS-DOS codebase.

And need I say that I agree with you?

:smiley:

A Badtrans message is specially constructed so that it is supposed to run without user intervention on a Windows computer.

It uses an IFRAME tag in the HTML part of the message, which tells Internet Explorer to view the attachment. Normally there is supposed to be a warning before opening an executable file, but the MIME type on the attachment is set to “Content-Type: audio/x-wav;”. This fools Internet Explorer into thinking the attachment is a safe audio file, and the file is opened without user intervention.

Your Eudora is obviously seeing the spoofed Content-Type, and is setting the type and creator to the correct values for WAVE files.

Oh, and there’s nothing screen-saver specific about Badtrans.b; it can also send itself out as a .EXE or .PIF file. And there’s no WAV file inside either.
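Added example, not part of any post in this thread: a mail-filter style check for the message shape described above, flagging an HTML part that contains an IFRAME and an attachment whose declared Content-Type is harmless media while its filename ends in .scr, .exe or .pif. The sample message is constructed with an inert payload, and the function names and finding labels are hypothetical.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Extensions named in this thread that Windows runs directly.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif"}
# Declared major types a mail client would treat as harmless content.
BENIGN_MAJOR_TYPES = {"audio", "image", "video", "text"}

def audit_message(msg):
    """Return findings (hypothetical labels) for one parsed e-mail message."""
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_payload(decode=True).decode("latin-1", "replace")
            if re.search(r"<\s*iframe\b", html, re.I):
                findings.append("html-iframe")
        name = part.get_filename()
        if not name:
            continue
        pieces = name.lower().rsplit(".", 2)
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE_EXTS:
            # Declared type says "media", filename says "program".
            if part.get_content_maintype() in BENIGN_MAJOR_TYPES:
                findings.append(f"type-mismatch:{name}:{ctype}")
            # A decoy extension in front of the real one (.MP3.scr).
            if len(pieces) == 3:
                findings.append(f"double-extension:{name}")
    return findings

def build_sample():
    """Constructed sample with the shape described above; payload is inert."""
    msg = EmailMessage()
    msg["Subject"] = "Re:"
    msg.set_content('<html><body><iframe src="PLACEHOLDER"></iframe></body></html>',
                    subtype="html")
    msg.add_attachment(b"inert placeholder bytes", maintype="audio",
                       subtype="x-wav", filename="Me_nude.MP3.scr")
    # Round-trip through text so the audit sees it as a received message.
    return message_from_string(msg.as_string())

if __name__ == "__main__":
    print(audit_message(build_sample()))
```

The check depends only on the message headers and filename, so it gives the same result on any platform, including a Mac mail gateway.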

It is times like this that Mac/Eudora users get to laugh at Windows/OE users. The Mac is immune to this virus. This is not a computer virus, it is a PC-specific Microsoft Outlook Express virus. There is no vector on the Mac that this virus can use to infect a Mac (unless you download it in Virtual PC).

Badtrans must be going around recently. I was downloading a file, and luckily, I have Norton AV, which caught the virus in the file immediately, even before the file finished downloading. It was badtrans, but never got a chance to activate.