
Worm_badtrans.b

Discussion in 'Virus & Other Malware Removal' started by SavvyLady, Nov 26, 2001.

Thread Status:
Not open for further replies.
  1. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    INFO from www.antirivus.com


    WORM_BADTRANS.B
    Risk rating:
    Virus type: Worm
    Destructive: No

    Aliases:
    W32/Badtrans-B, BADTRANS.B, W32/[email protected], [email protected]

    Description:
    This memory-resident Internet worm is a variant of WORM_BADTRANS.A. It propagates via MAPI32, has a Key Logger component, and arrives with randomly selected double-extension filenames.

    It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients (Microsoft Outlook and Microsoft Outlook Express) to automatically execute the file attachment. This is also known as Automatic Execution of Embedded MIME type.

    Solution:


    Delete the %System%\CP_25389.NLS file.
    Click Start>Run, type Regedit then hit the Enter key.
    Double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunOnce
    In the right panel, look for following registry value:
    kernel32
    Click the registry value and then Delete it.
    Restart your system.
    Scan your system with Trend Micro antivirus and delete all files detected as WORM_BADTRANS.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
    Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

    In the wild: No
    Payload 1: Others (executes a key logger program)
    Trigger condition 1: Upon execution
    Payload 2: Others (compromises network security)
    Trigger condition 2: Upon execution
    Payload 3: Others (steals passwords)
    Trigger condition 3: Upon execution
    Discovered: November 24, 2001
    Detection available: November 24, 2001
    Detected by pattern file#: 170 or 970
    (note about pattern numbering)
    Detected by scan engine#: 5.200
    Language:
    English
    Platform: Windows
    Encrypted: No
    Size of virus: 29,020 Bytes

    Details:
    Infection:
    Upon execution, this worm copies itself to a KERNEL32.EXE file in the Windows System directory. It then checks the process list for the presence of KERNEL32.EXE. It deletes all instances of the KERNEL32.EXE process in memory and then creates a new worm process and a new copy of KERNEL32.EXE.

    Thereafter, it registers itself as a system service that is not visible in the task list on Windows 9x systems. It then retrieves the RAS account information, the user name, and the computer name of the infected system. To gather more information about the target system, it installs a keylogger on the local machine as KDLL.DLL. This DLL exports the following four (4) functions:

    “GetData”
    “KeyLogOn”
    “KeyLogOff”
    “KeyLogOpt”
    It records all keystrokes, the date, time, user name, and the application name where a keystroke was typed, in encrypted form, to a CP_25389.NLS file. It then connects to an SMTP server to send the information via email to a specific email address. The information in the email may contain sensitive information such as documents and passwords.

    A sample of a keylogger entry is as follows:

    Sun, 25 Nov 2001 06:39:49, Computer: "INFECTPC" User: "Infect PC"

    Title: "Run", 06:41:04
    cmd.exe

    Title: "Untitled - Notepad", 06:41:13
    Testing keylogging in notepad.

    Trend Micro antivirus detects the KDLL.DLL file as WORM_BADTRANS.B.
    To execute itself on the next Windows startup, it creates the following registry entry that executes the KERNEL32.EXE file upon Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe"

    To cover its traces, the worm deletes the source worm executable and leaves the copy located in the Windows System directory.
    Mail Distribution Routine:
    The worm distributes its copy in several ways. It replies to incoming messages and sends emails with itself to the email address found in the “*.HT ” and “.ASP” files. To do this, the worm searches for the files located in the directory specified in the following registry entries:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal (usually contains c:\My Documents)

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory (contains temporary Internet files)

    Email Details:
    The mail contains no message and the headers may contain the following bogus information:
    From: (this is randomly selected from the following list)
    " Anna" <[email protected]>
    "JUDY" <[email protected]>
    "Rita Tulliani" <[email protected]>
    "Tina" <[email protected]>
    "Kelly Andersen" <[email protected]>
    " Andy" <[email protected]>
    "Linda" <[email protected]>
    "Mon S" <[email protected]>
    "Joanna" <[email protected]>
    "JESSICA BENAVIDES" <[email protected]>
    " Administrator" <[email protected]>
    " Admin" <[email protected]>
    "Support" <[email protected]>
    "Monika Prado" <[email protected]>
    "Mary L. Adams" <[email protected]>
    Subject: (this is randomly selected from the following list)
    "info"
    "docs"
    "Humor"
    "fun"
    Attachment: (This is divided into 3 parts, basename, first extension, and the second extension.)

    Basename:
    "Pics"
    "images"
    "README"
    "New_Napster_Site"
    "news_doc"
    "HAMSTER"
    "YOU_are_FAT!"
    "stuff"
    "SETUP"
    "Card"
    "Me_nude"
    "Sorry_about_yesterday"

    First Extension:
    ".DOC."
    ".ZIP."
    ".MP3."

    Second Extension:
    "scr"
    "pif"

    The worm uses the default account and the default SMTP server of the local machine. This information can be found in the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0000000
    SMTP Email Address
    SMTP Server

    Another distribution method of this worm is that it replies to unread emails. The Subject field in worm messages is the same as the Subject of the original message prepended with "Re:."


    Description created: November 24, 2001
    Description updated: 23 hours 33 minutes ago
    (November 25, 2001 6:25:14 PM GMT -0800)
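Added example, not part of the original post or of the Trend Micro write-up it quotes: a small Python triage function that applies the mail-side indicators listed above (the basename + decoy extension + .scr/.pif attachment name, the four subjects, and the empty "Re:" reply to unread mail) to constructed sample messages, as a mail gateway or mail-log review would. The double-extension check is written generally, so any name that pretends to be .DOC/.ZIP/.MP3 but ends in .scr or .pif is blocked, not only the listed basenames; the sample messages are constructed, not captured traffic.

```python
import re

# Indicator lists quoted from the write-up above, compared case-insensitively.
BADTRANS_BASENAMES = {"pics", "images", "readme", "new_napster_site", "news_doc", "hamster",
                      "you_are_fat!", "stuff", "setup", "card", "me_nude", "sorry_about_yesterday"}
BADTRANS_SUBJECTS = {"info", "docs", "humor", "fun"}
DECOY_EXTENSIONS = {"doc", "zip", "mp3"}   # what the name pretends to be
EXECUTABLE_EXTENSIONS = {"scr", "pif"}     # what Windows actually runs
# basename.decoy.real, e.g. "Card.DOC.pif"; only the last two extensions matter
DOUBLE_EXTENSION = re.compile(r"^(?P<base>.+)\.(?P<decoy>[A-Za-z0-9]+)\.(?P<real>[A-Za-z0-9]+)$")

def attachment_findings(filename):
    """Reasons an attachment name matches the Badtrans.B double-extension trick."""
    match = DOUBLE_EXTENSION.match(filename.strip())
    if not match:
        return []
    base, decoy, real = (s.lower() for s in match.group("base", "decoy", "real"))
    findings = []
    if real in EXECUTABLE_EXTENSIONS and decoy in DECOY_EXTENSIONS:
        findings.append(f"double extension: shown as .{decoy}, executes as .{real}")
    if real in EXECUTABLE_EXTENSIONS and base in BADTRANS_BASENAMES:
        findings.append(f"basename '{base}' is on the Badtrans.B list")
    return findings

def score_message(subject, body, attachment):
    """Classify one inbound message as 'block', 'review' or 'pass', with reasons."""
    reasons = attachment_findings(attachment) if attachment else []
    subj = subject.strip().lower()
    if subj in BADTRANS_SUBJECTS:
        reasons.append("subject is one of the four Badtrans.B subjects")
    # Second propagation path in the write-up: a 'Re:' reply to unread mail with an empty body.
    if subj.startswith("re:") and not body.strip() and attachment:
        reasons.append("empty 'Re:' reply carrying only an attachment")
    if any(r.startswith("double extension") for r in reasons):
        return "block", reasons
    return ("review" if reasons else "pass"), reasons

# Constructed sample traffic, not captured mail: (subject, body, attachment name).
SAMPLE_MESSAGES = [
    ("fun", "", "HAMSTER.MP3.pif"),
    ("Re: meeting notes", "", "New_Napster_Site.DOC.scr"),
    ("Q3 report", "Attached as discussed.", "report.2001.doc"),
    ("docs", "see attached", "readme.txt"),
]

def triage(messages=SAMPLE_MESSAGES):
    """Verdict per message, in input order."""
    return [score_message(subject, body, attachment)[0] for subject, body, attachment in messages]
```

Calling triage() on the constructed sample returns block, block, pass, review: the two worm-shaped messages are stopped by the extension check alone, while a genuine document with a dot in its name passes and a mail that only shares a subject with the worm is merely flagged for review.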
     
  2. ecoscollege

    ecoscollege

    Joined:
    Nov 26, 2001
    Messages:
    4
    Thank you for the information. This the first time a worm has hit me. I will follow the instructions to get it out of my machine.
     
  3. ecoscollege

    ecoscollege

    Joined:
    Nov 26, 2001
    Messages:
    4
    Virus Scan found two infected files: C:\WINDOWS\SYSTEM\kernel32.exe C:\WINDOWS\SYSTEM\kdll.dll
    Both of these files were being used by the Windows system so they could not be deleted from within Windows. I shut down and reopened in DOS, went to dir system and del (the files). Shut down and reopened in windows and a rerun of the virus scan says all is well.

    Thanks for your help.
     
  4. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    you're very welcome

    Savvy :)
     
  5. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    This one is sure hitting hard & fast
     
  6. ecoscollege

    ecoscollege

    Joined:
    Nov 26, 2001
    Messages:
    4
    Apparently you do not have to open the attachment for it to infect your computer - just leave it unread for a while and it jumps in.
     
  7. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    Yep... that's what it says & doesn't need to be an attachment either.
    This is a nasty one & I just got it...
    an e-mail came & a notepad message opened automatically... said this: This file: "Unknown06c4.data" was infected with the: "[email protected]" virus.

    The file was quarantined by Norton AntiVirus. Wednesday, November 28, 2001 16:36



    Savvy :)
     
  8. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Savvy
    Question about this new virus. You said you were infected by it since Norton quarantined the file. Was it able to get by Norton's initial defense using e-mail protect or is that where it was caught?
    Dave
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I came across this paper describing how to remove Badtrans files.

    I suspect it will come in handy here and there:

    For WINDOWS 95/98/ME:

    Restart Windows in Safe Mode (reboot your computer, as soon as you see the text Starting Windows at the bottom of the screen, hit the F5 key).

    Find the following files, if present, and delete them:
    In your Windows folder: INETD.EXE

    In your Windows\System folder:
    KERN32.EXE
    KERNEL32.EXE
    KDLL.DLL
    HKSDLL.DLL

    Now go to Start/Run, and type Regedit.
    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Click 'RunOnce' once, in order to highlight it.
    Now find the value 'Kernel32=kernel32.exe' in the right pane, highlight, and hit 'delete'.

    Good luck,
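Added example, not from the thread or from the paper it cites: a Python check that applies the file and RunOnce indicators from the steps above to a machine's state, for verifying a cleanup. On Windows it reads the live RunOnce key with winreg and lists %SystemRoot% and %SystemRoot%\System (the Windows 9x layout the thread assumes); the pure badtrans_findings function can also be fed a listing and a value dict by hand, as the constructed sample below does. It deliberately does not flag KERNEL32.DLL, which is the genuine Windows library, only the KERNEL32.EXE impostor.

```python
import os
import sys

# Files named in the removal steps above (lower-cased). KERNEL32.DLL is the real
# Windows library and is deliberately absent: only the .EXE impostor is a worm file.
WORM_FILES_SYSTEM = {"kern32.exe", "kernel32.exe", "kdll.dll", "hksdll.dll", "cp_25389.nls"}
WORM_FILES_WINDOWS = {"inetd.exe"}
RUNONCE_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

def badtrans_findings(windows_files, system_files, runonce_values):
    """Pure check: two directory listings and a {value_name: data} dict in, findings out."""
    findings = []
    for name in sorted(WORM_FILES_WINDOWS & {f.lower() for f in windows_files}):
        findings.append(f"file %Windows%\\{name}")
    for name in sorted(WORM_FILES_SYSTEM & {f.lower() for f in system_files}):
        findings.append(f"file %System%\\{name}")
    for value, data in runonce_values.items():
        if value.lower() == "kernel32" and "kernel32.exe" in str(data).lower():
            findings.append(f"registry HKLM\\{RUNONCE_PATH}\\{value} = {data!r}")
    return findings

def collect_and_check():
    """Read the live RunOnce key and directories on Windows; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")
    system_dir = os.path.join(windows_dir, "System")  # Windows 9x layout, as in the thread
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_PATH) as key:
            index = 0
            while True:
                name, data, _ = winreg.EnumValue(key, index)
                values[name] = data
                index += 1
    except OSError:
        pass  # key absent, or EnumValue ran past the last value: either way we are done
    listing = lambda d: os.listdir(d) if os.path.isdir(d) else []
    return badtrans_findings(listing(windows_dir), listing(system_dir), values)

# Constructed listing of an infected Windows 98 box, not taken from a real machine.
SAMPLE_WINDOWS = ["WIN.COM", "NOTEPAD.EXE", "INETD.EXE"]
SAMPLE_SYSTEM = ["KERNEL32.DLL", "kernel32.exe", "kdll.dll", "USER32.DLL", "CP_25389.NLS"]
SAMPLE_RUNONCE = {"kernel32": "kernel32.exe"}

if __name__ == "__main__":
    for finding in badtrans_findings(SAMPLE_WINDOWS, SAMPLE_SYSTEM, SAMPLE_RUNONCE):
        print("FOUND:", finding)
```

An empty list from badtrans_findings after the reboot is the result Tony's steps aim for; a RunOnce value that is still present after deletion usually means the worm process was still running and recreated it, which is why the steps start in Safe Mode.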
     
  10. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    Davey... I do not understand Norton's or how to use it. I guess I winged it ok though as it was quarantined & I tried to clean it to send on... & it was not cleanable. However it did not infect my system as it was caught that quick!! I ran a new scan & I did delete it in Norton's.
    However ... H_Key directions didn't find the path I was instructed to go to...by my post above & Tony's. ?????

    I got as far as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows & there was no next step as CurrentVersion was not there.


    Savvy:(

    Think I'm going to housecalls & double check...scanning there will not take too long
     
  11. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    I'm back... I'm ok... no worm or virus or trojan... Housecall & Norton both say so.

    I'm a happy camper now.

    :) Savvy :)
     
  12. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi Savvy,

    There always is, I can assure you, or you wouldn't be here... ;)

    Just click on the + signs and you're bound to end up finding it.

    I think you skipped one step, and went to HKEY_LOCAL_MACHINE\SOFTWARE\Windows, instead of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.

    Good luck,
     
  13. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    Thank you.... you're absolutely right. I did skip Microsoft & I found my way this time.... Run Once had [ab] default value not set


    what does that mean?


    Savvy
     
  14. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi Savvy,

    If there's nothing there except 'default - value not set', that means you have no entry in your RunOnce key, which in turn means that you don't have the BadTrans entry there either.

    So good news there! :)

    Cheers,
     
  15. SavvyLady

    SavvyLady Thread Starter

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    well at last good news..lol

    Thanks again Tony
     
Short URL to this thread: https://techguy.org/59756