Worm_badtrans.b

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

SavvyLady

Thread Starter
Joined
Oct 14, 2001
Messages
2,218
INFO from www.antirivus.com


WORM_BADTRANS.B
Risk rating:
Virus type: Worm
Destructive: No

Aliases:
W32/Badtrans-B, BADTRANS.B, W32/Badtrans@MM, W32.Badtrans.B@mm

Description:
This memory-resident Internet worm is a variant of WORM_BADTRANS.A. It propagates via MAPI32, has a Key Logger component, and arrives with randomly selected double-extension filenames.

It does not require the recipient to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients (Microsoft Outlook and Microsoft Outlook Express) to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.

Solution:


Delete the %System%\CP_25389.NLS file.
Click Start>Run, type Regedit then hit the Enter key.
Double click the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
In the right panel, look for following registry value:
kernel32
Click the registry value and then Delete it.
Restart your system.
Scan your system with Trend Micro antivirus and delete all files detected as WORM_BADTRANS.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

In the wild: No
Payload 1: Others (executes a key logger program)
Trigger condition 1: Upon execution
Payload 2: Others (compromises network security)
Trigger condition 2: Upon execution
Payload 3: Others (steals passwords)
Trigger condition 3: Upon execution
Discovered: November 24, 2001
Detection available: November 24, 2001
Detected by pattern file#: 170 or 970
(note about pattern numbering)
Detected by scan engine#: 5.200
Language:
English
Platform: Windows
Encrypted: No
Size of virus: 29,020 Bytes

Details:
Infection:
Upon execution, this worm copies itself to a KERNEL32.EXE file in the Windows System directory. It then checks the process list for the presence of KERNEL32.EXE. It deletes all instances of the KERNEL32.EXE process in memory and then creates a new worm process and a new copy of KERNEL32.EXE.

Thereafter, it registers itself as a system service so that it is not visible in the task list on Windows 9x systems. It then retrieves the RAS account information, the user name, and the computer name of the infected system. To gather more information about the target system, it installs a keylogger on the local machine as KDLL.DLL. This keylogger DLL exports the following four (4) functions:

“GetData”
“KeyLogOn”
“KeyLogOff”
“KeyLogOpt”
It records all keystrokes, together with the date, time, user name, and the name of the application the keystrokes were typed in, in encrypted form, to a CP_25389.NLS file. It then connects to an SMTP server to send the information via email to a specific email address. The information in the email may contain sensitive data such as documents and passwords.

A sample of a keylogger entry is as follows:

Sun, 25 Nov 2001 06:39:49, Computer: "INFECTPC" User: "Infect PC"

Title: "Run", 06:41:04
cmd.exe

Title: "Untitled - Notepad", 06:41:13
Testing keylogging in notepad.

Trend Micro antivirus detects the KDLL.DLL file as WORM_BADTRANS.B.
To run again on the next Windows startup, it creates the following registry entry, which executes the KERNEL32.EXE file:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe"

To cover its traces, the worm deletes the source worm executable and leaves the copy located in the Windows System directory.
Mail Distribution Routine:
The worm distributes its copy in several ways. It replies to incoming messages and sends emails with itself to the email address found in the “*.HT ” and “.ASP” files. To do this, the worm searches for the files located in the directory specified in the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal (usually contains c:\My Documents)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory (contains temporary Internet files)

Email Details:
The mail contains no message and the headers may contain the following bogus information:
From: (this is randomly selected from the following list)
" Anna" <[email protected]>
"JUDY" <[email protected]>
"Rita Tulliani" <[email protected]>
"Tina" <tina082[email protected]>
"Kelly Andersen" <[email protected]>
" Andy" <[email protected]>
"Linda" <[email protected]>
"Mon S" <[email protected]>
"Joanna" <[email protected]>
"JESSICA BENAVIDES" <[email protected]>
" Administrator" <[email protected]>
" Admin" <[email protected]>
"Support" <[email protected]>
"Monika Prado" <[email protected]>
"Mary L. Adams" <[email protected]>
Subject: (this is randomly selected from the following list)
"info"
"docs"
"Humor"
"fun"
Attachment: (This is divided into 3 parts, basename, first extension, and the second extension.)

Basename:
"Pics"
"images"
"README"
"New_Napster_Site"
"news_doc"
"HAMSTER"
"YOU_are_FAT!"
"stuff"
"SETUP"
"Card"
"Me_nude"
"Sorry_about_yesterday"

First Extension:
".DOC."
".ZIP."
".MP3."

Second Extension:
"scr"
"pif"

The worm uses the default account and the default SMTP server of the local machine. This information can be found in the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0000000
SMTP Email Address
SMTP Server

Another distribution method of this worm is that it replies to unread emails. The Subject field in worm messages is the same as the Subject of the original message prepended with "Re:."


Description created: November 24, 2001
Description updated: November 25, 2001 6:25:14 PM GMT -0800
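The delivery pattern in the description above (fixed bait subjects, a basename plus ".DOC."/".ZIP."/".MP3." plus "scr"/"pif", and an attachment the vulnerable IE-based clients run without a click) can be checked on the mail gateway. The following is an added example for this thread, not code from the original post or from Trend Micro: it parses a message with Python's standard email library and flags attachments by three rules, the worm's exact naming scheme, any double extension ending in an executable, and an executable filename carried under a non-application/* Content-Type (the declared-type/extension mismatch the auto-execution bug relies on; treating every non-application type as suspicious is this example's generalization). The sample messages and every address in them are constructed, and the executable-extension list beyond .scr/.pif is an assumption.

```python
"""Flag mail attachments matching the WORM_BADTRANS.B delivery pattern.
Added example for this thread, not code from the original post or from
Trend Micro. The sample messages and all addresses in them are constructed.
"""
import email
from email import policy

# Attachment name pieces exactly as listed in the Trend Micro description.
BASENAMES = {"Pics", "images", "README", "New_Napster_Site", "news_doc",
             "HAMSTER", "YOU_are_FAT!", "stuff", "SETUP", "Card",
             "Me_nude", "Sorry_about_yesterday"}
FIRST_EXT = {"doc", "zip", "mp3"}
SECOND_EXT = {"scr", "pif"}
SUBJECTS = {"info", "docs", "humor", "fun"}

# Extensions Windows runs as a program whatever the MIME type says.
# Everything beyond .scr/.pif is this example's assumption, not the page's.
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def classify_attachment(filename, content_type):
    """Return the reasons an attachment looks like BadTrans.B ([] if clean).
    1. the exact basename.DOC/ZIP/MP3.scr/pif scheme the worm uses;
    2. any double extension whose final part is executable;
    3. an executable filename under a non-application/* type, which is
       the mismatch a vulnerable IE-based client executes automatically.
    """
    parts = filename.strip().split(".")
    last = parts[-1].lower() if len(parts) > 1 else ""
    reasons = []
    if len(parts) >= 3:
        base, first = ".".join(parts[:-2]), parts[-2].lower()
        if base in BASENAMES and first in FIRST_EXT and last in SECOND_EXT:
            reasons.append("badtrans-b filename")
        if last in EXECUTABLE_EXT and first not in EXECUTABLE_EXT:
            reasons.append("double extension hides executable")
    if last in EXECUTABLE_EXT and not content_type.lower().startswith("application/"):
        reasons.append("executable attached as " + content_type.lower())
    return reasons


def is_bait_subject(subject):
    """True for the four fixed subjects. 'Re:' replies are not checked,
    because there the worm reuses the victim's own subject line."""
    return subject.strip().lower() in SUBJECTS


def scan_message(raw):
    """Parse one RFC 822 message (bytes) and report BadTrans.B indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject_bait": is_bait_subject(str(msg.get("Subject", ""))),
              "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # from Content-Disposition or Content-Type
        if not name:
            continue
        reasons = classify_attachment(name, part.get_content_type())
        if reasons:
            report["attachments"].append((name.strip(), reasons))
    return report


# Constructed sample in the shape the description gives: empty body, bait
# subject, double-extension attachment labelled as audio.
SAMPLE_WORM = b"""\
From: "Mary L. Adams" <sender@example.invalid>
To: victim@example.invalid
Subject: docs
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body></body></html>
--b1
Content-Type: audio/x-wav; name="Pics.DOC.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Pics.DOC.scr"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample of an ordinary mail with a document attached.
SAMPLE_CLEAN = b"""\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Attached as discussed.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

Rule 1 is the signature for this worm; rules 2 and 3 are what remain useful afterwards, since the next variant only has to pick new basenames.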
 
Joined
Nov 26, 2001
Messages
4
Thank you for the information. This the first time a worm has hit me. I will follow the instructions to get it out of my machine.
 
Joined
Nov 26, 2001
Messages
4
Virus Scan found two infected files: C:\WINDOWS\SYSTEM\kernel32.exe and C:\WINDOWS\SYSTEM\kdll.dll
Both of these files were being used by Windows, so they could not be deleted from within Windows. I shut down and restarted in DOS, went to the system dir and deleted the files. Shut down and restarted in Windows, and a rerun of the virus scan says all is well.

Thanks for your help.
 
Joined
Nov 26, 2001
Messages
4
Apparently you do not have to open the attachment for it to infect your computer - just leave it unread for a while and it jumps in.
 

SavvyLady

Thread Starter
Joined
Oct 14, 2001
Messages
2,218
Yep... that's what it says, & it doesn't need to be an attachment either.
This is a nasty one & I just got it...
An e-mail came & a Notepad message opened automatically... it said this: This file: "Unknown06c4.data" was infected with the: "W32.Badtrans.B@mm" virus.

The file was quarantined by Norton AntiVirus. Wednesday, November 28, 2001 16:36



Savvy :)
 
Joined
Feb 28, 2001
Messages
11,584
Savvy
Question about this new virus. You said you were infected by it since Norton quarantined the file. Was it able to get by Norton's initial defense using e-mail protect, or is that where it was caught?
Dave
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
I came across this paper describing how to remove Badtrans files.

I suspect it will come in handy here and there:

For WINDOWS 95/98/ME:

Restart Windows in Safe Mode (reboot your computer, as soon as you see the text Starting Windows at the bottom of the screen, hit the F5 key).

Find the following files, if present, and delete them:
In your Windows folder: INETD.EXE

In your Windows\System folder:
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL

Now go to Start/Run, and type Regedit.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Click 'RunOnce' once, in order to highlight it.
Now find the value 'Kernel32=kernel32.exe' in the right pane, highlight, and hit 'delete'.

Good luck,
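Both removal procedures in this thread, Trend Micro's above and this one, come down to the same indicators: the kernel32 value under RunOnce and a handful of dropped files in the Windows and Windows\System folders. The following is an added example, not code from the thread or from either vendor: a Python triage script that parses a regedit export (REGEDIT4 or "Windows Registry Editor Version 5.00" format) and a file listing, reports those indicators, and writes a .reg fragment that deletes the RunOnce value when imported ('"name"=-' is regedit's delete-value syntax). The export text and directory listing are constructed, the script never touches a live registry, and the real KERNEL32.DLL is included in the listing to show it is not flagged.

```python
"""Triage the BadTrans.B indicators named in this thread from a registry
export and a file listing. Added example, not code from the thread; it does
not touch a live registry or delete anything. The inputs are constructed.
"""
import re

RUNONCE_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runonce"
RUNONCE_VALUE = "kernel32"

# Files named by the two removal procedures in this thread (Trend Micro's
# and TonyKlein's), relative to the Windows directory, lower-cased.
DROPPED_FILES = {
    "inetd.exe",
    r"system\kern32.exe",
    r"system\kernel32.exe",   # kernel32.DLL is the real Windows file; .EXE is the worm
    r"system\kdll.dll",
    r"system\hksdll.dll",
    r"system\cp_25389.nls",
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"(.*?)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key (lower-cased): {value name (lower-cased, '' = default): data}}.
    Quoted string data is unescaped; other types (hex:, dword:) are kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][(m.group(1) or "").lower()] = data
    return keys


def find_artifacts(reg_text, file_paths, windows_dir=r"C:\WINDOWS"):
    """Return the RunOnce persistence value and any dropped files present."""
    hits = {"runonce": [], "files": []}
    for name, data in parse_reg_export(reg_text).get(RUNONCE_KEY, {}).items():
        if name == RUNONCE_VALUE or data.lower().endswith("kernel32.exe"):
            hits["runonce"].append((name, data))
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    for path in file_paths:
        low = path.lower()
        if low.startswith(prefix) and low[len(prefix):] in DROPPED_FILES:
            hits["files"].append(path)
    return hits


def build_cleanup_reg(hits):
    """Return a .reg fragment that removes the RunOnce value on import
    ('"name"=-' deletes a value). The files still have to be deleted from
    DOS or Safe Mode, as the posts above describe, since the worm keeps them open."""
    lines = ["REGEDIT4", "",
             r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]"]
    lines += ['"%s"=-' % name for name, _ in hits["runonce"]]
    return "\n".join(lines) + "\n"


# Constructed export in REGEDIT4 form (what Windows 9x regedit writes).
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32"="kernel32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"""

# Constructed directory listing; only the worm's own files should be flagged.
FILE_LISTING = [
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
    r"C:\WINDOWS\SYSTEM\kernel32.exe",
    r"C:\WINDOWS\SYSTEM\kdll.dll",
    r"C:\WINDOWS\SYSTEM\CP_25389.NLS",
    r"C:\WINDOWS\NOTEPAD.EXE",
]

if __name__ == "__main__":
    found = find_artifacts(REG_EXPORT, FILE_LISTING)
    print(found)
    print(build_cleanup_reg(found))
```

On a real machine the inputs come from `regedit /e export.reg` and a recursive `dir` of the Windows folder, run from a clean boot; matching on the full file name with its extension is what keeps the legitimate kernel32.dll out of the report.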
 

SavvyLady

Thread Starter
Joined
Oct 14, 2001
Messages
2,218
Davey... I do not understand Norton's or how to use it. I guess I winged it ok though, as it was quarantined & I tried to clean it to send on... & it was not cleanable. However it did not infect my system as it was caught that quick!! I ran a new scan & I did delete it in Norton's.
However ... the H_Key directions didn't find the path I was instructed to go to... by my post above & Tony's. ?????

Now go to Start/Run, and type Regedit. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Click 'RunOnce' once, in order to highlight it.
Now find the value 'Kernel32=kernel32.exe' in the right pane, highlight, and hit 'delete'.
I got as far as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows & there was no next step as CurrentVersion was not there.


Savvy:(

Think I'm going to HouseCall & double check... scanning there will not take too long
 

SavvyLady

Thread Starter
Joined
Oct 14, 2001
Messages
2,218
I'm back... I'm ok... no worm or virus or trojan... HouseCall & Norton both say so.

I'm a happy camper now.

:) Savvy :)
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392

I got as far as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows & there was no next step as CurrentVersion was not there.


Hi Savvy,

There always is, I can assure you, or you wouldn't be here... ;)

Just click on the + signs and you're bound to end up finding it.

I think you skipped one step, and went to HKEY_LOCAL_MACHINE\SOFTWARE\Windows, instead of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.

Good luck,
 

SavvyLady

Thread Starter
Joined
Oct 14, 2001
Messages
2,218
Thank you.... you're absolutely right. I did skip Microsoft & I found my way this time.... RunOnce had [ab] (Default) - value not set


what does that mean?


Savvy
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Hi Savvy,

If there's nothing there except 'default - value not set', that means you have no entry in your RunOnce key, which in turn means that you don't have the BadTrans entry there either.

So good news there! :)

Cheers,
 