SavvyLady (Thread Starter, joined Oct 14, 2001, 2,218 messages)
INFO from www.antirivus.com
WORM_BADTRANS.B
Risk rating:
Virus type: Worm
Destructive: No
Aliases:
W32/Badtrans-B, BADTRANS.B, W32/Badtrans@MM, W32.Badtrans.B@mm
Description:
This memory-resident Internet worm is a variant of WORM_BADTRANS.A. It propagates via MAPI32, has a Key Logger component, and arrives with randomly selected double-extension filenames.
It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients (Microsoft Outlook and Microsoft Outlook Express) to automatically execute the file attachment. This is also known as Automatic Execution of Embedded MIME type.
Solution:
Delete the %System%\CP_25389.NLS file.
Click Start > Run, type Regedit, then press Enter.
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
In the right pane, look for the following registry value:
kernel32
Select the value and delete it.
Restart your system.
Scan your system with Trend Micro antivirus and delete all files detected as WORM_BADTRANS.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.
In the wild: No
Payload 1: Others (executes a key logger program)
Trigger condition 1: Upon execution
Payload 2: Others (compromises network security)
Trigger condition 2: Upon execution
Payload 3: Others (steals passwords)
Trigger condition 3: Upon execution
Discovered: November 24, 2001
Detection available: November 24, 2001
Detected by pattern file#: 170 or 970
(note about pattern numbering)
Detected by scan engine#: 5.200
Language:
English
Platform: Windows
Encrypted: No
Size of virus: 29,020 Bytes
Details:
Infection:
Upon execution, this worm copies itself to a KERNEL32.EXE file in the Windows System directory (a separate file from the legitimate KERNEL32.DLL that lives in the same directory). It then checks the process list for the presence of KERNEL32.EXE. It terminates all instances of the KERNEL32.EXE process in memory and then starts a new worm process and writes a fresh copy of KERNEL32.EXE.
Thereafter, it registers itself as a system service so that it does not appear in the task list on Windows 9x systems. It then retrieves the RAS account information, the user name, and the computer name of the infected system. To gather more information about the target system, it installs a keylogger on the local machine as KDLL.DLL. This DLL exports the following four (4) functions:
GetData
KeyLogOn
KeyLogOff
KeyLogOpt
It records all keystrokes, together with the date, time, user name, and the title of the application window in which each keystroke was typed, in encrypted form to a CP_25389.NLS file. It then connects to an SMTP server and emails that data to a specific address. The captured keystrokes may include sensitive information such as document contents and passwords.
A sample of a keylogger entry is as follows:
Sun, 25 Nov 2001 06:39:49, Computer: "INFECTPC" User: "Infect PC"
Title: "Run", 06:41:04
cmd.exe
Title: "Untitled - Notepad", 06:41:13
Testing keylogging in notepad.
Trend Micro antivirus detects the KDLL.DLL file as WORM_BADTRANS.B.
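The sample above is the decrypted layout of a CP_25389.NLS record: a session header with computer and user name, then one "Title:" line per window that received focus, followed by the keystrokes typed into it. The following parser, an added example and not code from the advisory or from the worm, turns that layout into structured records so an analyst can see which windows (and therefore which applications) the keystrokes went to. It works on the plaintext form shown on the page; the advisory does not describe the on-disk encryption, so decrypting the file is not attempted here. The sample log embedded in the block is the advisory's own example, and the list of "interesting" title words in windows_of_interest is an assumption for triage, not something the worm uses.

```python
"""Parser for decrypted WORM_BADTRANS.B keylog records (CP_25389.NLS layout).

Added example, not part of the original advisory. Handles the plaintext layout of
the sample entry; the on-disk encryption is not described on the page and is not
handled here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Session header: "<date>, Computer: "<name>" User: "<user>""
SESSION_RE = re.compile(
    r'^(?P<when>.+?), Computer: "(?P<computer>[^"]*)" User: "(?P<user>[^"]*)"$'
)
# Window focus line: "Title: "<window title>", HH:MM:SS"
TITLE_RE = re.compile(r'^Title: "(?P<title>.*)", (?P<time>\d{2}:\d{2}:\d{2})$')


@dataclass
class WindowCapture:
    title: str                 # window the keystrokes went to
    time: str                  # HH:MM:SS when that window got focus
    keys: list[str] = field(default_factory=list)   # raw keystroke lines


@dataclass
class Session:
    started: str
    computer: str
    user: str
    windows: list[WindowCapture] = field(default_factory=list)


def parse_keylog(text: str) -> list[Session]:
    """Split the log into sessions (one per header line) and per-window keystroke runs."""
    sessions: list[Session] = []
    current: WindowCapture | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := SESSION_RE.match(line):
            sessions.append(Session(m["when"], m["computer"], m["user"]))
            current = None
        elif m := TITLE_RE.match(line):
            if not sessions:
                raise ValueError("window title before any session header")
            current = WindowCapture(m["title"], m["time"])
            sessions[-1].windows.append(current)
        elif current is not None:
            current.keys.append(line)
        else:
            raise ValueError(f"keystroke line outside any window: {line!r}")
    return sessions


def windows_of_interest(
    sessions: list[Session],
    patterns: tuple[str, ...] = ("password", "login", "logon", "sign in", "run"),
) -> list[WindowCapture]:
    """Windows whose titles suggest credential or command entry (assumed triage list)."""
    return [
        w for s in sessions for w in s.windows
        if any(p in w.title.lower() for p in patterns)
    ]


# The advisory's sample entry, used here as constructed input.
SAMPLE_LOG = '''Sun, 25 Nov 2001 06:39:49, Computer: "INFECTPC" User: "Infect PC"
Title: "Run", 06:41:04
cmd.exe
Title: "Untitled - Notepad", 06:41:13
Testing keylogging in notepad.
'''

if __name__ == "__main__":
    for s in parse_keylog(SAMPLE_LOG):
        print(f"{s.computer}/{s.user} @ {s.started}")
        for w in s.windows:
            print(f"  [{w.time}] {w.title}: {' '.join(w.keys)}")
```

Keystroke lines are kept verbatim per window rather than merged, because the question during triage is usually "what was typed into the Run box or a logon dialog", not the full stream.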
To execute itself on the next Windows startup, it creates the following registry entry that executes the KERNEL32.EXE file upon Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32 = kernel32.exe
To cover its traces, the worm deletes the source worm executable and leaves the copy located in the Windows System directory.
Mail Distribution Routine:
The worm distributes its copy in several ways. It replies to incoming messages and sends emails carrying itself to email addresses found in *.HT and *.ASP files. To do this, the worm searches for those files in the directories named by the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal (usually contains C:\My Documents)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory (contains the Temporary Internet Files folder)
Email Details:
The mail contains no message and the headers may contain the following bogus information:
From: (this is randomly selected from the following list)
" Anna" <aizzo@home.com>
"JUDY" <JUJUB271@AOL.COM>
"Rita Tulliani" <powerpuff@videotron.ca>
"Tina" <tina0828@yahoo.com>
"Kelly Andersen" <Gravity49@aol.com>
" Andy" <andy@hweb-media.com>
"Linda" <lgonzal@hotmail.com>
"Mon S" <spiderroll@hotmail.com>
"Joanna" <joanna@mail.utexas.edu>
"JESSICA BENAVIDES" <jessica@aol.com>
" Administrator" <administrator@border.net>
" Admin" <admin@gte.net>
"Support" <support@cyberramp.net>
"Monika Prado" <monika@telia.com>
"Mary L. Adams" <mary@c-com.net>
Subject: (this is randomly selected from the following list)
"info"
"docs"
"Humor"
"fun"
Attachment: (the filename is built from three parts, a basename, a first extension, and a second extension, so that, for example, "Pics" + ".DOC." + "scr" yields Pics.DOC.scr)
Basename:
"Pics"
"images"
"README"
"New_Napster_Site"
"news_doc"
"HAMSTER"
"YOU_are_FAT!"
"stuff"
"SETUP"
"Card"
"Me_nude"
"Sorry_about_yesterday"
First Extension:
".DOC."
".ZIP."
".MP3."
Second Extension:
"scr"
"pif"
The worm uses the default account and the default SMTP server of the local machine. This information is read from the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0000000
SMTP Email Address
SMTP Server
Another distribution method of this worm is that it replies to unread emails. The Subject of such a worm message is the Subject of the original message prefixed with "Re:".
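The From, Subject and attachment lists above, plus the "Re:" reply behaviour, are enough to write a mail-gateway rule. The block below is an added example, not code from Trend Micro or from the worm: it enumerates every attachment name the worm can produce from its three parts and classifies a message against the spoofed senders, the fixed subjects, the generated names, and the empty "Re:" reply with an executable attached. The message dictionary shape and the three sample messages are constructed for illustration. The DOUBLE_EXT pattern deliberately goes beyond the worm's own three decoy extensions, since the technique the attachment relies on is the double extension itself, not the specific pair.

```python
"""Heuristic classifier for WORM_BADTRANS.B mail, built from the advisory's indicators.

Added example, not part of the original advisory. The message dict layout
(from_addr, subject, attachment, body) and the SAMPLES are constructed for
illustration; the indicator lists are those given in the advisory.
"""
from __future__ import annotations

import re
from itertools import product

# Spoofed sender addresses the worm picks from (advisory list, lower-cased).
BADTRANS_SENDERS = {
    "aizzo@home.com", "jujub271@aol.com", "powerpuff@videotron.ca",
    "tina0828@yahoo.com", "gravity49@aol.com", "andy@hweb-media.com",
    "lgonzal@hotmail.com", "spiderroll@hotmail.com", "joanna@mail.utexas.edu",
    "jessica@aol.com", "administrator@border.net", "admin@gte.net",
    "support@cyberramp.net", "monika@telia.com", "mary@c-com.net",
}
BADTRANS_SUBJECTS = {"info", "docs", "humor", "fun"}
BASENAMES = [
    "Pics", "images", "README", "New_Napster_Site", "news_doc", "HAMSTER",
    "YOU_are_FAT!", "stuff", "SETUP", "Card", "Me_nude", "Sorry_about_yesterday",
]
FIRST_EXT = [".DOC.", ".ZIP.", ".MP3."]
SECOND_EXT = ["scr", "pif"]


def attachment_names() -> set[str]:
    """Every attachment name the worm can build: basename + first ext + second ext."""
    return {b + f + s for b, f, s in product(BASENAMES, FIRST_EXT, SECOND_EXT)}


# Generalisation (assumed, wider than the worm's own lists): a document-looking
# decoy extension followed by an executable one is the trick, whatever the pair.
DOUBLE_EXT = re.compile(
    r"^(?P<base>[^.]+)\.(?P<decoy>doc|zip|mp3|txt|jpg|pdf)\.(?P<exec>scr|pif|exe|com|bat)$",
    re.IGNORECASE,
)


def classify(msg: dict) -> list[str]:
    """Return the Badtrans indicators a message matches (empty list = nothing matched)."""
    hits: list[str] = []
    sender = (msg.get("from_addr") or "").strip().lower()
    subject = (msg.get("subject") or "").strip()
    attachment = (msg.get("attachment") or "").strip()
    body = (msg.get("body") or "").strip()

    if sender in BADTRANS_SENDERS:
        hits.append("spoofed-sender")
    if subject.lower() in BADTRANS_SUBJECTS:
        hits.append("known-subject")
    if attachment in attachment_names():
        hits.append("badtrans-attachment")
    elif DOUBLE_EXT.match(attachment):
        hits.append("double-extension")
    # Reply mode: "Re:" + original subject, no message text, executable attached.
    if subject.lower().startswith("re:") and not body and DOUBLE_EXT.match(attachment):
        hits.append("empty-reply-with-executable")
    return hits


# Constructed sample messages, not captured mail.
SAMPLES = [
    {"from_addr": "JUJUB271@AOL.COM", "subject": "fun",
     "attachment": "HAMSTER.MP3.scr", "body": ""},
    {"from_addr": "colleague@example.com", "subject": "Re: Q4 report",
     "attachment": "Card.ZIP.pif", "body": ""},
    {"from_addr": "colleague@example.com", "subject": "Q4 report",
     "attachment": "report.doc", "body": "See attached."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["attachment"], "->", classify(m) or "clean")
```

The second sample is the case the sender and subject lists miss entirely: the worm replying from a real, trusted correspondent's account with "Re:" and the original subject. Only the attachment name and the empty body give it away, which is why the gateway rule should not rely on the spoofed From list alone.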
Description created: November 24, 2001
Description updated: November 25, 2001 6:25:14 PM GMT -0800