Worm_badtrans.b

INFO from www.antirivus.com


WORM_BADTRANS.B
Risk rating:
Virus type: Worm
Destructive: No

Aliases:
W32/Badtrans-B, BADTRANS.B, W32/[email protected], [email protected]

Description:
This memory-resident Internet worm is a variant of WORM_BADTRANS.A. It propagates via MAPI32, has a Key Logger component, and arrives with randomly selected double-extension filenames.

It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients (Microsoft Outlook and Microsoft Outlook Express) to automatically execute the file attachment. This is also known as Automatic Execution of Embedded MIME type.

Solution:


Delete the %System%\CP_25389.NLS file.
Click Start>Run, type Regedit then hit the Enter key.
Double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft
>Windows>CurrentVersion>RunOnce
In the right panel, look for following registry value:
kernel32
Click the registry value and then Delete it.
Restart your system.
Scan your system with Trend Micro antivirus and delete all files detected as WORM_BADTRANS.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

In the wild: No
Payload 1: Others (executes a key logger program)
Trigger condition 1: Upon execution
Payload 2: Others (compromises network security)
Trigger condition 2: Upon execution
Payload 3: Others (steals passwords)
Trigger condition 3: Upon execution
Discovered: November 24, 2001
Detection available: November 24, 2001
Detected by pattern file#: 170 or 970
(note about pattern numbering)
Detected by scan engine#: 5.200
Language:
English
Platform: Windows
Encrypted: No
Size of virus: 29,020 Bytes

Details:
Infection:
Upon execution, this worm copies itself to a KERNEL32.EXE file in the Windows System directory. It then checks the process list for the presence of KERNEL32.EXE. It deletes all instances of the KERNEL32.EXE process in memory and then creates a new worm process and a new copy of KERNEL32.EXE.

Thereafter, it registers itself as system service not visible in the task list on Windows 9x systems. It then retrieves the RAS account information, the user name, and the computer name of the infected system. To gather more information about the target system, it installs a keylogger on the local machine as KDLL.DLL. This DLL worm exports the following four (4) functions:

“GetData”
“KeyLogOn”
“KeyLogOff”
“KeyLogOpt”
It records all keystrokes, the date, time, user name, and the application name where a keystroke was typed, in encrypted form, to a CP_25389.NLS file. It then connects to a SMTP server to send the information via email to a specific email address. The information in the email may contain sensitive information such as documents and passwords.

A sample of a keylogger entry is as follows:

Sun, 25 Nov 2001 06:39:49, Computer: "INFECTPC" User: "Infect PC"

Title: "Run", 06:41:04
cmd.exe

Title: "Untitled - Notepad", 06:41:13
Testing keylogging in notepad.

Trend Micro antivirus detects the KDLL.DLL file as WORM_BADTRANS.B.
To execute itself on the next Windows startup, it creates the following registry entry that executes the KERNEL32.EXE file upon Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce\kernel32 = “kernel32.exe”

To cover its traces, the worm deletes the source worm executable and leaves the copy located in the Windows System directory.
Mail Distribution Routine:
The worm distributes its copy in several ways. It replies to incoming messages and sends emails with itself to the email address found in the “*.HT ” and “.ASP” files. To do this, the worm searches for the files located in the directory specified in the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Shell FoldersPersonal (usually contains c:\My Documents)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\Cache\PathsDirectory (contains temporary Internet files)

Email Details:
The mail contains no message and the headers may contain the following bogus information:
From: (this is randomly selected from the following list)
" Anna" <[email protected]>
"JUDY" <[email protected]>
"Rita Tulliani" <[email protected]>
"Tina" <[email protected]>
"Kelly Andersen" <[email protected]>
" Andy" <[email protected]>
"Linda" <[email protected]>
"Mon S" <[email protected]>
"Joanna" <[email protected]>
"JESSICA BENAVIDES" <[email protected]>
" Administrator" <[email protected]>
" Admin" <[email protected]>
"Support" <[email protected]>
"Monika Prado" <[email protected]>
"Mary L. Adams" <[email protected]>
Subject: (this is randomly selected from the following list)
"info"
"docs"
"Humor"
"fun"
Attachment: (This is divided into 3 parts, basename, first extension, and the second extension.)

Basename:
"Pics"
"images"
"README"
"New_Napster_Site"
"news_doc"
"HAMSTER"
"YOU_are_FAT!"
"stuff"
"SETUP"
"Card"
"Me_nude"
"Sorry_about_yesterday"

First Extension:
".DOC."
".ZIP."
".MP3."

Second Extension:
"scr"
"pif"

The worm uses the default account and the default SMTP server of the local machine. This information can be found in the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\0000000
SMTP Email Address
SMTP Server

Another distribution method of this worm is that it replies to unread emails. The Subject field in worm messages is the same as the Subject of the original message prepended with "Re:."


Description created: November 24, 2001
Description updated: 23 hours 33 minutes ago
(November 25, 2001 6:25:14 PM GMT -0800)

 

Thank you for the information. This the first time a worm has hit me. I will follow the instructions to get it out of my machine.

 

Virus Scan found two infected files: C:\WINDOWS\SYSTEM\kernel32.exe C:\WINDOWS\SYSTEM\kdll.dll
Both of these files were being used by the Windows system so they could not be deleted from within Windows. I shut down and reopened in DOS, went to dir system and del (the files). Shut down and reopened in windows and a rerun of the virus scan says all is well.

Thanks for your help.

 

you're very welcome

Savvy

 

This one is sure hitting hard & fast

 

Apparently you do not have to open the attachment for it to infect your computer - just leave it unread for a while and it jumps in.

 

Yep... thats what it says & doesn't need to be an attachment either.
This is a nasty one & I just got it...
an e-mail came & a notepad message opened automatically... said this This file: "Unknown06c4.data" was infected with the: "[email protected]" virus.

The file was quarantined by Norton AntiVirus. Wednesday, November 28, 2001 16:36



Savvy

 

Savvy
Question about this new virus. You said you were infected by it since Norton quarantined the file. Was it able to get by Nortons initial defense using e-mail protect or is that where it was caught?
Dave

 

I came across this paper describing how to remove Badtrans files.

I suspect it will come in handy here and there:

For WINDOWS 95/98/ME:

Restart Windows in Safe Mode (reboot your computer, as soon as you see the text Starting Windows at the bottom of the screen, hit the F5 key).

Find the following files, if present, and delete them:
In your Windows folder: INETD.EXE

In your Windows\System folder:
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL

Now go to Start/Run, and type Regedit.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Click 'RunOnce' once, in order to highlight it.
Now find the value 'Kernel32=kernel32.exe' in the right pane, highlight, and hit 'delete'.

Good luck,

 

Davey... I do not understand Nortons or how to use it . I guess I winged it ok though as it was quarantined & I tried to clean it to send on... & it was not cleanable. However it did not infect my system as it was caught that quick!! I ran a new scan & I did delete it in Nortons.
However ... H_Key directions didn't find the path Iwas instructed to go to...by my post above & tony's. ?????

I got as far as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows & there was no next step as CurrentVersion was not there.


Savvy

Think im going to housecalls & double check...scanning there will not take to long

 

I'm back... Im ok... no worm or virus or trojan... Housecall & Norton both say so.

I'm a happy camper now.

Savvy

 

Hi Savvy,

There always is, I can assure you, or you wouldn't be here...

Just click on the + signs and you're bound to end up finding it.

I think you skipped one step, and went to HKEY_LOCAL_MACHINE\SOFTWARE\Windows, instead of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.

Good luck,

 

Thank you.... you're absolutely right. I did skip Microsoft & I found my way this time.... Run Once had [ab] default value not set


what does that mean?


Savvy

 

Hi Savvy,

If there's nothing there except 'default - value not set', that means you have no entry in your RunOnce key, which in turn means that you don't have the BadTrans entry there either.

So good news there!

Cheers,

 

well at last good news..lol

Thanks again Tony