{ brad brace } on Thu, 12 Jul 2001 02:09:22 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Nettime-bold] Badtrans virus



> By Ken Dunham ([email protected])
> ------------------------------------------------------------------------
> Common Names: BadTrans
> Aliases: I-Worm.Badtrans, IWorm_Badtrans,
> W32/Badtrans@MM, Backdoor-NK.svr, W32.Badtrans.13312@mm,
> W32/Badtrans-A, TROJ_BADTRANS.A
> Variants: N/A
> Attachments: Card.pif, docs.scr, fun.pif, hamster.ZIP.scr,
> Humor.TXT.pif, images.pif, Me_nude.AVI.pif, New_Napster_Site.DOC.scr,
> news_doc.scr, Pics.ZIP.scr, README.TXT.pif, s3msong.MP3.pif,
> searchURL.scr, SETUP.pif, Sorry_about_yesterday.DOC.pif,
> YOU_are_FAT!.TXT.pif (13Kb in size)
> NOTE: Me_nude.AVI.pif, New_Napster_Site.DOC.scr,
> Sorry_about_yesterday.DOC.pif, YOU_are_FAT!.TXT.pif are also sent out
> by MTX.
> Discovered: 04/11/2001
> Distribution: High
> Severity: Moderate to Severe (Installs Backdoor Trojan)
> Vulnerable: Windows 95/98/NT/ME/2000, Microsoft Outlook,
> Microsoft Outlook Express
> Profile Updated: 04:15 PM GMT 04/19/2001
> 
> Description
> 
> Badtrans spreads via email, installing a backdoor Trojan on affected
> systems.
> 
> 
> 
> 
> Symptoms
> 
> Presence of infected INETD.EXE and/or HKK32.EXE files in the Windows
> directory. Presence of HKSDLL.DLL, KERN32.EXE, and/or CP_23421.NLS in
> the Windows System directory. Presence of registry edits as noted
> below in the "Infection" section.
> 
> 
> Infection
> 
> Badtrans arrives as an email with an infected attachment of 13Kb
> (compressed size). Once an infected attachment is executed Badtrans
> copies itself into the Windows directory on the local machine using
> the filename INETD.EXE and drops a Trojan called HKK32.EXE in the
> same location. This Trojan is a variant of the Hooker family,
> designed to steal data from infected computers, sending information
> to the email address of [email protected].
> 
> Immediately after being dropped into the Windows directory, the
> Trojan component is executed, dropping KERN32.EXE, HKSDLL.DLL, and
> CP_23421.NLS into the Windows System directory. KERN32.EXE is a
> second copy of the Trojan component of Batrans. HKSDLL.DLL is a
> keylogger library. CP_23421.NLS is a Trojan data file used to store
> internal data. Badtrans then deletes the HKK32.EXE file in Windows
> directory.
> 
> WIN.INI, under the Windows section, is then modified under Windows
> 9.X systems with load= and run= statements to run the malware upon
> startup.
> 
> 
> [windows]
> load=
> run=C:\WINDOWS\INETD.EXE
> 
> 
> 
> The system registry is also modified under Windows NT/2000 to run the
> malware upon startup,
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
> Badtrans also attempts to register itself under the RunOnce key in
> the registry at
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> kernel32 = kern32.exe. When installation is complete on a new system
> Badtrans displays a "Install error" message with the following text:
> 
> 
> File data corrupt:
> probably due to bad data transmission or bad disk access.
> 
> 
> 
> Once the system has been restarted, the worm component of Badtrans
> attempts to send out infected emails to other users. The worm is
> registered as a hidden service process, sleeping for about 5 minutes
> before it begins a spreading routine. Badtrans spreads much like
> Explore.zip malware, exploiting Windows MAPI function to access the
> Inbox and send out emails to all unread messages (including all new
> messages that are received). Infectious emails are sent out with the
> following data:
> 
> 
> 
> Subject: Same as the original email along with the standard "Re:" prefix.
> Body: A standard reply format to the original message along with the
> text "Take a look to the attachment."
> Attachments: Card.pif, docs.scr, fun.pif, hamster.ZIP.scr,
> Humor.TXT.pif, images.pif, Me_nude.AVI.pif, New_Napster_Site.DOC.scr,
> news_doc.scr, Pics.ZIP.scr, README.TXT.pif, s3msong.MP3.pif,
> searchURL.scr, SETUP.pif, Sorry_about_yesterday.DOC.pif,
> YOU_are_FAT!.TXT.pif
> 
> 
> *The following attachment filenames are ALSO sent out by MTX:
> Me_nude.AVI.pif, New_Napster_Site.DOC.scr,
> Sorry_about_yesterday.DOC.pif, YOU_are_FAT!.TXT.pif. Therefore,
> attachments with these filenames may have been sent legitimately, or
> from Badtrans or MTX (at the time of writing this description).
> 
> Badtrans appends two spaces to the end of the Subject line to track
> messages sent out by Badtrans. This enables Badtrans to avoid sending
> an infectious email to the same user more than once. However, some
> email servers trim out spaces at the end of Subject lines, which can
> cause this technique to fail. In this special scenario, two computers
> will continue to send messages back and forth to one another
> (looped). Additionally, Badtrans may fail to mark emails as answered,
> dependent upon various email clients, which may result in thousands
> of emails being sent out to the same address within minutes. Both
> scenarios may result in a Transport Bomb/Overload for emails servers
> attempting to process high traffic loads caused by Badtrans.
> 
> 
> Payload
> 
> May result in a Transport Bomb/Overload for emails servers. A
> backdoor Trojan component is installed on the system, which may lead
> to additional compromise of the affected system.
> 
> 
> Disinfection
> 
> Use updated antivirus software to remove this malware from an
> infected system. For manual removal of this malware consider backing
> up important files, including the registry, and following the steps
> below:
> 
> 1. Select "Run..." from the Start menu, type in regedit and press Return.
> 2. Locate and delete the keys/values added by Badtrans, as noted
> in the description above.
> 3. Select "Run..." from the Start menu, type in WIN.INI and press Return.
> 4. Locate the run= line under the Windows section, referencing
> C:\WINDOWS\INETD.EXE, and remove the information to the right of the
> = sign. When done the line should look like run=.
> 5. Restart the system.
> 6. Locate and delete INETD.EXE and/or HKK32.EXE files in the
> Windows directory and HKSDLL.DLL, KERN32.EXE, and/or CP_23421.NLS in
> the Windows System directory if present.
> 7. Delete all infected email including the Inbox, sent mail, and
> deleted items folders, and other mediums (backups, floppy disks, etc).
> 8. Make use of updated antivirus to scan and cross-check the
> manual removal of this malware.
> 
> 
> 
> 
> Resources
> 
> AVP
> http://www.avp.ch/avpve/worms/email/badtrans.stm
> 
> Central Command
> http://support.avx.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=0
> 10412-000008
> 
> F-Secure
> http://www.f-secure.com/v-descs/badtrans.shtml
> 
> McAfee
> http://vil.nai.com/vil/virusSummary.asp?virus_k=99069
> 
> Panda Software
> http://www.pandasoftware.es/library/gusano/W32Badtrans@MM_EN_1.htm
> 
> Sophos
> http://www.sophos.com/virusinfo/analyses/w32badtransa.html
> 
> Symantec
> http://www.symantec.com/avcenter/venc/data/[email protected]
> 
> Trend Micro
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BADTRANS
> .A


/:b




_______________________________________________
Nettime-bold mailing list
[email protected]
http://www.nettime.org/cgi-bin/mailman/listinfo/nettime-bold