-Caveat Lector-

----- Original Message -----
From: "Michael Pugliese" <[EMAIL PROTECTED]>
To: "Adam Richmond" <[EMAIL PROTECTED]>
Sent: Thursday, May 31, 2001 9:21 AM
Subject: BadTrans Worm


>    Dummy me opened an attachment that was advertised as an MP3, my
> antivirus program zapped it. I think!
>   Needless to say, don't open any attachments "from me".
> Michael Pugliese
>
>       Contains signature of  Worm/BadTrans.2
>       File was destroyed by virus!
>       WAS DELETED!
> C:\WINDOWS\OPTIONS\CABS
>   WIN98_24.CAB
>   ArchiveType: CAB (Microsoft)
>       NOTE! The archive is created by multiple volumes
>   WIN98_25.CAB
>   ArchiveType: CAB (Microsoft)
>       NOTE! The archive is created by multiple volumes
>
> End of scan: 31.05.2001  08:52
> Time taken:         19:54 min
>
>
>  946 directories were scanned
> 14016 files were scanned
>    2 warning messages were issued
>    1 file was deleted
>    0 viruses were removed
>    1 virus was found
>
> http://support.avx.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_sid=QIm7EqOf&p_lva=&p_refno=010412-000008&p_created=987090805&p_sp=cF9ncmlkc29ydD0mcF9yb3dfY250PTUyJnBfc2VhcmNoX3RleHQ9JnBfc2VhcmNoX3R5cGU9MyZwX3Byb2RfbHZsMT1_YW55fiZwX2NhdF9sdmwxPTQmcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=
>
> Manually removing an infection from your computer can put your data at
> risk for damage that may or may not be recoverable. Central Command
> strongly recommends that you back up all of your data prior to attempting
> to remove an infection or repair any damage caused by an infection.
>
>
> Details:
> ----------
>
> Name: I-Worm.Badtrans
> Alias: W32.Badtrans.13312@mm
> Detection added : April 12, 2001
> Spread Method : Via E-Mail (A copy of the worm will be sent as a reply
> message to all unread emails in the user's Inbox folder)
>
>
> Description:
> ------------
>
> Worm part:
> -------------
>
> When the attachment is executed the worm drops the trojan "hkk32.exe" into
> the Windows folder and executes itself. A copy of the worm is created under
> the file name inetd.exe in the Windows folder. The following line is added
> to "win.ini" in the [windows] section: run=c:\windows\inetd.exe.
>
> This line actually runs the worm every time Windows loads. After it
> finishes running its routine, the worm will display the following error box:
>
>
>
> The worm will arrive with one of the following filenames:
>
> New_Napster_Site.DOC.scr
> Pics.ZIP.scr
> images.pif
> README.TXT.pif
> news_doc.scr
> searchURL.scr
> SETUP.pif
> Card.pif
> hamster.ZIP.scr
> YOU_are_FAT!.TXT.pif
> Me_nude.AVI.pif
> Sorry_about_yesterday.DOC.pif
> s3msong.MP3.pif
> Humor.TXT.pif
> fun.pif
> docs.scr
>
> It will also add, to the original message, the following line:
> "Take a look to the attachment"
>
>
> Trojan part:
> --------------
>
> The hkk32.exe is a trojan called: Trojan.PSW.Hooker. This trojan drops a
> file called hksdll.dll used later as hook component to intercept pressed
> keys. A copy of the worm called kern32.exe is created in the Windows folder
> and the original file hkk32.exe is deleted.
>
> It also adds the following key to the registry in order to be executed
> every time Windows loads:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
> kernel32 = c:\windows\system\kern32.exe
>
> It sends information from infected computers to the email address:
> [EMAIL PROTECTED]
>
>
>
>
>
>
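
An added example (not part of the original message or of the quoted Central Command advisory): a Python check for two indicators the advisory describes, decoy double extensions on attachment names and a run= entry in the [windows] section of win.ini. The function names, the extension sets and the sample inputs are assumptions constructed for illustration.

```python
import ntpath

# Extensions Windows executes directly; the advisory's samples end in .pif or .scr.
EXECUTABLE = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# Harmless-looking extensions used as the decoy middle component (assumed set).
DECOY = {".doc", ".zip", ".txt", ".avi", ".mp3", ".jpg", ".gif"}

def classify_attachment(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    stem, ext = ntpath.splitext(name.strip().lower())
    if ext not in EXECUTABLE:
        return "ok"
    _, inner = ntpath.splitext(stem)
    return "double-extension" if inner in DECOY else "executable"

def win_ini_autoruns(text):
    """Return (key, value) pairs for non-empty run=/load= in [windows]."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                found.append((key.lower(), value))
    return found

# Constructed sample inputs; the names and the run= line come from the advisory text.
SAMPLE_NAMES = ["s3msong.MP3.pif", "fun.pif", "Pics.ZIP.scr", "notes.txt"]
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\inetd.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:20} {classify_attachment(n)}")
    for key, value in win_ini_autoruns(SAMPLE_WIN_INI):
        print(f"win.ini [windows] {key}= {value}")
```

Any run= or load= value reported here still needs review by hand, since legitimate software of that era also used these win.ini keys.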

www.ctrl.org
DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic
screeds are unwelcomed. Substance—not soap-boxing—please!  These are
sordid matters and 'conspiracy theory'—with its many half-truths, mis-
directions and outright frauds—is used politically by different groups with
major and minor effects spread throughout the spectrum of time and thought.
That being said, CTRL gives no endorsement to the validity of posts, and
always suggests to readers; be wary of what you read. CTRL gives no
credence to Holocaust denial and nazi's need not apply.

Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://peach.ease.lsoft.com/archives/ctrl.html
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]

To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]

Om