Note: forwarded message attached.


=====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Wherever you see media wrapped around media wrapped around media, you know there's a 
meme in there somewhere."
- Douglas Rushkoff from "Media Virus"

http://www.connix.com/%7Ewbrady/psyche4.htm
http://www.pieman.org/
http://www.webcom.com/%7epinknoiz/covert/seberg.html

--- Begin Message ---
Tuesday, 27 November, 2001, 12:14 GMT
BadTrans computer virus strikes
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1678000/1678578.stm

Be careful what you type, Badtrans could be watching

A sneaky Windows computer virus is circulating that tries to install
software that monitors what users are typing and passes it to the
malicious program's creator.

Like many of the other computer viruses that have struck in recent
months, BadTrans-B attempts to spread by exploiting weaknesses in
Microsoft e-mail programs.

One anti-virus company has caught over 20,000 copies of the virus in the
last 24 hours.

The UK, Germany and US are the countries most seriously infected by the
virus.

Old holes

The BadTrans-B virus is spreading swiftly because, unlike many other
e-mail viruses, the pernicious payload that helps it raid Microsoft
Outlook address books does not have to be clicked on to set it off.

Simply previewing the item could cause infection. The loophole the virus
exploits was first discovered in early 2001.

"It's baffling to find that even though Microsoft secured that hole eight
months ago, many users have still not applied the patch," said Graham
Cluley of anti-virus firm Sophos.

When the virus mails itself to the contacts in the address books it
raids, the virus uses a subject line from an existing message to make
it appear to be a legitimate reply.

The virus also regularly swaps the name of the attachment travelling with
it, in an attempt to conceal its pernicious payload.

BadTrans-B is a variant of the original BadTrans virus that was first
discovered in April.

BT Openworld error

As well as raiding Outlook and Outlook Express address books, the virus
also tries to implant a hidden program that tries to send an identifying
net address to the author of the virus.

The hidden program also monitors what users are typing, and the
information it tracks could be used by a malicious hacker to steal
credit card information or passwords for websites.

Britain seems to have been hit hard by the BadTrans-B Windows virus.
Anti-virus firm Message Labs, which logs the numbers of pernicious
programs it traps, has caught over 21,000 copies of BadTrans-B in the
last 24 hours. Over 50% of these originated in Britain.

The spread of the virus was inadvertently helped by BT Openworld, which
accidentally e-mailed a copy of the virus to its customers.

===========================

F-Secure Virus Descriptions
NAME: BadTrans.B
ALIAS: BadtransII, I-Worm.BadtransII, W95/Badtrans.B@mm
http://www.f-secure.com/v-descs/badtrs_b.shtml

Information about the original W95/Badtrans is available at:
http://www.F-Secure.com/v-descs/badtrans.shtml

Disinfection instructions for Badtrans.b worm can be found here:

http://www.europe.f-secure.com/v-descs/bt_b_dis.shtml

The Badtrans.B e-mail worm was found in several locations in Europe on
24 November 2001. The worm sends variably named attachments which
might execute automatically when the e-mails are viewed.

Badtrans.B spreads on Win32 systems. It sends e-mail messages with
infected attached files and installs a spying trojan component to
steal information from infected systems.

The worm itself is a Win32 executable (PE EXE) file. It was found
in the wild in compressed form and is about 29Kb in size; once
decompressed, the worm file is about 60Kb.

The worm consists of two main components - Worm and Trojan. The "Worm"
component sends infected messages; the "Trojan" component sends out the
information (user's info, RAS data, cached passwords, keyboard log) from
infected computers to a specified e-mail address. It also keeps a
"keylogger" program body in its code and installs it into the system
while infecting a new machine.


Infecting the system

When an infected file is run (when a user clicks on the attached file and
activates it, or when the worm gets control through the IFRAME security
breach), the worm code gets control. First of all the worm drops
(installs) its components to the system and registers them in the
system registry.

The installed trojan file name, the target directory and the registry
key are configurable. They are stored in encrypted form at the end of
the trojan file. A hacker may configure them before sending it to a
victim machine, or before putting it on a web site.

The worm also drops an additional keyboard hooker (a Win32 DLL file) to
the system and then uses it to spy on text entered at the keyboard. The
DLL file name is configurable as well.

Other configurable options are:

- whether the worm deletes the original infected file when installation
  is complete
- the size of the keyboard log file

Spreading

To send infected messages the worm uses a direct connection to an SMTP
server. Victim e-mail addresses are obtained in two different ways:

1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses
   from them.
2. The worm uses MAPI functions to read all e-mails in the Inbox and
   gets e-mail addresses from them.

Next the worm sends infected messages. The message body has HTML format,
and uses the IFRAME breach to spawn the infected attachment on vulnerable
machines.

The message fields are:

From: - original sender, or fake address, randomly selected from:


  " Anna" <[EMAIL PROTECTED]>
  "JUDY" <[EMAIL PROTECTED]>
  "Rita Tulliani" <[EMAIL PROTECTED]>
  "Tina" <[EMAIL PROTECTED]>
  "Kelly Andersen" <[EMAIL PROTECTED]>
  " Andy" <[EMAIL PROTECTED]>
  "Linda" <[EMAIL PROTECTED]>
  "Mon S" <[EMAIL PROTECTED]>
  "Joanna" <[EMAIL PROTECTED]>
  "JESSICA BENAVIDES" <[EMAIL PROTECTED]>
  " Administrator" <[EMAIL PROTECTED]>
  " Admin" <[EMAIL PROTECTED]>
  "Support"  <[EMAIL PROTECTED]>
  "Monika Prado" <[EMAIL PROTECTED]>
  "Mary L. Adams"  <[EMAIL PROTECTED]>
  " Anna" <[EMAIL PROTECTED]>
  "JUDY" <[EMAIL PROTECTED]>
  "Tina" <[EMAIL PROTECTED]>

Subject: - empty, or "Re:", or "Re:" followed by the original Subject
from a real Inbox message (see Way #2 above)

Body: - empty

Attachment: randomly selected "filename + ext1 + ext2" where filename
can be:


Pics      (or PICS )
Card     (or CARD)
images    (or IMAGES)
Me_nude  (or ME_NUDE)
README
Sorry_about_yesterday
New_Napster_Site
info
news_doc  (or NEWS_DOC)
docs   (or DOCS)
HAMSTER
Humor  (or HUMOR)
YOU_are_FAT! (or YOU_ARE_FAT!)
fun    (or FUN)
stuff
SEARCHURL
SETUP
S3MSONG

The first extension can be: .DOC .ZIP .MP3
The second extension can be: .scr .pif

For example: "info.DOC.scr"

The worm doesn't send infected messages twice to the same address. To
enforce this it stores every address it has already mailed in the file
PROTOCOL.DLL in the Windows system directory, and checks that file's
content before sending a new message.

Badtrans.B installs itself into the Windows system directory under the
name KERNEL32.EXE and registers it in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Kernel32 = kernel32.exe

It drops the keyboard hooker under the name KDLL.DLL and sends the
stolen info to an e-mail address at Hotmail. The log is stored in the
Windows system directory under the name CP_25389.NLS.


Additional Information

The worm's attachment might execute automatically when the e-mails are
viewed. To do this Badtrans.B uses a known vulnerability in IE that
allows automatic execution of an e-mail attachment. This vulnerability
is fixed and a patch for it is available on the Microsoft site:

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

The worm also drops a password-stealing trojan, KDLL.DLL, detected by
F-Secure Anti-Virus as 'Trojan.PSW.Hooker'.

More information on this trojan can be found from:
http://www.F-Secure.com/v-descs/hooker.shtml

F-Secure Anti-Virus detects both variants of Badtrans worm and trojan
components with the updates published on November 24, 2001 / 23:29 GMT.

[F-Secure Corporation and Kaspersky Lab, November 24th-26th, 2001]

===========================

Relaxed holiday attitudes help BadTrans worm
http://news.zdnet.co.uk/story/0,,t269-s2099905,00.html

09:07 Tuesday 27th November 2001
Robert Lemos, ZDNet US

Update: BadTrans.B continues to spread, as users mistake it for a
Christmas letter

A new computer worm that installs hacking software on infected computers
hit home email users and businesses this week.

Known as BadTrans.B, the worm is spreading mainly due to people's relaxed
approach to security during the holiday season, said April Goostree,
virus research manager for computer security company McAfee.com. "The
fact that it comes around this time makes more end-users vulnerable,
because they are expecting holiday emails," she said.

Reports of the worm, a variant of the original BadTrans virus that
started spreading last April, started coming in Friday night. By
Saturday, Goostree said, McAfee.com had intercepted several hundred
copies of the worm. On Sunday, reports of worm infections were coming in
at a rate of three to five every minute.

Data provided online by UK-based email screening service MessageLabs
showed the BadTrans virus accelerating quickly, with more than 700
infected email messages intercepted on Saturday and several thousand
stopped on Sunday.

The numbers knocked SirCam from the No 1 slot in MessageLabs' daily
rankings of the Top 10 bugs, a spot the persistent email worm has held
for more than four months.

In Asia Pacific, BadTrans is proving to be less potent than last week's
resurgence of Aliz (W32.Aliz.Worm), a small, 4Kb worm that can become
active just by previewing the infected e-mail in Microsoft Outlook.

"Badtrans is predominantly in the US and UK, and Aliz is predominantly in
Japan," observed Symantec senior South East Asia director Ross Wilson.
However, he noted that there have been more submissions about BadTrans in
Asia Pacific than for Aliz. Both worms have been upgraded to Level 4
(severe).

According to Wilson, there are no unique characteristics in the way these
worms are spreading. "It is the speed at which the worms are spreading
which is alarming. Asians are only now realising that they need to update
their (virus) definitions weekly, and this may be the reason why the Aliz
worm is more widespread in Asia," he explained.

Unlike the Nimda or Code Red, however, BadTrans and Aliz are easily fixed
using most vendors' antivirus software. "As such, I would expect the
incidence to start dropping off in the next two to three days once users
update their virus definitions," said Wilson.

The worm doesn't play on the holidays, however. Aside from a handful of
general names for the email attachment that spreads the worm--such as
"card" and "pics"--the worm makes no overt connection to either
Thanksgiving or Christmas.

While Badtrans.B is not destructive, it does install a keylogger, a
program that records what a person using the infected PC types and then
sends the information to the virus writer's e-mail address. The
key-logging program, known as Backdoor-NK.server, focuses specifically on
four software functions that are used by programs to allow a person to
enter a password, so it mainly records account information entered.

The FBI is reportedly using just such a program to collect the digital
keys to suspected criminals' accounts.

A PC user will first encounter the worm as an email message--possibly
from someone he or she knows--with an executable attachment. The worm
propagates by sending itself as a reply to any unread messages in the
person's Outlook mailbox. It also sends itself to email addresses culled
from images of Web pages contained in the "My Documents" folder and the
browser's cache.

The virus uses a vulnerability in Microsoft's Internet Explorer 5.01 and
5.5 to automatically execute itself on PCs that don't have a patched Web
browser. Opening the email in a separate window or Outlook's preview pane
will cause the worm to execute on unpatched machines.

The vulnerability had also been used by the Nimda worm as one of its four
ways of spreading.

"That's the vulnerability du jour," said Roger Thompson, lead antivirus
researcher for security firm TruSecure.

On PCs with patched Web browsers, a dialog box will open, asking the
person what to do.

While many home consumers got hit with the worm over the weekend,
Thompson fears that corporations will start feeling the sting Monday.

"My main worry was that it was going so strongly over the weekend; what's
going to happen when people come to work?" he said. "I don't think as
many corporations are getting patched as we might have expected."

"It looks like the worm is gestating in the fertile ground of the
home-user base. But corporate users will be coming into work (Monday) and
setting it off on business networks," added Mark Sunner, chief technology
officer at MessageLabs.

Staff writers Michelle Tan and Wendy McAuliffe reported from Singapore
and London.

===========================

W32.Badtrans.B@mm
http:[EMAIL PROTECTED]

Discovered on: November 24, 2001
Last Updated on: November 27, 2001 at 09:32:11 AM PST

Due to the increased rate of submissions, Symantec Security Response has
upgraded the threat level of this worm from level 3 to level 4 as of
November 26, 2001.

W32.Badtrans.B@mm is a MAPI worm that emails itself out using different
file names. It also creates the file \Windows\System\Kdll.dll. It uses
functions from this file to log keystrokes.

Type: Worm

Infection Length: 29,020 bytes

Virus Definitions: November 24, 2001

Threat Assessment:


Wild: High
Damage: Low
Distribution: High


Wild:

Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Damage:

Payload:
Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.
Distribution:

Name of attachment: randomly chosen from preset list
Size of attachment: 29,020 bytes

Technical description:

This worm arrives as an email with one of several attachment names and a
combination of two appended extensions. It contains a set of bits that
control its behavior:

001 Log every window text
002 Encrypt keylog
004 Send log file to one of its addresses
008 Send cached passwords
010 Shut down at specified time
020 Use copyname as registry name (else kernel32)
040 Use kernel32.exe as copyname
080 Use current filename as copypath (skips 100 check)
100 Copy to %system% (else copy to %windows%)

When it is first executed, it copies itself to %System% or %Windows% as
Kernel32.exe, based on the control bits. Then it registers itself as a
service process (Windows 9x/Me only). It creates the key log file
\%System%\Cp_25389.nls and drops %System%\Kdll.dll, which contains the
key logging code.

NOTE: %Windows% and %System% are variables. The worm locates the \Windows
folder (by default this is C:\Windows or C:\Winnt) or the \System folder
(by default this is C:\Windows\System or C:\Winnt\System32) and copies
itself to that location.
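The control bits above decide where the worm installs itself and what RunOnce value it writes. The decoder below is an added example (not Symantec's or the worm's code) that turns a bit pattern into the install plan those bits select; the bit values and field names come from the list above, while the configured copy name, the path variables and the reading of bit 0x080 as "stay in place" are assumptions.

```python
import ntpath

# Control bits exactly as listed in the Symantec write-up (hex values).
LOG_WINDOW_TEXT   = 0x001  # log every window text
ENCRYPT_KEYLOG    = 0x002  # encrypt keylog
SEND_LOG          = 0x004  # send log file to one of its addresses
SEND_CACHED_PW    = 0x008  # send cached passwords
TIMED_SHUTDOWN    = 0x010  # shut down at specified time
REG_USE_COPYNAME  = 0x020  # use copyname as registry name (else kernel32)
COPYNAME_KERNEL32 = 0x040  # use kernel32.exe as copyname
COPYPATH_CURRENT  = 0x080  # use current filename as copypath (skips 0x100)
COPY_TO_SYSTEM    = 0x100  # copy to %system% (else copy to %windows%)

FLAG_NAMES = {
    LOG_WINDOW_TEXT: "log every window text",
    ENCRYPT_KEYLOG: "encrypt keylog",
    SEND_LOG: "send log file to one of its addresses",
    SEND_CACHED_PW: "send cached passwords",
    TIMED_SHUTDOWN: "shut down at specified time",
    REG_USE_COPYNAME: "use copyname as registry name",
    COPYNAME_KERNEL32: "use kernel32.exe as copyname",
    COPYPATH_CURRENT: "use current filename as copypath",
    COPY_TO_SYSTEM: "copy to %system%",
}

RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def decode_flags(bits):
    """Names of every behaviour bit set in `bits`, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if bits & bit]


def install_plan(bits, current_path, configured_name,
                 windows_dir=r"C:\Windows", system_dir=r"C:\Windows\System"):
    """Return the copy location and RunOnce value selected by bits 0x020-0x100.

    `configured_name` stands in for the optional copy name that F-Secure says
    is stored encrypted at the end of the file (assumption: no default given).
    """
    copyname = "kernel32.exe" if bits & COPYNAME_KERNEL32 else configured_name
    if bits & COPYPATH_CURRENT:
        # Assumption: "current filename as copypath" means the file stays where
        # it was run from, so the %System%/%Windows% choice is never consulted.
        copy_path = current_path
    else:
        folder = system_dir if bits & COPY_TO_SYSTEM else windows_dir
        copy_path = ntpath.join(folder, copyname)
    value_name = copyname if bits & REG_USE_COPYNAME else "Kernel32"
    value_data = ntpath.basename(copy_path)
    return {"copy_path": copy_path,
            "registry": (RUNONCE_KEY, value_name, value_data)}


if __name__ == "__main__":
    # Constructed sample: the default-looking configuration (kernel32.exe in
    # %System%, value "Kernel32") is bits 0x040 | 0x100.
    print(install_plan(0x140, r"C:\Temp\CARD.Doc.pif", "svc.exe"))
    print(decode_flags(0x00D))
```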

A timer is used to examine the currently open window once per second, and
to check for a window title that contains any of the following as the
first three characters:


LOG
PAS
REM
CON
TER
NET

These texts form the start of the words LOGon, PASsword, REMote,
CONnection, TERminal, NETwork. There are also Cyrillic versions of these
same words in the list. If any of these words are found, then key logging
is enabled for 60 seconds. Every 30 seconds, the log file and the cached
passwords are sent to one of the e-mail addresses hard-coded in the worm
(the addresses are redacted in this copy).


After 20 seconds, the worm will shut down if the appropriate control bit
is set.

If RAS support is present on the computer, then the worm will wait for an
active RAS connection. When one is made, with a 33% chance, the worm will
search for email addresses in *.ht* and *.asp in %Personal% and Internet
Explorer %Cache%. If it finds addresses in these files, then it will send
mail to those addresses. The attachment name will be one of the following:

Pics
images
README
New_Napster_Site
news_doc
HAMSTER
YOU_are_FAT!
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
info
docs
Humor
fun

In all cases, MAPI will also be used to find unread mail to which the
worm will reply. The subject will be "Re:". In that case, the attachment
name will be one of the following:

PICS
IMAGES
README
New_Napster_Site
NEWS_DOC
HAMSTER
YOU_ARE_FAT!
SEARCHURL
SETUP
CARD
ME_NUDE
Sorry_about_yesterday
S3MSONG
DOCS
HUMOR
FUN

In all cases, the worm will append two extensions. The first will be one
of the following:

.doc
.mp3
.zip

The second extension that is appended to the file name is one of the
following:

.pif
.scr

The resulting file name would look similar to CARD.Doc.pif or
NEWS_DOC.mp3.scr.
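The naming scheme described here and in the F-Secure write-up (a known stem, a decoy .doc/.zip/.mp3 extension, then the .pif/.scr extension Windows actually runs) is a good gateway signature. The filter below is an added example, not code from Symantec or any vendor: it classifies an attachment name against that scheme, then combines it with the other traits the write-ups give (empty body, Subject empty or starting "Re:") to decide what a mail gateway should do; the sample messages and the action names are constructed.

```python
# Attachment stems from the F-Secure and Symantec lists, compared
# case-insensitively because both case variants are used.
BADTRANS_STEMS = {
    "pics", "card", "images", "me_nude", "readme", "sorry_about_yesterday",
    "new_napster_site", "info", "news_doc", "docs", "hamster", "humor",
    "you_are_fat!", "fun", "stuff", "searchurl", "setup", "s3msong",
}
FIRST_EXT = {".doc", ".zip", ".mp3"}   # decoy extension
SECOND_EXT = {".pif", ".scr"}          # extension Windows actually executes


def split_name(filename):
    """'NEWS_DOC.mp3.scr' -> ('NEWS_DOC', ['.mp3', '.scr'])."""
    parts = filename.strip().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def classify_attachment(filename):
    """'badtrans'   - stem and both extensions match the worm's scheme
       'executable' - last extension is .pif/.scr (block regardless, as the
                      Prevention guidance says)
       'clean'      - anything else"""
    stem, exts = split_name(filename)
    last = exts[-1].lower() if exts else ""
    prev = exts[-2].lower() if len(exts) >= 2 else ""
    if last not in SECOND_EXT:
        return "clean"
    if stem.lower() in BADTRANS_STEMS and prev in FIRST_EXT:
        return "badtrans"
    return "executable"


def triage_message(subject, body, attachments):
    """Gateway decision for one message: (action, reasons)."""
    reasons = []
    verdicts = {a: classify_attachment(a) for a in attachments}
    reply_like = subject.strip() == "" or subject.strip().lower().startswith("re:")
    for name, verdict in verdicts.items():
        if verdict != "clean":
            reasons.append(f"{name}: {verdict}")
    if "badtrans" in verdicts.values():
        return "quarantine", reasons
    if "executable" in verdicts.values():
        # Empty body plus a bare/"Re:" subject matches the worm's message shape.
        if reply_like and not body.strip():
            reasons.append("empty body with reply-style subject")
            return "quarantine", reasons
        return "block", reasons
    return "deliver", reasons


# Constructed sample messages: (subject, body, attachment names).
SAMPLES = [
    ("Re: meeting notes", "", ["CARD.Doc.pif"]),
    ("Q4 report", "Attached as discussed.", ["report.doc"]),
    ("Re:", "", ["photo.jpg.scr"]),
    ("Screensaver", "Here is the one I promised.", ["aquarium.scr"]),
]


def run_samples():
    return [triage_message(s, b, a)[0] for s, b, a in SAMPLES]


if __name__ == "__main__":
    for sample, action in zip(SAMPLES, run_samples()):
        print(action, sample[2])
```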

If SMTP information can be found on the computer, then it will be used
for the From: field. Otherwise, the From: field will be one of these:

"Mary L. Adams" <[EMAIL PROTECTED]>
"Monika Prado" <[EMAIL PROTECTED]>
"Support" <[EMAIL PROTECTED]>
" Admin" <[EMAIL PROTECTED]>
" Administrator" <[EMAIL PROTECTED]>
"JESSICA BENAVIDES" <[EMAIL PROTECTED]>
"Joanna" <[EMAIL PROTECTED]>
"Mon S" <[EMAIL PROTECTED]>
"Linda" <[EMAIL PROTECTED]>
" Andy" <[EMAIL PROTECTED]>
"Kelly Andersen" <[EMAIL PROTECTED]>
"Tina" <[EMAIL PROTECTED]>
"Rita Tulliani" <[EMAIL PROTECTED]>
"JUDY" <[EMAIL PROTECTED]>
" Anna" <[EMAIL PROTECTED]>

Email messages use the malformed MIME exploit to allow the attachment to
execute in Microsoft Outlook without prompting. For information on this,
go to:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm writes email addresses to the %System%\Protocol.dll file to
prevent multiple emails to the same person.

After sending mail, the worm adds the value

Kernel32   kernel32.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

This will run the worm the next time that you start Windows.


Removal instructions:

To remove this worm, follow the instructions for your operating system.

Basic instructions

Windows 95/98/Me

1. Restart Windows in Safe Mode
2. Run Norton AntiVirus and delete all files that are detected as
W32.Badtrans.B@mm.
3. Remove the value that it added to the registry.

For detailed instructions, see the sections that follow.


Windows NT/2000
1. Rename the file Kernel32.exe.
2. Remove the value added to the registry.
3. Restart the computer.
4. Run Norton AntiVirus and delete all files that are detected as
W32.Badtrans.B@mm.

For detailed instructions, see the sections that follow.


Detailed instructions

To restart 95/98/Me in Safe mode:
For instructions, read the document How to restart Windows 9x or Windows
Me in Safe Mode.


To Rename the file Kernel32.exe under Windows NT/2000
1. Click Start, point to Find or Search, and click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders
   is checked.
3. In the "Named" or "Search for..." box, type the following:

Kernel32.exe

CAUTION: Make sure that you type the full name as shown. You must rename
the Kernel32.exe file, not the legitimate Windows file Kernel32.dll.

4. Click Find Now or Search Now.
5. Right-click the file that is displayed and then click Rename.
6. Rename the file to Kernel32.old and press Enter.
7. Close the Find or Search window.
8. Restart the computer.


To run Norton AntiVirus and delete detected files:

CAUTION: Make sure that you are in Safe mode (Windows 95/98/Me) or have
already renamed the Kernel32.exe file (Windows NT/2000).

1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
   scan all files. For instructions on how to do this, read the document
   How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.


To edit the registry:

CAUTION: We strongly recommend that you back up the system registry
before you make any changes. Incorrect changes to the registry could
result in permanent data loss or corrupted files. Please make sure that
you modify only the keys that are specified. Please see the document How
to back up the Windows registry before you proceed. This document is
available from the Symantec Fax-on-Demand system. In the U.S. and Canada,
call (541) 984-2490, select option 2, and then request document 927002.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

4. In the right pane, delete the following value:

Kernel32   kernel32.exe

5. Click Registry, and then click Exit.

Additional information:

Prevention

Corporate email filtering systems should block all email that has
attachments with the extensions .scr and .pif.

Home users should not open any email that has an attachment in which the
second extension is .pif or .scr. Any email that has such an attachment
should be deleted.

Write-up by: Peter Ferrie


---

FYI: This mail sent by Mario Profaca is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.303 / Virus Database: 164 - Release Date: 24. 11. 01


==============================================
SPY NEWS is OSINT newsletter
and discussion list associated to
Mario's Cyberspace Station
http://mprofaca.cro.net/mainmenu.html
==============================================

-----------------------------------------------

SPY NEWS home page:
http://groups.yahoo.com/group/spynews

--- End Message ---