
Re: Virus Alert

At 12:40 PM 12/03/2001 -0800, you wrote:
 >Hard to imagine these are all accidental.

There seems to be a lot of confusion and misunderstanding about how these 
viruses work -- below is a brief description from Tech Republic on how it 
operates and how to protect yourself -----

An Internet worm called BadTrans.B has been released that may chill some of 
the holiday warmth. This worm spreads via e-mail and takes advantage of the 
decreased wariness of the many people who expect holiday greetings to flood 
their inboxes.

BadTrans.B targets Microsoft Outlook mailboxes and can steal sensitive 
files and information from the users of infected machines. Although this 
worm is being effectively filtered by most antivirus systems, it poses a 
significant security threat to those machines that are infected.

How it works
The BadTrans.B worm variant first appeared on Nov. 23, and according to 
reports, it began in Great Britain. Incidents.org reports that by Nov. 26, 
the worm had already spread to 52 countries. You can track the progress of 
this and other Internet threats through Messagelabs.com. BadTrans.B was up 
to number two (behind SirCam) on the incident list by 12:00 P.M. EST on 
Nov. 27.

This worm spreads by replying to messages contained in an infected system’s 
Outlook mailbox. The timing of its release suggests that it may be 
attempting to capture sensitive data that’s exposed during online shopping 
sessions.

BadTrans.B propagates through e-mail attachments, which can begin with any 
of the following filenames:
  - Humor
  - Docs
  - S3msong
  - Me_nude
  - Card
  - Searchurl
  - You_are_fat!
  - News_doc
  - Images

As it mutates, there will probably be other names as well.

The attachments use a dual extension as part of the filename. That is, an 
attachment carrying the worm might be named Humor.zip.scr, where humor 
could be replaced by any of the possible names. There are also variants for 
the extensions, making the number of possible file designations initially 
about 60. This is just an estimate; some combinations may not be used, a 
few others may not have been discovered yet, and new variants may be 
released as the original worm spreads. The first extension could be .doc, 
.mp3, or .zip. The second extension could be either .pif or .scr.

Besides using the compromised computer to mail itself to other targets, the 
worm installs both a backdoor and keystroke logger. As a result, the worm 
has the potential of being particularly dangerous because it might capture 
passwords and username combinations, as well as credit card information 
during the holidays when people are using their computers to place gift 
orders. Since a lot of people use office computers to do their shopping, 
and the keystroke logger captures all input, this threat could also compromise 
sensitive business information, and the backdoor could lead to the theft of 
business documents.

According to Network Associates, the worm spreads by using MAPI messaging 
to e-mail 13,312-byte attachments. The addresses for outgoing infections 
are replies to unread Outlook messages. There are reports that BadTrans 
messages can contain several text versions, including a brief message 
telling the recipient to look at the attachment.

Network Associates reports that when the virus is run, it displays an 
Install Error message box that says, “File data corrupt: probably due to a 
bad transmission or bad disk access.”

This worm installs a backdoor (Kernel32.exe) keyed to a new registry entry, 
which installs the backdoor at bootup and e-mails the IP address of 
infected machines. This allows someone initiating the spread of BadTrans to 
download the contents of the Hksdll.dll keystroke logger file, which the 
worm also installs.

Avoiding the worm
Although this worm is spreading rapidly, it isn’t rated by Symantec as 
particularly dangerous. Symantec provides the following recommendation for 
administrators to quickly prevent infection: “Block any e-mail with 
attachments ending in .pif or .scr.” This is generally a good practice 
anyway, but there are also specific comments related to this worm on the 
Symantec site.

To check for infection, Symantec security specialists say that you can look 
for a new copy of Kernel32.exe in the \Windows\system directory and the 
following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Other security specialists report that infected systems will also contain 
the Inetd.exe file, which is the actual worm.

Final word
BadTrans.B is a slight variant of what Network Associates calls 
W32/BadTrans, a worm first described in the wild on April 11, 2001. 
Regularly updating virus descriptions in most antivirus programs should 
prevent infections by this and other variants of BadTrans.

This dangerous worm is an excellent example of how having a good antivirus 
system in place can save a lot of time and money. Those who have antivirus 
software and a good policy for maintaining it have largely been immune to 
this virus. Those who don’t have such software or lack a good 
implementation policy are suffering some major headaches because of this 
little demon.
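As an added example, not part of the original post or the Tech Republic article it quotes, here is a small Python attachment filter that applies Symantec's "block .pif or .scr" rule and additionally recognises the BadTrans.B dual-extension naming pattern and the 13,312-byte size the article reports. The function names and sample filenames are assumed/constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Indicators quoted in the write-up above (names, extensions, attachment size).
BADTRANS_NAMES = {"humor", "docs", "s3msong", "me_nude", "card",
                  "searchurl", "you_are_fat!", "news_doc", "images"}
BADTRANS_FIRST_EXT = {".doc", ".mp3", ".zip"}
EXECUTABLE_EXT = {".pif", ".scr"}          # Symantec's blanket block list
BADTRANS_SIZE = 13312                      # bytes, per Network Associates


@dataclass
class Verdict:
    block: bool
    reasons: Tuple[str, ...]


def check_attachment(filename: str, size: Optional[int] = None) -> Verdict:
    """Decide whether one attachment should be blocked at the mail gateway.

    Hypothetical helper: blocks on the executable extension alone (the
    generic rule) and records the BadTrans.B-specific indicators as extra
    reasons so an operator can tell a generic .scr from this worm.
    """
    reasons: List[str] = []
    parts = filename.strip().lower().split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    if last in EXECUTABLE_EXT:
        reasons.append("executable extension " + last)
        if len(parts) >= 3:                # name.first.second -> dual extension
            inner = "." + parts[-2]
            base = ".".join(parts[:-2])
            if inner in BADTRANS_FIRST_EXT:
                reasons.append("double extension " + inner + last)
            if base in BADTRANS_NAMES:
                reasons.append("known BadTrans.B name " + base)
        if size == BADTRANS_SIZE:
            reasons.append("size matches 13,312-byte worm body")
    # A size match without an executable extension is not enough to block:
    # plenty of legitimate files are exactly 13,312 bytes.
    return Verdict(bool(reasons), tuple(reasons))


def blocked_attachments(names: List[str]) -> List[str]:
    """Return the subset of constructed sample names the filter would drop."""
    return [n for n in names if check_attachment(n).block]
```

Case-insensitive matching matters here because Windows treats Humor.zip.SCR and humor.zip.scr as the same screensaver executable.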