At 12:40 PM 12/03/2001 -0800, you wrote:
>Hard to imagine these are all accidental.
There seems to be a lot of confusion and misunderstanding about how these
viruses work -- below is a brief description from Tech Republic on how it
operates and how to protect yourself:
An Internet worm called BadTrans.B has been released that may chill some of
the holiday warmth. This worm spreads via e-mail and takes advantage of the
decreased wariness of the many people who expect holiday greetings to flood
their inboxes.
BadTrans.B targets Microsoft Outlook mailboxes and can steal sensitive
files and information from the users of infected machines. Although this
worm is being effectively filtered by most antivirus systems, it poses a
significant security threat to those machines that are infected.
How it works
The BadTrans.B worm variant first appeared on Nov. 23, and according to
reports, it began in Great Britain. Incidents.org reports that by Nov. 26,
the worm had already spread to 52 countries. You can track the progress of
this and other Internet threats through Messagelabs.com. BadTrans.B was up
to number two (behind SirCam) on the incident list by 12:00 P.M. EST on
Nov. 27.
This worm spreads by replying to messages contained in an infected system’s
Outlook mailbox. The timing of its release suggests that it may be
attempting to capture sensitive data that’s exposed during online shopping
sessions.
BadTrans.B propagates through e-mail attachments, which can begin with any
of the following filenames:
· Humor
· Docs
· S3msong
· Me_nude
· Card
· Searchurl
· You_are_fat!
· News_doc
· Images
As it mutates, there will probably be other names as well.
The attachments use a dual extension as part of the filename. That is, an
attachment carrying the worm might be named Humor.zip.scr, where humor
could be replaced by any of the possible names. There are also variants for
the extensions, making the number of possible file designations initially
about 60. This is just an estimate; some combinations may not be used, a
few others may not have been discovered yet, and new variants may be
released as the original worm spreads. The first extension could be .doc,
.mp3, or .zip. The second extension could be either .pif or .scr.
Besides using the compromised computer to mail itself to other targets, the
worm installs both a backdoor and keystroke logger. As a result, the worm
has the potential of being particularly dangerous because it might capture
passwords and username combinations, as well as credit card information
during the holidays when people are using their computers to place gift
orders. Since a lot of people use office computers to do their shopping,
and the keystroke logger captures all input, this threat could also compromise
sensitive business information, and the backdoor could lead to the theft of
business documents.
According to Network Associates, the worm spreads by using MAPI messaging
to e-mail 13,312-byte attachments. The addresses for outgoing infections
are replies to unread Outlook messages. There are reports that BadTrans
messages can contain several text versions, including a brief message
telling the recipient to look at the attachment.
Network Associates reports that when the virus is run, it displays an
Install Error message box that says, “File data corrupt: probably due to a
bad transmission or bad disk access.”
This worm installs a backdoor (Kernel32.exe) keyed to a new registry entry,
which installs the backdoor at bootup and e-mails the IP address of
infected machines. This allows someone initiating the spread of BadTrans to
download the contents of the Hksdll.dll keystroke logger file, which the
worm also installs.
Avoiding the worm
Although this worm is spreading rapidly, it isn’t rated by Symantec as
particularly dangerous. Symantec provides the following recommendation for
administrators to quickly prevent infection: “Block any e-mail with
attachments ending in .pif or .scr.” This is generally a good practice
anyway, but there are also specific comments related to this worm on the
Symantec site.
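An added example (not part of the Tech Republic article or the original post) showing how a mail gateway could apply Symantec's "block .pif/.scr" rule and, on top of it, recognise the name.doc|mp3|zip.pif|scr pattern described above. The sample message is constructed for the demonstration and contains no worm code; the name lists are taken from the article.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment name prefixes and extensions the article lists for BadTrans.B
WORM_NAMES = ("humor", "docs", "s3msong", "me_nude", "card",
              "searchurl", "you_are_fat!", "news_doc", "images")
INNER_EXTS = {".doc", ".mp3", ".zip"}
OUTER_EXTS = {".pif", ".scr"}   # Symantec's rule: block anything ending in these


def classify_attachment(filename: str) -> str:
    """Return 'badtrans', 'block' or 'allow' for one attachment filename."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or "." + parts[-1] not in OUTER_EXTS:
        return "allow"
    # Final extension is .pif/.scr: the generic rule blocks it whatever the name.
    # Additionally recognise the specific name.doc|mp3|zip.pif|scr pattern.
    if (len(parts) == 3 and "." + parts[1] in INNER_EXTS
            and parts[0].startswith(WORM_NAMES)):
        return "badtrans"
    return "block"


def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 822 message to its verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify_attachment(part.get_filename())
            for part in msg.iter_attachments() if part.get_filename()}


def build_sample() -> bytes:
    """Constructed message for demonstration only (no real worm content):
    a harmless PDF plus an attachment named the way the article describes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Re: holiday greetings"
    msg.set_content("Please look at the attachment.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Humor.zip.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()).items():
        print(f"{name}: {verdict}")
```

Because the generic rule fires on the final extension alone, a renamed variant with an unlisted name prefix is still blocked; the "badtrans" verdict only adds a more specific label for alerting.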
To check for infection, Symantec security specialists say that you can look
for a new copy of Kernel32.exe in the \Windows\system directory and the
following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe
Other security specialists report that infected systems will also contain
the Inetd.exe file, which is the actual worm.
Final word
BadTrans.B is a slight variant of what Network Associates calls
W32/BadTrans, a worm first described in the wild on April 11, 2001.
Regularly updating virus descriptions in most antivirus programs should
prevent infections by this and other variants of BadTrans.
This dangerous worm is an excellent example of how having a good antivirus
system in place can save a lot of time and money. Those who have antivirus
software and a good policy for maintaining it have largely been immune to
this virus. Those who don’t have such software or lack a good
implementation policy are suffering some major headaches because of this
little demon.