Mobile menu

Worm W32.Badtrans.B@mm: info and deleting instructions
Thread poster: Evert DELOOF-SYS

Evert DELOOF-SYS  Identity Verified
Belgium
Local time: 05:26
Member
English to Dutch
+ ...
Nov 28, 2001

For those of you who need to get rid of this nasty worm, here\'s some info on the subject (from Symantec - symantec.com).





W32.Badtrans.B@mm

Discovered on: November 24, 2001

Last Updated on: November 27, 2001 at 09:32:11 AM PST





Due to the increased rate of submissions, Symantec Security Response has upgraded the threat level of this worm from level 3 to level 4 as of November 26, 2001.



W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \\Windows\\System\\Kdll.dll. It uses functions from this file to log keystrokes.





Type: Worm



Infection Length: 29,020 bytes



Virus Definitions: November 24, 2001



Threat Assessment:





Wild:

High Damage:

Low Distribution:

High





Wild:



Number of infections: More than 1000

Number of sites: 3 - 9

Geographical distribution: Low

Threat containment: Easy

Removal: Easy

Damage:



Payload:

Large scale e-mailing: Uses MAPI commands to send email.

Compromises security settings: Installs keystroke logging Trojan horse.

Distribution:



Name of attachment: randomly chosen from preset list

Size of attachment: 29,020 bytes



Technical description:



This worm arrives as an email with one of several attachment names and a combination of two appended extensions. It contains a set of bits that control its behavior:



001 Log every window text

002 Encrypt keylog

004 Send log file to one of its addresses

008 Send cached passwords

010 Shut down at specified time

020 Use copyname as registry name (else kernel32)

040 Use kernel32.exe as copyname

080 Use current filename as copypath (skips 100 check)

100 Copy to %system% (else copy to %windows%)



When it is first executed, it copies itself to %System% or %Windows% as Kernel32.exe, based on the control bits. Then it registers itself as a service process (Windows 9x/Me only). It creates the key log file \\%System%\\Cp_25389.nls and drops %System%\\Kdll.dll which contains the key logging code.



NOTE: %Windows% and %System% are variables. The worm locates the \\Windows folder (by default this is C:\\Windows or C:\\Winnt) or the \\System folder (by default this is C:\\Windows\\System or C:\\Winnt\\System32) and copies itself to that location.



A timer is used to examine the currently open window once per second, and to check for a window title that contains any of the following as the first three characters:





LOG

PAS

REM

CON

TER

NET



These texts form the start of the words LOGon, PASsword, REMote, CONnection, TERminal, NETwork. There are also Cyrillic versions of these same words in the list. If any of these words are found, then the key logging is enabled for 60 seconds. Every 30 seconds, the log file and the cached passwords are sent to one of these addresses:



ZVDOHYIK@yahoo.com

udtzqccc@yahoo.com

DTCELACB@yahoo.com

I1MCH2TH@yahoo.com

WPADJQ12@yahoo.com

fjshd@rambler.ru

smr@eurosport.com

bgnd2@canada.com

muwripa@fairesuivre.com

rmxqpey@latemodels.com

eccles@ballsy.net

suck_my_prick@ijustgotfired.com

suck_my_prick4@ukr.net

thisisno_fucking_good@usa.com

S_Mentis@mail-x-change.com

YJPFJTGZ@excite.com

JGQZCD@excite.com

XHZJ3@excite.com

OZUNYLRL@excite.com

tsnlqd@excite.com

cxkawog@krovatka.net

ssdn@myrealbox.com



After 20 seconds, the worm will shut down if the appropriate control bit is set.



If RAS support is present on the computer, then the worm will wait for an active RAS connection. When one is made, with a 33% chance, the worm will search for email addresses in *.ht* and *.asp in %Personal% and Internet Explorer %Cache%. If it finds addresses in these files, then it will send mail to those addresses. The attachment name will be one of the following:



Pics

images

README

New_Napster_Site

news_doc

HAMSTER

YOU_are_FAT!

stuff

SETUP

Card

Me_nude

Sorry_about_yesterday

info

docs

Humor

fun



In all cases, MAPI will also be used to find unread mail to which the worm will reply. The subject will be \"Re:\". In that case, the attachment name will be one of the following:



PICS

IMAGES

README

New_Napster_Site

NEWS_DOC

HAMSTER

YOU_ARE_FAT!

SEARCHURL

SETUP

CARD

ME_NUDE

Sorry_about_yesterday

S3MSONG

DOCS

HUMOR

FUN



In all cases, the worm will append two extensions. The first will be one of the following:



.doc

.mp3

.zip



The second extension that is appended to the file name is one of the following:



.pif

.scr



The resulting file name would look similar to CARD.Doc.pif or NEWS_DOC.mp3.scr.



If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:



\"Mary L. Adams\"

\"Monika Prado\"

\"Support\"

\" Admin\"

\" Administrator\"

\"JESSICA BENAVIDES\"

\"Joanna\"

\"Mon S\"

\"Linda\"

\" Andy\"

\"Kelly Andersen\"

\"Tina\"

\"Rita Tulliani\"

\"JUDY\"

\" Anna\"



Email messages use the malformed MIME exploit to allow the attachment to execute in Microsoft Outlook without prompting. For information on this, go to:



http://www.microsoft.com/technet/security/bulletin/MS01-020.asp



The worm writes email addresses to the %System%\\Protocol.dll file to prevent multiple emails to the same person.



After sending mail, the worm adds the value



Kernel32 kernel32.exe



to the registry key



HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce



This will run the worm the next time that you start Windows.





Removal instructions:



To remove this worm, follow the instructions for your operating system.



Basic instructions



Windows 95/98/Me



1. Restart Windows in Safe Mode

2. Run Norton AntiVirus and delete all files that are detected as W32.Badtrans.B@mm.

3. Remove the value that it added to the registry.



For detailed instructions, see the sections that follow.





Windows NT/2000

1. Rename the file Kernel32.exe.

2. Remove the value added to the registry.

3. Restart the computer.

4. Run Norton AntiVirus and delete all files that are detected as W32.Badtrans.B@mm.



For detailed instructions, see the sections that follow.





Detailed instructions



To restart 95/98/Me in Safe mode:

For instructions, read the document How to restart Windows 9x or Windows Me in Safe Mode.





To Rename the file Kernel32.exe under Windows NT/2000

1. Click Start, point to Find or Search, and click Files or Folders.

2. Make sure that \"Look in\" is set to (C and that Include subfolders is checked.

3. In the \"Named\" or \"Search for...\" box, type the following:



Kernel32.exe



CAUTION: Make sure that you type the full name as shown. You must rename the Kernel32.exe file, not the legitimate Windows file Kernel32.dll



4. Click Find Now or Search Now.

5. Right-click the file that is displayed and then click Rename.

6. Rename the file to Kernel32.old and press Enter.

7. Close the Find or Search window.

8. Restart the computer.





To run Norton AntiVirus and delete detected files:



CAUTION: Make sure that you are in Safe mode (Windows 95/98/Me) or have already renamed the Kernel32.exe file (Windows NT/2000).



1. Run LiveUpdate to make sure that you have the most recent virus definitions.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.

3. Run a full system scan.

4. Delete all files that are detected as W32.Badtrans.B@mm.



To edit the registry:



CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.



1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:



HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce



4. In the right pane, delete the following value:



Kernel32 kernel32.exe



5. Click Registry, and then click Exit.







Additional information:



Prevention



Corporate email filtering systems should block all email that have attachments with the extensions .scr and .pif.

Home users should not open any email that has an attachment in which the second extension is .pif or .scr. Any email that has such an attachment should be deleted.





Direct link Reply with quote
 


To report site rules violations or get help, contact a site moderator:


You can also contact site staff by submitting a support request »

Worm W32.Badtrans.B@mm: info and deleting instructions

Advanced search






PerfectIt consistency checker
Faster Checking, Greater Accuracy

PerfectIt helps deliver error-free documents. It improves consistency, ensures quality and helps to enforce style guides. It’s a powerful tool for pro users, and comes with the assurance of a 30-day money back guarantee.

More info »
SDL MultiTerm 2015
Guarantee a unified, consistent and high-quality translation with terminology software.

SDL MultiTerm 2015 allows translators to create one central location to store and manage multilingual terminology, and with SDL MultiTerm Extract 2015 you can automatically create term lists from your existing documentation to save time.

More info »



All of ProZ.com
  • All of ProZ.com
  • Term search
  • Jobs