Fw: BadTrans Worm

Michael Pugliese debsian at pacbell.net
Thu May 31 09:31:26 PDT 2001


----- Original Message -----
From: "Michael Pugliese" <debsian at pacbell.net>
To: "Adam Richmond" <adambrichmond at yahoo.com>
Sent: Thursday, May 31, 2001 9:21 AM
Subject: BadTrans Worm


> Dummy me opened an attachment that was advertised as an MP3, my
> antivirus program zapped it. I think!
> Needless to say, don't open any attachments "from me".
> Michael Pugliese
>
> Contains signature of Worm/BadTrans.2
> File was destroyed by virus!
> WAS DELETED!
> C:\WINDOWS\OPTIONS\CABS
> WIN98_24.CAB
> ArchiveType: CAB (Microsoft)
> NOTE! The archive is created by multiple volumes
> WIN98_25.CAB
> ArchiveType: CAB (Microsoft)
> NOTE! The archive is created by multiple volumes
>
> End of scan: 31.05.2001 08:52
> Time taken: 19:54 min
>
>
> 946 directories were scanned
> 14016 files were scanned
> 2 warning messages were issued
> 1 file was deleted
> 0 viruses were removed
> 1 virus was found
>
> http://support.avx.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_sid=QIm7EqOf&p_lva=&p_refno=010412-000008&p_created=987090805&p_sp=cF9ncmlkc29ydD0mcF9yb3dfY250PTUyJnBfc2VhcmNoX3RleHQ9JnBfc2VhcmNoX3R5cGU9MyZwX3Byb2RfbHZsMT1_YW55fiZwX2NhdF9sdmwxPTQmcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=
> Manually removing an infection from your computer can put your data at risk
> for damage that may or may not be recoverable. Central Command strongly
> recommends that you back up all of your data prior to attempting to remove an
> infection or repair any damage caused by an infection.
>
>
> Details:
> ----------
>
> Name: I-Worm.Badtrans
> Alias: W32.Badtrans.13312 at mm
> Detection added : April 12, 2001
> Spread Method : Via E-Mail (A copy of the worm will be sent as a reply
> message to all unread emails in the user's Inbox folder)
>
>
> Description:
> ------------
>
> Worm part:
> -------------
>
> When the attachment is executed the worm drops the trojan "hkk32.exe" into
> the Windows folder and executes itself. A copy of the worm is created under
> the file name inetd.exe in the Windows folder. The following line is added to
> "win.ini" in the [windows] section: run=c:\windows\inetd.exe.
>
> This line actually runs the worm every time Windows loads. After it finishes
> running its routine, the worm will display the following error box:
>
>
>
> The worm will arrive with one of the following filenames:
>
> New_Napster_Site.DOC.scr
> Pics.ZIP.scr
> images.pif
> README.TXT.pif
> news_doc.scr
> searchURL.scr
> SETUP.pif
> Card.pif
> hamster.ZIP.scr
> YOU_are_FAT!.TXT.pif
> Me_nude.AVI.pif
> Sorry_about_yesterday.DOC.pif
> s3msong.MP3.pif
> Humor.TXT.pif
> fun.pif
> docs.scr
>
> It will also add, to the original message, the following line:
> "Take a look to the attachment"
>
>
> Trojan part:
> --------------
>
> The hkk32.exe is a trojan called: Trojan.PSW.Hooker. This trojan drops a
> file called hksdll.dll used later as a hook component to intercept pressed
> keys. A copy of the worm called kern32.exe is created in the Windows folder
> and the original file hkk32.exe is deleted.
>
> It also adds the following key to the registry in order to be executed every
> time Windows loads:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
> kernel32 = c:\windows\system\kern32.exe
>
> It sends information from infected computers to the email address:
> ld8dl1 at mailandnews.com
>
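
A defender-side triage script for the indicators in the forwarded advisory, as an added example that is not part of the original message or of Central Command's write-up. It parses a win.ini dump for run=/load= autostart entries (reporting the inetd.exe path specifically), compares a RunOnce export against the kern32.exe value, and flags mail attachments that either match the listed filenames or, more generally than the list, hide a .scr/.pif executable behind a document-style extension. Every sample input is constructed; the function names and the "findings as strings" layout are this example's own choices.

```python
"""Triage checks for the Badtrans indicators quoted in the advisory above.

Added example, not code from the original message or from Central Command.
All sample inputs below are constructed; nothing is read from a live host.
"""
import re
from typing import Dict, List

# Indicators taken from the advisory text.
WORM_ATTACHMENT_NAMES = {
    "New_Napster_Site.DOC.scr", "Pics.ZIP.scr", "images.pif", "README.TXT.pif",
    "news_doc.scr", "searchURL.scr", "SETUP.pif", "Card.pif", "hamster.ZIP.scr",
    "YOU_are_FAT!.TXT.pif", "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "s3msong.MP3.pif", "Humor.TXT.pif", "fun.pif", "docs.scr",
}
_WORM_NAMES_LC = {n.lower() for n in WORM_ATTACHMENT_NAMES}
WORM_BODY_LINE = "take a look to the attachment"
WORM_RUN_TARGET = r"c:\windows\inetd.exe"                       # win.ini run= value
TROJAN_RUNONCE = ("kernel32", r"c:\windows\system\kern32.exe")  # RunOnce name, data

# Generalisation of the filename list: a document-style extension immediately
# followed by an executable .scr/.pif one, e.g. README.TXT.pif or budget.XLS.scr.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(scr|pif)$", re.IGNORECASE)


def check_attachment(name: str) -> List[str]:
    """Return findings for one attachment filename."""
    if name.lower() in _WORM_NAMES_LC:
        return [f"attachment name matches Badtrans list: {name}"]
    if DOUBLE_EXT.search(name):
        return [f"attachment uses a double extension: {name}"]
    return []


def check_message(body: str, attachments: List[str]) -> List[str]:
    """Flag the injected body line and suspicious attachment names."""
    findings = []
    if WORM_BODY_LINE in body.lower():
        findings.append("message body contains the injected Badtrans line")
    for name in attachments:
        findings.extend(check_attachment(name))
    return findings


def check_win_ini(text: str) -> List[str]:
    """Report run=/load= entries in the [windows] section of a win.ini dump.
    Both keys start a program at logon, so any non-empty value is reported."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ("run", "load") or not value:
            continue
        if value.lower() == WORM_RUN_TARGET:
            findings.append(f"win.ini {key}= points at the Badtrans worm copy: {value}")
        else:
            findings.append(f"win.ini {key}= autostart entry present: {value}")
    return findings


def check_runonce(values: Dict[str, str]) -> List[str]:
    r"""values maps value name -> data, as exported from
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce."""
    name, data = TROJAN_RUNONCE
    return [
        f"RunOnce value {vname} = {vdata} matches Trojan.PSW.Hooker persistence"
        for vname, vdata in values.items()
        if vname.lower() == name and vdata.lower() == data
    ]


# Constructed samples: a win.ini fragment, a RunOnce export and one message.
SAMPLE_WIN_INI = """; constructed win.ini, not from a real machine
[windows]
load=
run=c:\\windows\\inetd.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUNONCE = {"kernel32": r"C:\Windows\System\kern32.exe"}
SAMPLE_BODY = "Re: meeting notes\n\nSee you tomorrow.\nTake a look to the attachment\n"
SAMPLE_ATTACHMENTS = ["notes.txt", "Sorry_about_yesterday.DOC.pif", "budget.XLS.scr"]


def scan_sample() -> List[str]:
    """Run every check over the constructed samples and return all findings."""
    return (check_win_ini(SAMPLE_WIN_INI)
            + check_runonce(SAMPLE_RUNONCE)
            + check_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS))


if __name__ == "__main__":
    for finding in scan_sample():
        print("[!]", finding)
```

Run as-is it reports five findings over the constructed samples: the win.ini run= entry, the RunOnce value, the injected body line, one attachment from the advisory's list and one generic double-extension name. On a real investigation the win.ini text and the RunOnce name/data pairs would come from the host being examined, and the double-extension rule will also catch names the list does not contain, which is the point of keeping it separate from the exact-match check.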



More information about the lbo-talk mailing list