Thread: New Virus!
11-25-2001, 05:15 PM
TSB
Confirmed User
 
Join Date: Jan 2001
Location: Guitarville
Posts: 170
VIRUS NAME:
W32.Badtrans.B@mm

Discovered on: November 24, 2001

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.

Type: Worm

Damage:

Payload:
Large scale e-mailing: Sends email from addresses found in the default MAPI program.

Compromises security settings: Installs keystroke logging Trojan.

Technical description:

This worm arrives as an email with one of several attachment names and a combination of two appended extensions.

The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS

The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP

The second extension that is appended to the file name is one of the following:
.pif
.scr

The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:
1. Corporate email filtering systems should block all email that has attachments with the extensions .scr and .pif.

2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.

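The two prevention methods in the post above describe a mail-gateway rule (drop .pif/.scr attachments, and drop anything whose name matches the worm's name list). The following is an added example, not code from the original post or from any antivirus vendor: it parses an RFC 822 message with Python's standard-library `email` package, applies the advisory's exact `<name>.<DOC|MP3|ZIP>.<pif|scr>` pattern, and also generalises rule 1 to a double-extension check (a document-looking name followed by an executable extension, which Explorer shows with the final extension hidden). The broader executable-extension list and the sample message with three attachments are assumptions and constructed data, not from the advisory.

```python
"""Mail-gateway attachment check for the W32.Badtrans.B@mm naming pattern.

Added example (not from the original post): applies the advisory's two
prevention rules to the attachments of a parsed RFC 822 message and
generalises rule 1 to a double-extension check. EXECUTABLE_EXT beyond
.pif/.scr and the sample message are assumptions/constructed data.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment stems and the first/second extensions listed in the advisory.
BADTRANS_STEMS = {
    "humor", "docs", "s3msong", "me_nude", "card",
    "searchurl", "you_are_fat!", "news_doc", "images", "pics",
}
BADTRANS_FIRST_EXT = {"doc", "mp3", "zip"}
BADTRANS_SECOND_EXT = {"pif", "scr"}

# Assumption: a broader set of extensions Windows runs directly, used for the
# generic "document-looking name with an executable final extension" rule.
EXECUTABLE_EXT = BADTRANS_SECOND_EXT | {"exe", "com", "bat", "cmd", "vbs", "js"}


def classify_attachment(filename):
    """Return a verdict string for a suspicious attachment name, else None.

    Verdicts, most specific first:
      "badtrans-b"        exact <stem>.<doc|mp3|zip>.<pif|scr> pattern
      "blocked-extension" final extension .pif or .scr (prevention method 1)
      "double-extension"  any other <name>.<ext>.<executable ext>
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return None
    stem, exts = parts[0], parts[1:]
    last = exts[-1]
    if (len(exts) >= 2 and stem in BADTRANS_STEMS
            and exts[-2] in BADTRANS_FIRST_EXT and last in BADTRANS_SECOND_EXT):
        return "badtrans-b"
    if last in BADTRANS_SECOND_EXT:
        return "blocked-extension"
    if len(exts) >= 2 and last in EXECUTABLE_EXT:
        return "double-extension"
    return None


def scan_message(raw_bytes):
    """Parse a raw message; return [(filename, verdict), ...] per attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


def should_block(raw_bytes):
    """Gateway decision: drop the mail if any attachment gets a verdict."""
    return any(verdict is not None for _, verdict in scan_message(raw_bytes))


def build_sample_message():
    """Constructed test mail (not a real worm sample) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("see attached")
    # Worm-style name: with known extensions hidden, Explorer shows CARD.DOC
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="CARD.DOC.pif")
    # Same trick with an extension the advisory does not list
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    # Benign attachment that must pass
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, verdict in scan_message(raw):
        print(f"{name:20} -> {verdict or 'clean'}")
    print("block:", should_block(raw))
```

Matching is case-insensitive because the advisory itself lists `CARD.DOC.PIF` and the worm writes the second extension in lower case; a filter keyed only on the exact strings shown would miss either form. The generic double-extension verdict is deliberately separate from the exact-pattern verdict so a gateway can quarantine the former and hard-drop the latter.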