Name: Win32.BadtransII
Threat Level:
Alias: W32/Badtrans-B, BADTRANS.B, WORM_BADTRANS.B, W32/Badtrans@MM, W32.Badtrans.B@mm, W32/BadTrans.B-mm, Win32.Badtrans.dll
Date: 27 November, 2001
Type: Win32, Trojan, Worm
Damage: Steal information, Other
Platform: 95, 98, ME, NT, 2000
Analysis
Win32.BadTransII is an email-spreading vandal which attempts to install a spying keystroke logger on infected machines and tries to steal access passwords to connections. When arriving by email, this vandal runs automatically by using an Outlook Express exploit known as the X-WAV exploit.
More information about this exploit and a patch is available from Microsoft.

eSafe products proactively protect against this exploit even without a vandal/virus update.

Infection
The arriving email will have the following format:

Subject: random words out of the following list: Humor, fun, docs, info
Body: No body text
Attached file: random attached file name with a double extension.
The list of possible names:
Pics
images
New_Napster_Site
README
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
news_doc
HAMSTER
YOU_are_FAT!
The first file extension will be one of the following: .DOC, .ZIP, .MP3
The second extension will be one of the following: .PIF, .SCR

This vandal can also arrive as a reply to an email. In that case the subject line will begin with Re: followed by the original subject line.
It also searches files with the extensions .HT* and .ASP (these are HTML files) and sends infected emails to addresses found there. Usually there will be many such HTML files in the browser cache directories.
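As an added example (not part of the eSafe advisory), the following Python check shows how a mail gateway could flag messages matching the subject, body and attachment-naming pattern described above; the indicator lists are taken from this page, and the message fields it is run on are constructed for illustration.

```python
import os
from dataclasses import dataclass, field

# Indicators as listed in the advisory (matched case-insensitively).
SUBJECTS = {"humor", "fun", "docs", "info"}
NAMES = {"pics", "images", "new_napster_site", "readme", "stuff", "setup",
         "card", "me_nude", "sorry_about_yesterday", "news_doc", "hamster",
         "you_are_fat!"}
FIRST_EXT = {".doc", ".zip", ".mp3"}
SECOND_EXT = {".pif", ".scr"}
# The advisory recommends blocking these attachment types outright.
BLOCKED_EXT = SECOND_EXT


@dataclass
class Verdict:
    block: bool
    reasons: list = field(default_factory=list)


def check_attachment_name(filename: str) -> list:
    """Return the naming indicators one attachment filename matches."""
    reasons = []
    root, ext2 = os.path.splitext(filename.strip().lower())   # final extension
    name, ext1 = os.path.splitext(root)                        # inner extension
    if ext2 in BLOCKED_EXT:
        reasons.append(f"attachment ends in {ext2}, a blocked executable type")
    if ext1 in FIRST_EXT and ext2 in SECOND_EXT:
        reasons.append("double extension matches the worm's pattern")
        if name in NAMES:
            reasons.append(f"base name {name!r} is on the worm's name list")
    return reasons


def check_message(subject: str, body: str, attachments: list) -> Verdict:
    """Score one message; block only when an attachment indicator fires,
    since the subject and empty-body hints alone are too common to act on."""
    reasons = []
    s = subject.strip().lower()
    if s in SUBJECTS:
        reasons.append("subject is one of the worm's fixed subjects")
    elif s.startswith("re:"):
        reasons.append("subject is in the reply form (Re: ...) the worm uses")
    if not body.strip():
        reasons.append("message body is empty")
    attach_hits = [r for a in attachments for r in check_attachment_name(a)]
    reasons.extend(attach_hits)
    return Verdict(block=bool(attach_hits), reasons=reasons)
```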

Operation
When an infected email is viewed on a system without the Microsoft patch, the attached file is automatically executed and will perform the following:

1. Create a copy of itself under the name KERNEL32.EXE in the Windows System directory (usually C:\Windows\System).

2. Create a file named KDLL.DLL (detected by eSafe as Win32.Badtrans.dll) in the Windows System directory. This file is a spying Trojan. It collects information about the PC including dial-up passwords. It is also a keystroke logger, collecting all the keyboard entries and the respective applications. All this information is saved encrypted to a file named CP_25389.NLS and sent to a predefined email address.

3. To execute itself each time the computer starts, the following registry entry is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe"

4. Use MAPI to send copies of itself to address book entries as well as addresses in HTML pages stored locally and as a reply to unread messages.

Removal Instructions

Manual Removal

1. Find and delete the files: KERNEL32.EXE and CP_25389.NLS

2. Using Regedit.exe, find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe". Delete the registry value kernel32. This procedure is recommended only for users with some knowledge of the registry.

3. Disable email previewing in Outlook Express. Delete all email messages that match the descriptions above.

Cleaning Utility
A cleaning utility is available from here.

eSafe Users
eSafe Desktop and Enterprise are protected by the Sandbox II and System Protector. All eSafe products detect and block the X-WAV exploit.
It is also recommended to block attached files with the extensions .PIF and .SCR. For more information about blocking dangerous file types see the link here.

A new vandal/virus update is available.

eSafe Enterprise, Desktop, Gateway 2.1
An update is available from here.

Note to eSafe Gateway 2.1 users
Support for Gateway 2.1 will be terminated on December 31, 2001. Please contact your local reseller to upgrade to the latest version of eSafe Gateway 3.0. More information about version 3 can be found here.

eSafe Gateway 3.x and eSafe Mail
Users can use the "Update now" option from within the product eConsole.

New Users
More information about eSafe Content Security Products as well as trial versions are available from here.