Hello,
I just received two more copies from the badtrans worm, not through
owner-arachne but in reply to arachne list messages. This can be explained
by the worms habit to answer UNOPENED mail in inboxes. See mcafee
description below.
Arachne recipient Oscar Diaz appears to be infected. Just one of the two
messages are quoted, the other one is also just a mailinglist message.
Windows users, consider yourself under attack!
Oscar, get a virusscanner or update the one you have.
(gee, I love this...)
Arnhem, Netherlands,
Flip ter Biecht
>X-XS4ALL-To: <[EMAIL PROTECTED]>
>Date: Tue, 4 Sep 2001 16:26:48 -0400 (AST)
>From: "Oscar Diaz" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: Re: Re: Little moron readahead
>X-Mailer: Microsoft Outlook Express 5.50.4133.2400
>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
>
>'Flip ter Biecht' wrote:
>====
>- Hi Clarence,
>-
>- Quite a testscheme, but are you in fact comparing drives or cache
>- programs?
>- Could it be that hardware diskcache optimum sizes are just related to
>- bytes/cyl (=bytes read per rotation), and are affected by fragmentation,
>- only because a fragmented drive would stuff the cache with useless bytes,
>- while software caches follow the FATs and just derive from the hardware
>- cache those bytes that belong to the to-be-read file, and are only
>- delayed ...'
>
>
>> Take a look to the attachment.
>
>
>
>Attachment Converted: "d:\program files\eudora\attach\SETUP.pif"
>
Follows mcafee info:
Virus Name Risk Assessment
W32/Badtrans@MM Medium
Virus Information
Discovery Date: 04/11/2001
Origin: Unknown
Length: 13,312
Type: Virus
SubType: Internet Worm
Minimum Dat: 4134
Minimum Engine: 4.0.70
DAT Release Date: 04/18/2001
Description Added: 04/12/2001
Description Menu
Virus Characteristics
Symptoms
Method Of Infection
Removal Instructions
Variants / Aliases
Rate this page
Print This Page
Virus Characteristics
This mass mailing worm attempts to send itself using Microsoft Outlook by
replying to unread email messages. It also drops a remote access trojan
(detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as
New Backdoor prior to the 4134 DAT release).
When run, the worm displays a message box entitled, "Install error" which
reads, "File data corrupt: probably due to a bad data transmission or bad
disk access." A copy is saved into the WINDOWS directory as INETD.EXE and
an entry is entered into the WIN.INI file to run INETD.EXE at startup.
KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL detected as
DUNpws.av) are written to the WINDOWS SYSTEM directory, and a registry
entry is created to load the trojan upon system startup.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe
Note: Under WinNT/2K, an additional registry key value is entered instead
of a WIN.INI entry:
HKEY_USERS\Software\Microsoft\Windows NT\
CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
Once running, the trojan attempts to mail the victim's IP Address to the
author. Once this information is obtained, the author can connect to the
infected system via the Internet and steal personal information such as
usernames, and passwords. In addition, the trojan also contains a keylogger
program which is capable of capturing other vital information such as
credit card and bank account numbers and passwords.
The next time Windows is loaded, the worm attempts to email itself by
replying to unread messages in Microsoft Outlook folders. The worm will be
attached to these messages using one of the following filenames (note that
some of these filenames are also associated with other threats, such as
W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
AVERT first received an intended version of this worm (10,623 bytes) on
April 11 from a company in New Zealand.
Top of Page
Symptoms
- Presence of the file %WinDir%\INETD.EXE
- Presence of the file %SysDir%\KERN32.EXE
- Email correspondence noting that you've sent them an attachment when you
did not.
Top of Page
Method Of Infection
This worm utilizes MAPI messaging to mail itself to regular email
correspondence. It will arrive as an attachment that is 13,312 bytes in
length and uses one of the following names (note that some of these
filenames are also associated with other threats, such as W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
Top of Page
Removal Instructions
Use specified engine and DAT files for detection and removal.
Manual Removal Instructions
Restart the computer in MS-DOS mode
Delete the files mentioned
Restart Windows
Delete the registry keys as mentioned
Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected file
could be stored there as a backup file, and VirusScan will be unable to
delete these files. These instructions explain how to remove the infected
files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the
the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected file's
are removed and the System Restore is once again active.
Top of Page
Variants
Name Type Sub Type Differences
Top of Page
Aliases
Name
Backdoor-NK.svr
BadTrans (F-Secure)
I-Worm.Badtrans (AVP)
TROJ_BADTRANS.A (Trend)
W32.Badtrans.13312@mm (NAV)
Top of Page
� 2001, Network Associates, Inc. and its affiliated Companies. All Rights
Reserved.
