Colext/Macondo
Cantina virtual de los COLombianos en el EXTerior
--------------------------------------------------
Este es de verdad, verdad...
PANG=============
W32/Badtrans@MM is a Low risk Virus
Date Added 4/12/01 4:57:10 AM
Virus Characteristics
This mass mailing worm attempts to send itself using Microsoft Outlook by
replying to unread email messages. It also drops a remote access trojan
(detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as
New Backdoor prior to the 4134 DAT release).
When run, the worm displays a message box entitled, "Install error" which
reads, "File data corrupt: probably due to a bad data transmission or bad
disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an
entry is entered into the WIN.INI file to run INETD.EXE at startup.
KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a valid keylogger DLL) are
written to the WINDOWS SYSTEM directory, and a registry entry is created to
load the trojan upon system startup.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe
Once running, the trojan attempts to mail the victim's IP Address to the
author. Once this information is obtained, the author can connect to the
infected system via the Internet and steal personal information such as
usernames, and passwords. In addition, the trojan also contains a keylogger
program which is capable of capturing other vital information such as credit
card and bank account numbers and passwords.
The next time Windows is loaded, the worm attempts to email itself by
replying to unread messages in Microsoft Outlook folders. The worm will be
attached to these messages using one of the following filenames (note that
some of these filenames are also associated with other threats, such as
W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
AVERT first received an intended version of this worm (10,623 bytes) on
April 11 from a company in New Zealand. The file size of that sample is
Indications Of Infection
- Presence of the file %WinDir%\INETD.EXE
- Presence of the file %SysDir%\KERN32.EXE
- Email correspondence noting that you've sent them an attachment when you
did not.
Method Of Infection: This worm utilizes MAPI messaging to mail itself to
regular email correspondence. It will arrive as an attachment that is 13,312
bytes in length and uses one of the following names (note that some of these
filenames are also associated with other threats, such as W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
Removal Instructions
Use specified engine and DAT files for detection and removal.
Manual Removal Instructions
Delete the registry keys as mentioned
Restart the computer
Delete the files mentioned
Virus Information
Discovery Date: 4/11/01
Origin: Unknown
Length: 13,312
Type: Virus
SubType: Internet Worm
Risk Assessment: Low
Aliases
Backdoor-NK.svr , BadTrans (F-Secure), I-Worm.Badtrans (AVP),
W32.Badtrans.13312@mm (NAV)
--------------------------------------------------------------
To unsubscribe send an email to: [EMAIL PROTECTED]
with UNSUBSCRIBE COLEXT as the BODY of the message.
Un archivo de colext puede encontrarse en:
http://www.mail-archive.com/[email protected]/
cortesia de Anibal Monsalve Salazar
