Perhaps some advice, then. I have received 5 or 6 copies of this virus, which therefore seems very active, from various sources. It was born on November 24. Norton currently puts it at the top of its alert list.

Here are the scan reports from Norton. By all evidence it is a virus that is difficult to manage. The question: does deleting the e-mail carrying the attachment that contains the virus (and deleting it from the trash) eliminate every possible risk? Thanks, have a good day. Alain Vadeboncoeur MD.

Extracts from the Norton report:
Date : 01/12/01, heure : 23:03:14, Alain Vadeboncoeur le DELL Le fichier C:\WINDOWS\TEMP\docs.DOC.pif est infecté par le virus W32.Badtrans.B@mm. Impossible de réparer ce fichier.
Date : 01/12/01, heure : 23:03:20, Alain Vadeboncoeur le DELL Le fichier C:\WINDOWS\TEMP\docs.DOC.pif est infecté par le virus W32.Badtrans.B@mm. Impossible de mettre ce fichier en quarantaine.
Date : 01/12/01, heure : 23:03:24, Alain Vadeboncoeur le DELL Le fichier C:\WINDOWS\TEMP\docs.DOC.pif était infecté par le virus W32.Badtrans.B@mm. Le fichier a été supprimé.

Text from Norton. Quite amusing reading.

W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 29, 2001 at 05:04:14 PM PST

Due to the increased rate of submissions, Symantec Security Response has upgraded the threat level of this worm from level 3 to level 4 as of November 26, 2001.

W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.

Type: Worm
Infection Length: 29,020 bytes
Virus Definitions: November 24, 2001

Threat Assessment:
Wild: High
Damage: Low
Distribution: High

Wild:
Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Damage:
Payload:
Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.
Distribution:
Name of attachment: randomly chosen from preset list
Size of attachment: 29,020 bytes

Technical description:
This worm arrives as an email with one of several attachment names and a combination of two appended extensions. It contains a set of bits that control its behavior:
001 Log every window text
002 Encrypt keylog
004 Send log file to one of its addresses
008 Send cached passwords
010 Shut down at specified time
020 Use copyname as registry name (else kernel32)
040 Use kernel32.exe as copyname
080 Use current filename as copypath (skips 100 check)
100 Copy to %system% (else copy to %windows%)

When it is first executed, it copies itself to %System% or %Windows% as Kernel32.exe, based on the control bits. Then it registers itself as a service process (Windows 9x/Me only). It creates the key log file %System%\Cp_25389.nls and drops %System%\Kdll.dll which contains the key logging code.

NOTE: %Windows% and %System% are variables. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) or the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

A timer is used to examine the currently open window once per second, and to check for a window title that contains any of the following as the first three characters:
LOG PAS REM CON TER NET
These texts form the start of the words LOGon, PASsword, REMote, CONnection, TERminal, NETwork. There are also Russian versions of these same words in the list. If any of these words are found, then the key logging is enabled for 60 seconds.

Every 30 seconds, the log file and the cached passwords are sent to one of these addresses or some others which are currently not operational:
[EMAIL PROTECTED] (17 addresses, redacted as [EMAIL PROTECTED] in the list archive)

After 20 seconds, the worm will shut down if the appropriate control bit is set.

If RAS support is present on the computer, then the worm will wait for an active RAS connection. When one is made, with a 33% chance, the worm will search for email addresses in *.ht* and *.asp in %Personal% and Internet Explorer %Cache%. If it finds addresses in these files, then it will send mail to those addresses using the victim's SMTP server. If this server is unavailable the worm will choose from a list of its own.

The attachment name will be one of the following:
Pics, images, README, New_Napster_Site, news_doc, HAMSTER, YOU_are_FAT!, stuff, SETUP, Card, Me_nude, Sorry_about_yesterday, info, docs, Humor, fun

In all cases, MAPI will also be used to find unread mail to which the worm will reply. The subject will be "Re:". In that case, the attachment name will be one of the following:
PICS, IMAGES, README, New_Napster_Site, NEWS_DOC, HAMSTER, YOU_ARE_FAT!, SEARCHURL, SETUP, CARD, ME_NUDE, Sorry_about_yesterday, S3MSONG, DOCS, HUMOR, FUN

In all cases, the worm will append two extensions. The first will be one of the following:
.doc .mp3 .zip
The second extension that is appended to the file name is one of the following:
.pif .scr
The resulting file name would look similar to CARD.Doc.pif or NEWS_DOC.mp3.scr.

If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:
"Mary L. Adams" <[EMAIL PROTECTED]>
"Monika Prado" <[EMAIL PROTECTED]>
"Support" <[EMAIL PROTECTED]>
" Admin" <[EMAIL PROTECTED]>
" Administrator" <[EMAIL PROTECTED]>
"JESSICA BENAVIDES" <[EMAIL PROTECTED]>
"Joanna" <[EMAIL PROTECTED]>
"Mon S" <[EMAIL PROTECTED]>
"Linda" <[EMAIL PROTECTED]>
" Andy" <[EMAIL PROTECTED]>
"Kelly Andersen" <[EMAIL PROTECTED]>
"Tina" <[EMAIL PROTECTED]>
"Rita Tulliani" <[EMAIL PROTECTED]>
"JUDY" <[EMAIL PROTECTED]>
" Anna" <[EMAIL PROTECTED]>

Email messages use the malformed MIME exploit to allow the attachment to execute in Microsoft Outlook without prompting. For information on this, go to:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm writes email addresses to the %System%\Protocol.dll file to prevent multiple emails to the same person. Additionally, the sender's email address will have the "_" character prepended to it, to prevent replying to infected mails to warn the sender (eg [EMAIL PROTECTED] becomes [EMAIL PROTECTED]).

After sending mail, the worm adds the value
Kernel32 kernel32.exe
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This will run the worm the next time that you start Windows. This value can differ based on the control bits mentioned above.

Removal instructions:
The preferred way to remove this worm is to use the W32.Badtrans.B@mm Removal Tool. If you are not able to obtain it for any reason, you must remove the worm manually.

Manual removal
To remove this worm manually, you must first remove the worm files and then reverse the change that it made to the registry.

Remove the worm's files
Follow the instructions for your version of Windows.

Windows 95/98/Me/2000/XP
Because the worm file may be in use, you must, in most cases, restart in Safe mode before Norton AntiVirus can delete it.

CAUTION: For Windows Me users only.
If you are using Windows Me, you should follow the instructions in the section System Restore option in Windows Me that is located at the end of this document before you begin the removal procedure.
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Restart the computer in Safe Mode. For instructions on how to do this, read the document for your operating system: How to restart Windows 9x or Windows Me in Safe Mode. How to start Windows 2000 in Safe mode. How to start Windows XP in Safe Mode.
3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
4. Run a full system scan.
5. Write down the names of any files that are detected as W32.Badtrans.B@mm, and then delete them.
6. When the scan is finished, go on to the section Edit the registry.

Windows NT
Because the worm file may be in use, you must, in most cases, End Process on it before Norton AntiVirus can delete it.
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Press Ctrl+Alt+Delete one time.
3. Click Task Manager.
4. Click the Processes tab.
5. Click the "Image Name" column header two times to sort the processes alphabetically.
6. Scroll through the list and look for kernel32.exe. If you find the file, click it and then click End Process.
7. Close the Task Manager.
8. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
9. Run a full system scan.
10. Write down the names of any files that are detected as W32.Badtrans.B@mm, and then delete them.
11. When the scan is finished, go on to the section Edit the registry.

Edit the registry:
CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
4. In the right pane, delete the following value:
Kernel32 kernel32.exe
CAUTION: The reference to Kernel32 is the most common value that is added by the worm, but it is not the only one possible. In some cases, it may not be there. In addition to looking for and deleting this value if found, you must also look for values that refer to any file names that were detected as infected by this worm when you ran the full system scan. All such values must be deleted.
5. Click Registry, and then click Exit.
6. Restart the computer.
7. To make sure that all files have been removed, start Norton AntiVirus and run another full system scan.

Additional information:
Prevention
Corporate email filtering systems should block all email that has attachments with the extensions .scr and .pif. Home users should not open any email that has an attachment in which the second extension is .pif or .scr. Any email that has such an attachment should be deleted.

System Restore option in Windows Me
One of the new features of Windows Me is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. Windows Me keeps the restore information in the _RESTORE folder. A _RESTORE folder is created on each hard drive on the computer; these folders are updated when the computer restarts.

If the computer is infected with W32.Badtrans.B@mm, then it is possible that the worm could be backed up in the _RESTORE folder. By default, Windows prevents System Restore from being modified by outside programs. Because of this, any repair attempts made by the removal tool will fail. To work around this, you must disable System Restore and restart the computer. This will purge the contents of the _RESTORE folder. You must then run the removal tool again.

To disable System Restore:
Follow the steps listed below the following figure. Use the numbers in the figure for reference.
1. Close all open programs. Then, right-click My Computer on the Windows desktop.
2. Click Properties.
3. Click the Performance tab.
4. Click File System.
5. Click the Troubleshooting tab.
6. Check Disable System Restore.
7. Click OK.
8. Click OK.
9. Click Yes to restart.
This disables the System Restore feature and will purge the contents of the _RESTORE folder when the system is restarted.

NOTE: After following all of the removal instructions, repeat steps 1 through 9, except in step 6, uncheck Disable System Restore.

You can also find additional information in the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder. For additional information, and an alternative to disabling System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

Write-up by: Peter Ferrie
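As an added defensive example (it is not part of the post above, nor Symantec's or Norton's code), the following Python mail-filter check turns two facts from the quoted write-up into detection logic: the worm's attachment names carry a double extension of the form name.{doc,mp3,zip}.{pif,scr}, and the Prevention section's advice that corporate filters block any attachment ending in .scr or .pif. It also flags the "_" that the write-up says is prepended to the sender's address. The sample message, its addresses (on the reserved .invalid domain) and the function names are constructed for this example; only the extension lists and the underscore rule come from the write-up.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Extension lists taken from the Symantec write-up quoted in the post above.
FIRST_EXTENSIONS = {".doc", ".mp3", ".zip"}   # first appended extension
SECOND_EXTENSIONS = {".pif", ".scr"}          # second (real) extension
# The write-up's corporate-filtering advice: block any attachment whose final
# extension is .scr or .pif, whatever precedes it.
BLOCKED_FINAL_EXTENSIONS = SECOND_EXTENSIONS


def split_extensions(filename: str) -> Tuple[str, List[str]]:
    """Split 'CARD.Doc.pif' into ('card', ['.doc', '.pif']), lower-cased so
    that mixed-case names like the write-up's examples match the same rules."""
    parts = filename.strip().lower().split(".")
    base = parts[0]
    exts = ["." + p for p in parts[1:] if p]
    return base, exts


def classify_attachment(filename: str) -> str:
    """Return one of:
    'badtrans-pattern'  - <name>.{doc,mp3,zip}.{pif,scr}, the exact double
                          extension described in the write-up
    'blocked-extension' - final extension .pif or .scr (corporate policy)
    'allow'             - anything else
    """
    _, exts = split_extensions(filename)
    if not exts:
        return "allow"
    if (len(exts) >= 2 and exts[-2] in FIRST_EXTENSIONS
            and exts[-1] in SECOND_EXTENSIONS):
        return "badtrans-pattern"
    if exts[-1] in BLOCKED_FINAL_EXTENSIONS:
        return "blocked-extension"
    return "allow"


def attachment_names(raw_message: bytes) -> List[str]:
    """Collect the file name of every MIME part that carries one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def sender_has_underscore_prefix(raw_message: bytes) -> bool:
    """True when the From: address's local part starts with '_', which the
    write-up describes as the worm's way of breaking replies to the sender."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    local_part = addr.split("@", 1)[0]
    return local_part.startswith("_")


def scan_message(raw_message: bytes) -> Dict[str, str]:
    """Map each attachment name in the message to its classification."""
    return {name: classify_attachment(name)
            for name in attachment_names(raw_message)}


# Constructed sample message for demonstration; not a real capture. The
# addresses are hypothetical and use the reserved .invalid top-level domain.
SAMPLE_MESSAGE = b"""From: "Mary L. Adams" <_mary@example.invalid>
To: recipient@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain

see attached
--part-boundary
Content-Type: application/octet-stream; name="CARD.Doc.pif"
Content-Disposition: attachment; filename="CARD.Doc.pif"
Content-Transfer-Encoding: base64

AAAA
--part-boundary
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

AAAA
--part-boundary--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_MESSAGE).items():
        print(f"{name}: {verdict}")
    print("sender local part starts with '_':",
          sender_has_underscore_prefix(SAMPLE_MESSAGE))
```

The two verdict levels are deliberate: "badtrans-pattern" is the narrow signature from the write-up and is only useful while the worm keeps that naming scheme, whereas "blocked-extension" is the durable policy the Prevention section recommends, since .pif and .scr are executable on Windows regardless of what precedes them. The underscore check is a weak signal on its own (an address may legitimately begin with "_"), so it is best used to raise priority rather than as a reason to block.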
