- Lid sinds
- 8 feb 2001
- Berichten
- 251
- Waarderingsscore
- 0
- Punten
- 16
- Leeftijd
- 58
Toen ik mijn Email opende ondekte ik nogal veel mails met RE van
Opgepast want dit is dus ook een virrus ik ben direct gaan scannen bij Macafee en kijk eens wat ik vond over dit beestje .
UPDATE December 3, 2001
The Risk Assessment has been set back to Medium due to a decline in customer submissions.
UPDATE November 25, 2001 20:30 PST
AVERT has raised the Risk Assessment on the Badtrans.b variant to Medium On Watch for corporate users and High for home users. We have received many reports that the virus is being seen and stopped at corporate gateways and mailservers. However, we continue to get reports from the home user segment that they have become infected. This is due to the fact that home users tend to update their DAT files less frequently.
As noted below, the virus is detected as W32/Badtrans@MM as the detection technology, which identified the virus first, uses this naming convention for both variants of the Badtrans virus.
This new variant of Badtrans drops a password stealing trojan which is detected as PWS-Hooker with the 4173 DATs, or greater, and a variant of PWS-AV with the 4172 DATs.
UPDATE November 24, 2001 15:30 PST
A new variant of Badtrans has been discovered. This is considered to be variant .b by some companies. VirusScan and other McAfee products with DAT files 4168 are protected from this variant without any updating from that DAT. The variant will be detected as W32/Badtrans@MM when scanning compressed files.
This variant is a Medium risk as is the first variant. Your risk of infection is higher if you do not have the 4168 DAT files or above. See the .b section below for more details on this variant.
Badtrans.a details:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).
When run, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL detected as PWS-AV (was DUNpws.av) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe
Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\
CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
Once running, the trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames, and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.
The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
AVERT first received an intended version of this worm (10,623 bytes) on April 11 from a company in New Zealand.
Badtrans.b details:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread and read email messages. It also mails itself to email addresses found within files that exist on your system. It drops a keylogging trojan (detected as PWS-Hooker with the 4173 DATs, or greater) into the SYSTEM directory as KDLL.DLL. This trojan logs keystrokes for the purpose of stealing personal information (such as credit card and bank account numbers and passwords). This information is later emailed to the virus author(s).
When run, this variant copies itself to the WINDOWS SYSTEM directory as KERNEL32.EXE and creates a registry run key to load itself at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kernel32.exe
This variant replies to incoming email messages and sends itself to email addresses found in "*.asp" and "*.ht*" files. The sender address used by the virus when emailing itself to others may be chosen from the following list:
" Anna"
"JUDY"
"Rita Tulliani"
"Tina"
"Kelly Andersen"
"Andy"
"Linda"
"Mon S"
"Joanna"
"JESSICA BENAVIDES"
" Administrator"
" Admin"
"Support"
"Monika Prado"
"Mary L. Adams"
Additionally, the virus prepends the return address used with an "_" (underscore). Thus replying to an infected message will fail to reach the intended recipient.
The message subject is typically: "Re:"
The message attachment name will be one of the following:
Card.DOC.pif
docs.DOC.pif
fun.MP3.pif
HAMSTER.DOC.pif
Humor.MP3.scr
images.DOC.pif
info.DOC.scr
Me_nude.MP3.scr
New_Napster_Site.MP3.pif
news_doc.DOC.scr
Pics.DOC.scr
README.MP3.scr
S3MSONG.DOC.scr
SEARCHURL.MP3.pif
SETUP.DOC.scr
Sorry_about_yesterday.MP3.pif
stuff.MP3.pif
YOU_are_FAT!.MP3.scr
This new variant uses the iframe exploit and incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin (MS01-020) for more information and a patch.
Indications Of Infection:
- Presence of the file %WinDir%\INETD.EXE
- Presence of the file %SysDir%\KERN32.EXE
- Presence of the file %SysDir%\KERNEL32.EXE
- Email correspondence noting that you've sent them an attachment when you did not.
Method Of Infection:
Badtrans.a variant:
This worm utilizes MAPI messaging to mail itself to regular email correspondence. It will arrive as an attachment that is 13,312 bytes in length and uses one of the following names (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
Badtrans.b variant:
This worm utilizes MAPI messaging to mail itself to regular email correspondence. It will arrive embedded in an email message which often has the subject "Re:". Exploiting a MIME header vulnerability, the virus can execute upon viewing the email message. The message body is empty. It will arrive as an attachment that is 29,020 bytes in length and uses one of the following names:
Card.DOC.pif
docs.DOC.pif
fun.MP3.pif
HAMSTER.DOC.pif
Humor.MP3.scr
images.DOC.pif
info.DOC.scr
Me_nude.MP3.scr
New_Napster_Site.MP3.pif
news_doc.DOC.scr
Pics.DOC.scr
README.MP3.scr
S3MSONG.DOC.scr
SEARCHURL.MP3.pif
SETUP.DOC.scr
Sorry_about_yesterday.MP3.pif
stuff.MP3.pif
YOU_are_FAT!.MP3.scr
Removal Instructions:
All Windows Users:
Use current engine and DAT files for detection and removal.
Install the Microsoft Security Bulletin (MS01-020) patch
Manual Removal Instructions (not required for McAfee users with current engine and DAT files)
WINDOWS 95/98/ME
Restart Windows in Safe Mode (reboot your computer, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you're in Safe Mode by the text Safe Mode in the 4 corners of the desktop.
Click START | RUN, type %WINDIR% and hit ENTER
Delete the INETD.EXE file (if present)
Click START | RUN, type %WINDIR%\SYSTEM and hit ENTER
Delete the following files (if they exist):
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUNONCE
Click on KERNEL32 on the right and hit DELETE on the keyboard
Restart the computer
WINDOWS NT/2000/XP
Type CTRL-ALT-DEL at the same time
Choose TASK MANAGER and then choose the PROCESS tab
Locate the KERNEL32.EXE process, click it, and choose END PROCESS
Click START | RUN, type %WINDIR% and hit ENTER
Delete the INETD.EXE file (if present)
Click START | RUN, type %WINDIR%\SYSTEM32 and hit ENTER
Delete the following files (if they exist):
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_CURRENT_USER
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS NT
Click the (+) next to WINDOWS
If INETD.EXE is found on the right panel, Double Click on RUN on the right and delete the INETD.EXE value
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.
Aliases:
Backdoor-NK.svr , BadTrans (F-Secure), BadTrans.B (F-Secure), I-Worm.Badtrans (AVP), I-Worm.Badtrans.B (AVX), PWS-Gen.hooker, PWS-Hooker.plugin, TROJ_BADTRANS.A (Trend), W32.Badtrans.13312@mm (NAV), W32.Badtrans.B@mm (NAV), W32/Badtrans.B (Panda), W32/Badtrans.eml
Opgepast want dit is dus ook een virrus ik ben direct gaan scannen bij Macafee en kijk eens wat ik vond over dit beestje .
UPDATE December 3, 2001
The Risk Assessment has been set back to Medium due to a decline in customer submissions.
UPDATE November 25, 2001 20:30 PST
AVERT has raised the Risk Assessment on the Badtrans.b variant to Medium On Watch for corporate users and High for home users. We have received many reports that the virus is being seen and stopped at corporate gateways and mailservers. However, we continue to get reports from the home user segment that they have become infected. This is due to the fact that home users tend to update their DAT files less frequently.
As noted below, the virus is detected as W32/Badtrans@MM as the detection technology, which identified the virus first, uses this naming convention for both variants of the Badtrans virus.
This new variant of Badtrans drops a password stealing trojan which is detected as PWS-Hooker with the 4173 DATs, or greater, and a variant of PWS-AV with the 4172 DATs.
UPDATE November 24, 2001 15:30 PST
A new variant of Badtrans has been discovered. This is considered to be variant .b by some companies. VirusScan and other McAfee products with DAT files 4168 are protected from this variant without any updating from that DAT. The variant will be detected as W32/Badtrans@MM when scanning compressed files.
This variant is a Medium risk as is the first variant. Your risk of infection is higher if you do not have the 4168 DAT files or above. See the .b section below for more details on this variant.
Badtrans.a details:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).
When run, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL detected as PWS-AV (was DUNpws.av) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe
Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\
CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
Once running, the trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames, and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.
The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
AVERT first received an intended version of this worm (10,623 bytes) on April 11 from a company in New Zealand.
Badtrans.b details:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread and read email messages. It also mails itself to email addresses found within files that exist on your system. It drops a keylogging trojan (detected as PWS-Hooker with the 4173 DATs, or greater) into the SYSTEM directory as KDLL.DLL. This trojan logs keystrokes for the purpose of stealing personal information (such as credit card and bank account numbers and passwords). This information is later emailed to the virus author(s).
When run, this variant copies itself to the WINDOWS SYSTEM directory as KERNEL32.EXE and creates a registry run key to load itself at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kernel32.exe
This variant replies to incoming email messages and sends itself to email addresses found in "*.asp" and "*.ht*" files. The sender address used by the virus when emailing itself to others may be chosen from the following list:
" Anna"
"JUDY"
"Rita Tulliani"
"Tina"
"Kelly Andersen"
"Andy"
"Linda"
"Mon S"
"Joanna"
"JESSICA BENAVIDES"
" Administrator"
" Admin"
"Support"
"Monika Prado"
"Mary L. Adams"
Additionally, the virus prepends the return address used with an "_" (underscore). Thus replying to an infected message will fail to reach the intended recipient.
The message subject is typically: "Re:"
The message attachment name will be one of the following:
Card.DOC.pif
docs.DOC.pif
fun.MP3.pif
HAMSTER.DOC.pif
Humor.MP3.scr
images.DOC.pif
info.DOC.scr
Me_nude.MP3.scr
New_Napster_Site.MP3.pif
news_doc.DOC.scr
Pics.DOC.scr
README.MP3.scr
S3MSONG.DOC.scr
SEARCHURL.MP3.pif
SETUP.DOC.scr
Sorry_about_yesterday.MP3.pif
stuff.MP3.pif
YOU_are_FAT!.MP3.scr
This new variant uses the iframe exploit and incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin (MS01-020) for more information and a patch.
Indications Of Infection:
- Presence of the file %WinDir%\INETD.EXE
- Presence of the file %SysDir%\KERN32.EXE
- Presence of the file %SysDir%\KERNEL32.EXE
- Email correspondence noting that you've sent them an attachment when you did not.
Method Of Infection:
Badtrans.a variant:
This worm utilizes MAPI messaging to mail itself to regular email correspondence. It will arrive as an attachment that is 13,312 bytes in length and uses one of the following names (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The message body may contain the text:
Take a look to the attachment.
Badtrans.b variant:
This worm utilizes MAPI messaging to mail itself to regular email correspondence. It will arrive embedded in an email message which often has the subject "Re:". Exploiting a MIME header vulnerability, the virus can execute upon viewing the email message. The message body is empty. It will arrive as an attachment that is 29,020 bytes in length and uses one of the following names:
Card.DOC.pif
docs.DOC.pif
fun.MP3.pif
HAMSTER.DOC.pif
Humor.MP3.scr
images.DOC.pif
info.DOC.scr
Me_nude.MP3.scr
New_Napster_Site.MP3.pif
news_doc.DOC.scr
Pics.DOC.scr
README.MP3.scr
S3MSONG.DOC.scr
SEARCHURL.MP3.pif
SETUP.DOC.scr
Sorry_about_yesterday.MP3.pif
stuff.MP3.pif
YOU_are_FAT!.MP3.scr
Removal Instructions:
All Windows Users:
Use current engine and DAT files for detection and removal.
Install the Microsoft Security Bulletin (MS01-020) patch
Manual Removal Instructions (not required for McAfee users with current engine and DAT files)
WINDOWS 95/98/ME
Restart Windows in Safe Mode (reboot your computer, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you're in Safe Mode by the text Safe Mode in the 4 corners of the desktop.
Click START | RUN, type %WINDIR% and hit ENTER
Delete the INETD.EXE file (if present)
Click START | RUN, type %WINDIR%\SYSTEM and hit ENTER
Delete the following files (if they exist):
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUNONCE
Click on KERNEL32 on the right and hit DELETE on the keyboard
Restart the computer
WINDOWS NT/2000/XP
Type CTRL-ALT-DEL at the same time
Choose TASK MANAGER and then choose the PROCESS tab
Locate the KERNEL32.EXE process, click it, and choose END PROCESS
Click START | RUN, type %WINDIR% and hit ENTER
Delete the INETD.EXE file (if present)
Click START | RUN, type %WINDIR%\SYSTEM32 and hit ENTER
Delete the following files (if they exist):
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_CURRENT_USER
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS NT
Click the (+) next to WINDOWS
If INETD.EXE is found on the right panel, Double Click on RUN on the right and delete the INETD.EXE value
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.
Aliases:
Backdoor-NK.svr , BadTrans (F-Secure), BadTrans.B (F-Secure), I-Worm.Badtrans (AVP), I-Worm.Badtrans.B (AVX), PWS-Gen.hooker, PWS-Hooker.plugin, TROJ_BADTRANS.A (Trend), W32.Badtrans.13312@mm (NAV), W32.Badtrans.B@mm (NAV), W32/Badtrans.B (Panda), W32/Badtrans.eml
