In Reply to: Karen Bruce : Virus posted by Si Badak ® on Friday, 30. November 2001 at 15:30 Bali Time:
W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 29, 2001 at 05:04:14 PM PST
Due to the increased rate of submissions, Symantec Security Response has upgraded the threat level of this worm from level 3 to level 4 as of November 26, 2001.
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.
Type: Worm
Infection Length: 29,020 bytes
Virus Definitions: November 24, 2001
Threat Assessment:
Wild: High
Damage: Low
Distribution: High
Wild:
Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Damage:
Payload:
Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.
Distribution:
Name of attachment: randomly chosen from preset list
Size of attachment: 29,020 bytes
Technical description:
This worm arrives as an email with one of several attachment names and a combination of two appended extensions. It contains a set of bits that control its behavior:
001 Log every window text
002 Encrypt keylog
004 Send log file to one of its addresses
008 Send cached passwords
010 Shut down at specified time
020 Use copyname as registry name (else kernel32)
040 Use kernel32.exe as copyname
080 Use current filename as copypath (skips 100 check)
100 Copy to %system% (else copy to %windows%)
When it is first executed, it copies itself to %System% or %Windows% as Kernel32.exe, based on the control bits. Then it registers itself as a service process (Windows 9x/Me only). It creates the key log file %System%\Cp_25389.nls and drops %System%\Kdll.dll which contains the key logging code.
NOTE: %Windows% and %System% are variables. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) or the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
A timer is used to examine the currently open window once per second, and to check for a window title that contains any of the following as the first three characters:
LOG
PAS
REM
CON
TER
NET
These texts form the start of the words LOGon, PASsword, REMote, CONnection, TERminal, NETwork. There are also Russian versions of these same words in the list. If any of these words are found, then the key logging is enabled for 60 seconds. Every 30 seconds, the log file and the cached passwords are sent to one of these addresses or some others which are currently not operational:
ZVDOHYIK@yahoo.com
udtzqccc@yahoo.com
DTCELACB@yahoo.com
I1MCH2TH@yahoo.com
WPADJQ12@yahoo.com
smr@eurosport.com
bgnd2@canada.com
muwripa@fairesuivre.com
eccles@ballsy.net
S_Mentis@mail-x-change.com
YJPFJTGZ@excite.com
JGQZCD@excite.com
XHZJ3@excite.com
OZUNYLRL@excite.com
tsnlqd@excite.com
cxkawog@krovatka.net
ssdn@myrealbox.com
After 20 seconds, the worm will shut down if the appropriate control bit is set.
If RAS support is present on the computer, then the worm will wait for an active RAS connection. When one is made, with a 33% chance, the worm will search for email addresses in *.ht* and *.asp in %Personal% and Internet Explorer %Cache%. If it finds addresses in these files, then it will send mail to those addresses using the victim's SMTP server. If this server is unavailable the worm will choose from a list of its own. The attachment name will be one of the following:
Pics
images
README
New_Napster_Site
news_doc
HAMSTER
YOU_are_FAT!
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
info
docs
Humor
fun
In all cases, MAPI will also be used to find unread mail to which the worm will reply. The subject will be "Re:". In that case, the attachment name will be one of the following:
PICS
IMAGES
README
New_Napster_Site
NEWS_DOC
HAMSTER
YOU_ARE_FAT!
SEARCHURL
SETUP
CARD
ME_NUDE
Sorry_about_yesterday
S3MSONG
DOCS
HUMOR
FUN
In all cases, the worm will append two extensions. The first will be one of the following:
.doc
.mp3
.zip
The second extension that is appended to the file name is one of the following:
.pif
.scr
The resulting file name would look similar to CARD.Doc.pif or NEWS_DOC.mp3.scr.
If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:
"Mary L. Adams" <mary@c-com.net>
"Monika Prado" <monika@telia.com>
"Support" <support@cyberramp.net>
" Admin" <admin@gte.net>
" Administrator" <administrator@border.net>
"JESSICA BENAVIDES" <jessica@aol.com>
"Joanna" <joanna@mail.utexas.edu>
"Mon S" <spiderroll@hotmail.com>
"Linda" <lgonzal@hotmail.com>
" Andy" <andy@hweb-media.com>
"Kelly Andersen" <Gravity49@aol.com>
"Tina" <tina0828@yahoo.com>
"Rita Tulliani" <powerpuff@videotron.ca>
"JUDY" <JUJUB271@AOL.COM>
" Anna" <aizzo@home.com>
Email messages use the malformed MIME exploit to allow the attachment to execute in Microsoft Outlook without prompting. For information on this, go to:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
The worm writes email addresses to the %System%\Protocol.dll file to prevent multiple emails to the same person. Additionally, the sender's email address will have the "_" character prepended to it, to prevent replying to infected mails to warn the sender (eg user@website.com becomes _user@website.com).
After sending mail, the worm adds the value
Kernel32 kernel32.exe
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This will run the worm the next time that you start Windows. This value can differ based on the control bits mentioned above.
Additional information:
Prevention
Corporate email filtering systems should block all email that have attachments with the extensions .scr and .pif.
Home users should not open any email that has an attachment in which the second extension is .pif or .scr. Any email that has such an attachment should be deleted.
Removal instructions:
The preferred way to remove this worm is to use the W32.Badtrans.B@mm Removal Tool. If you are not able to obtain it for any reason, you must remove the worm manually.
Manual removal
To remove this worm manually, you must first remove the worm files and then reverse the change that it made to the registry.
Remove the worms files
Follow the instructions for your version of Windows.
Windows 95/98/Me/2000/XP
Because the worm file may be in use, you must, in most cases, restart in Safe mode before Norton AntiVirus can delete it.
CAUTION: For Windows Me users only. If you are using Windows Me, you should follow the instructions in the section System Restore option in Windows Me that is located at the end of this document before you begin the removal procedure.
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Restart the computer in Safe Mode. For instructions on how to do this, read the document for your operating system:
How to restart Windows 9x or Windows Me in Safe Mode.
How to start Windows 2000 in Safe mode.
How to start Windows XP in Safe Mode.
3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
4. Run a full system scan.
5. Write down the names of any files that are detected as W32.Badtrans.B@mm, and then delet them.
6. When the scan is finished, go on to the section Edit the registry.
Windows NT
Because the worm file may be in use, you must, in most cases, End Process on it before Norton AntiVirus can delete it.
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Press Ctrl+Alt+Delete one time.
3. Click Task Manager.
4. Click the Processes tab.
5. Click the "Image Name" column header two times to sort the processes alphabetically.
6. Scroll through the list and look for kernel32.exe. If you find the file, click it and then click End Process.
7. Close the Task Manager.
8. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
9. Run a full system scan.
10. Write down the names of any files that are detected as W32.Badtrans.B@mm, and then delet them.
11. When the scan is finished, go on to the section Edit the registry.
Edit the registry:
CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
4. In the right pane, delete the following value:
Kernel32 kernel32.exe
CAUTION: The reference to Kernel32 is the most common value that is added by the worm, but it is not the only one possible. In some cases, it may not be there. In addition to looking for and deleting this value if found, you must also look for values that refer to any file names that were detected as infected by this worm when you ran the full system scan. All such values must be deleted.
5. Click Registry, and then click Exit.
6. Restart the computer.
7. To make sure that all files have been removed. start Norton AntiVirus and run another full system scan.
Additional information:
Prevention
Corporate email filtering systems should block all email that have attachments with the extensions .scr and .pif.
Home users should not open any email that has an attachment in which the second extension is .pif or .scr. Any email that has such an attachment should be deleted.