
E-M:/ More on BADTRANS Virus Enviro Contamination



-------------------------------------------------------------------------
Enviro-Mich message from "Alex J. Sagady & Associates" <ajs@sagady.com>
-------------------------------------------------------------------------

Forwarded Bounced message



Date: Wed, 28 Nov 2001 15:23:38 -0500
To: enviro-mich@great-lakes.net
From: Ishgooda <ishgooda@voyager.net>
Subject: W32.Badtrans.B@mm..VIRUS/TROJAN  ALERT
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

I have received MEGA copies of this virus in the past two days.  It appears 
to change the email address to another address in the infected person's 
address book (ex. "joeblack@aol.com" will read "_joeblack@aol.com" and is 
actually sent from a verizon account).  This makes it extremely difficult 
to backtrack an infected sender, as routers don't support the fact it comes 
from the address shown.

It appears to arrive as an embedded file rather than an attachment.  For 
those using hotmail, this means you "may" infect yourself simply by viewing 
it.  For those of you who are listowners: set your list to strip 
attachments and permit text files only.

Check your system under "help" in order to learn how to disable MAPI.  In 
Eudora go to Tools/Options/MAPI and check the box to disable it.  If you 
have any problems this can be re-enabled in the same settings area.


In Outlook Express you customise your toolbar and add preview to it. Click 
on preview to show or not show the preview pane. Go to View  |  Layout | 
Customise Toolbar | move the Preview Button to current toolbar buttons 
window. With the preview pane not showing you can delete without opening.

It does not require the email recipient to open the attachment for it to 
execute. It uses a known vulnerability in Internet Explorer-based email 
clients (Microsoft Outlook and Microsoft Outlook Express) to automatically 
execute the file attachment. This vulnerability is also known as Automatic 
Execution of Embedded MIME type.

WORM_BADTRANS.B is detected by pattern file #170 or #970.

For more information on WORM_BADTRANS.B please visit our Web site at:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B

In light of the recent developments from the FBI (a newly developed trojan 
called Magic Lantern under the Cyber Knights program), this trojan functions 
very similarly.
Ishgooda
thanks to Jordan for the following link and info:

W32.Badtrans.B@mm
http://www.sarc.com/avcenter/venc/data/w32.badtrans.b@mm.html

Discovered on: November 24, 2001
Last Updated on: November 26, 2001 at 12:46:58 PM PST



Due to the increased rate of submissions, we have updated the threat level 
of this worm from level 3 to level 4.

W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several 
different file names. This worm also creates a DLL in the \Windows\System 
directory as Kdll.dll. It uses functions from this DLL to log keystrokes.

Type: Worm

Virus Definitions: November 24, 2001

Threat Assessment:
    Wild: High
    Damage: Low
    Distribution: High

Wild:
    Number of infections: More than 1000
    Number of sites: 3 - 9
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Easy

Damage:
    Payload:
        Large scale e-mailing: Uses MAPI commands to send email.
        Compromises security settings: Installs keystroke logging Trojan 
        horse.

Technical description:

This worm arrives as an email with one of several attachment names and a 
combination of two appended extensions.

The list of possible file names is:
    HUMOR
    DOCS
    S3MSONG
    ME_NUDE
    CARD
    SEARCHURL
    YOU_ARE_FAT!
    NEWS_DOC
    IMAGES
    PICS

The first extension that is appended to the file name is one of the following:
    .DOC
    .MP3
    .ZIP

The second extension that is appended to the file name is one of the following:
    .pif
    .scr

The resulting file name would look something like this:
    CARD.DOC.PIF
    NEWS_DOC.MP3.SCR
    etc.

When executed, this worm copies itself as kernel32.exe in the 
"\windows\system" directory. It then adds the following registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

Prevention methods:

1. Corporate email filtering systems should block all email that has 
   attachments with the extensions .scr and .pif.

2. Users should not open any emails with an attachment that matches the 
   names listed above. Any email that has such an attachment should be 
   deleted.

Removal instructions:
http://securityresponse.symantec.com/avcenter/refa.html#removal

    1. Run LiveUpdate to make sure that you have the most recent virus 
       definitions.

    2. Start Norton AntiVirus (NAV), and make sure that NAV is configured 
       to scan all files. For instructions on how to do this, read the 
       document How to configure Norton AntiVirus to scan all files.

    3. Run a full system scan.

    4. Delete all files that are detected as W32.Badtrans.B@mm.

    5. Remove the registry value listed above.

<<<<=-=-= Tsonkwadiyonrat (We are ONE Spirit) =-=-=>>>>
The preceding message has been
distributed courtesy of Native News Online.
A Barefoot Connection
http://nativenewsonline.org
CERTAIN COUNCIL
http://www.certain-natl.org/
NAHI Board
http://ndnrights.org/nahi/

        <<<<=-=-=FREE LEONARD PELTIER!!!=-=->>>>
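A defender-side check for the attachment naming scheme and the .scr/.pif blocking advice in the write-up above, added here as an example that is not part of the list message or the Symantec write-up. The base names and extension lists come from the write-up; the classification rules, the function names and the sample MIME message are constructed for illustration.

```python
# Added example (not from the list message or the vendor write-up): a
# defender-side attachment-name check for the BADTRANS.B naming scheme.
# Base names and extension lists are taken from the write-up above; the
# policy function and the sample MIME message are constructed here.
import email
from email import policy

BASE_NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
              "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
DECOY_EXTS = {".doc", ".mp3", ".zip"}   # first, harmless-looking extension
EXEC_EXTS = {".pif", ".scr"}            # second extension, the one Windows runs


def classify_attachment(filename: str) -> str:
    """Return 'badtrans', 'blocked-ext' or 'ok' for an attachment name.

    'blocked-ext' is prevention method 1 (drop every .scr/.pif attachment);
    'badtrans' additionally matches the worm's NAME.decoy.exec pattern.
    Matching is case-insensitive since the write-up shows both cases.
    """
    parts = filename.split(".")
    if len(parts) < 2 or "." + parts[-1].lower() not in EXEC_EXTS:
        return "ok"
    if (len(parts) == 3 and parts[0].upper() in BASE_NAMES
            and "." + parts[1].lower() in DECOY_EXTS):
        return "badtrans"
    return "blocked-ext"


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and classify every named attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), classify_attachment(part.get_filename()))
            for part in msg.walk() if part.get_filename()]


# Constructed sample: two-part message carrying a worm-style attachment.
SAMPLE = (b"From: _joeblack@example.com\r\nTo: list@example.com\r\n"
          b"Subject: hi\r\nMIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
          b'--b1\r\nContent-Type: application/octet-stream; name="CARD.DOC.PIF"\r\n'
          b'Content-Disposition: attachment; filename="CARD.DOC.PIF"\r\n\r\n'
          b"MZ\r\n--b1--\r\n")

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(name, verdict)   # CARD.DOC.PIF badtrans
```

The filename check is deliberately independent of the MIME type or the sender address, since the write-up notes the From: line is taken from someone else's address book and cannot be trusted.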


----------------------------------------------------------------------------
Alex J. Sagady & Associates  http://my.voyager.net/~ajs/sagady.pdf

Environmental Enforcement, Technical Review, Public Policy and
Communications on Air, Water and Waste/Community Environmental Protection

PO Box 39,  East Lansing, MI  48826-0039
(517) 332-6971; (517) 332-8987 (fax); ajs@sagady.com
----------------------------------------------------------------------------



==============================================================
ENVIRO-MICH:  Internet List and Forum for Michigan Environmental
and Conservation Issues and Michigan-based Citizen Action.   Archives at
http://www.great-lakes.net/lists/enviro-mich/

Postings to:  enviro-mich@great-lakes.net      For info, send email to
majordomo@great-lakes.net  with a one-line message body of  "info enviro-mich"
==============================================================