VIRUS ALERT No.81 - Tuesday, November 27, 2001.

W32/Badtrans@MM -- new variant placed on  HIGH RISK
 

Description - What virus is this?

A new variant of Badtrans has been discovered, referred to as Badtrans.b. AVERT has raised the Risk Assessment on this variant of W32/Badtrans@MM to High Risk for Consumers. We have received many reports from the home users that they have become infected. It is believed that failure to update virus  scanners recently has caused this increase in occurrence.

VirusScan and other McAfee products with DAT files 4172 and higher are protected from this variant.

The W32/Badtrans@MM was described in our VIRUS ALERT No.65 dated Friday, April 20, 2001.

W32/Badtrans@MM is a mass-mailing worm that drops a remote-access Trojan. The virus arrives via email in
Microsoft Outlook and attempts to send itself by replying to unread email messages. The email may contain the
text "Take a look to the attachment" in the message body and will contain an attachment that is 13,312 bytes in
length. The attachment name is created from three sections.

The first part is chosen from the possibilities:
                    fun
                    Humor
                    docs
                    info
                    Sorry_about_yesterday
                    Me_nude
                    Card
                    SETUP
                    stuff
                    YOU_are_FAT!
                    HAMSTER
                    news_doc
                    New_Napster_Site README
                    images
                    Pics
 

The second part is chosen from the possibilities:

                    .DOC.
                    .MP3.
                    .ZIP.

and the last part from the possibilities:

                    pif
                    scr

This new variant also uses the iframe exploit and incorrect MIME header to run automatically on unpatched
systems. See Microsoft Security Bulletin (MS01-020) for more information and a patch.
 
 

Payload - What can this virus do?
 

If the attachment is opened, the worm displays a message box entitled, "Install error" which reads, "File data
corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS
directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup.
KERN32.EXE (a backdoor Trojan), and HKSDLL.DLL (a valid keylogger DLL) are written to the WINDOWS
SYSTEM directory, and a registry entry is created to load the Trojan upon system startup.

                    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
                    RunOnce\kernel32=kern32.exe

Once running, the Trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the Trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.


Rate This Ezine

The Ezine Directory

We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !



ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.




IMPORTANT NOTICE: ALL those who are receiving this advise and in the "name" field they find 'FAILED' and a 6 or 8 digit figure after it,  should be advised that at least once, emails to that address  have been received back by us.  As the list of subscribers now exceeds 100,000, and since this  is a  free service, we kindly urge you to become a  registered  subscriber to this service and ensure delivery by subscribing  under  a  reliable email address. WE REGRET THAT AS  AFTER THIS ISSUE, ALL ADDRESSES  THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.


DISCLAIMER:

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST

PLEASE ALSO NOTE THE FOLLOWING:

1) You are currently SUBSCRIBED to our mailing list

2) If you are receiving more than one copy of this warning please click here

3) If you DO NOT wish to receive anymore of these alerts, please click here

4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be sent to the Webmaster     by themselves so that a record of all requests can be kept in case somebody cries "SPAM" ! Simply click here
    and send the email as it appears.

5)THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY

FABIAN ENTERPRISES LTD.

   AND THERE WILL NEVER BE ANY CHARGE FOR IT.

6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL NEVER BE SOLD, EXCHANGED OR IN     ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
    ******

Fabian Brincat
Webmaster
Fabian Enterprises Ltd.

SEE PREVIOUS VIRUS ALERT

RETURN TO VIRUS ALERT MAIN INDEX


FABIAN ENTERPRISES LTD.
18-20, MSIDA ROAD,
GZIRA. GZR 1401.
MALTA.
TELEPHONE: (++356) 21 31 32 83 or 21 32 08 45
FAX: (++356) 21 33 80 87
E-MAIL CONTACT
sales@fabian.com.mt

©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.

All Trade names and Trade marks are hereby acknowledged as being the property of the Registered Owners


ALPHABETICAL LIST OF PRODUCTS: click on section you wish to view:

A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z


EXIT TO QUICK INDEX



271101/110904/061004