BadTrans

From BunzWiki

W32.Badtrans.B@mm

A [worm] that uses [MAPI] commands to [e-mail] itself out under varying [filename|file name]s. It also installs a [keylogger] to capture [password]s and e-mails them to a remote address.

The worm is 29,020 [byte]s. It arrives as an e-mail with an [attachment] that has two [extension]s. When first [execute]d, it copies itself to the [system folder] as Kernel32[.exe], and on [Windows 95], [Windows 98|98] and [Windows Me] it also registers itself as a [service process]. It generates a file called Kdll[.dll] that contains the [keystroke]-logging code.

The keystroke logging is aimed specifically at passwords. Once per second, the worm examines the currently open [window] and checks whether its title begins with any of the following three-letter strings: LOG, PAS, REM, CON, TER, or NET. This lets it detect windows related to logons, passwords, remote connections, connections, [terminal]s, and [network]s. It also looks for [Cyrillic] versions of the same words. If a match is found, key logging is enabled for sixty seconds; every thirty seconds the log file is sent to one of twenty-two listed e-mail addresses, including some at yahoo.com, rambler.ru, excite.com, and other [domain]s.

The worm distributes itself through e-mail, usually with the [subject] "Re:". It creates an attachment with one of the following names: PICS, IMAGES, [README], New_[Napster]_Site, NEWS_DOC, HAMSTER, YOU_ARE_FAT!, SEARCHURL, [SETUP], CARD, [ME_NUDE], Sorry_about_yesterday, S3MSONG, DOCS, HUMOR, or FUN. It then appends two extensions: the first is one of [.doc], [.mp3], or [.zip]; the second is either [.pif] or [.scr]. If the worm finds [SMTP] information on the computer, it uses that for the "From:" field; otherwise it picks one of fifteen preset fake addresses. It does keep track of the messages it sends, logging them to Protocol.dll in the system folder to prevent multiple e-mails to the same [victim|person].
(At first I thought this was kind of the worm's authors, but then I realized they just don't want [spam] with passwords from the same person repeatedly.)

The worm takes advantage of [Microsoft Outlook]'s handling of malformed [MIME] to make the attachment execute without prompting the user. After mail is sent, the worm adds a value to the [registry] so that it runs again the next time [Windows] is started.

BadTrans is not particularly [destructive], and it is easily removed, making it a mere [annoyance]. [Antivirus] software will detect [infected] files, which can be deleted; in the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and remove the value "Kernel32 kernel32.exe". Kernel32.exe itself should also be deleted (but not [kernel32.dll], a legitimate Windows file).

Sources
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.badtrans.b@mm.html
my own encounter with the worm, and subsequent cleanup procedures
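As an added example (not from this article or from Symantec's writeup), the attachment naming scheme described above turned into a mail-gateway check in Python: it flags the exact BadTrans.B pattern (listed base name, decoy extension, then .pif or .scr) and also generalizes to any double extension that ends in an executable type. The function names and the sample message are constructed for illustration.

```python
import re

# Base names the article lists, compared case-insensitively.
BADTRANS_BASENAMES = {
    "PICS", "IMAGES", "README", "NEW_NAPSTER_SITE", "NEWS_DOC", "HAMSTER",
    "YOU_ARE_FAT!", "SEARCHURL", "SETUP", "CARD", "ME_NUDE",
    "SORRY_ABOUT_YESTERDAY", "S3MSONG", "DOCS", "HUMOR", "FUN",
}
DECOY_EXTS = {".doc", ".mp3", ".zip"}  # first extension: looks like data
WORM_EXTS = {".pif", ".scr"}           # second extension: actually executes
EXEC_EXTS = WORM_EXTS | {".exe", ".com", ".bat", ".cmd", ".vbs"}  # general check

def split_double_extension(name):
    """Split 'base.ext1.ext2' into (base, ext1, ext2), else return None."""
    m = re.fullmatch(r"(.+?)(\.[^.]+)(\.[^.]+)", name)
    if not m:
        return None
    base, ext1, ext2 = m.groups()
    return base, ext1.lower(), ext2.lower()

def is_badtrans_attachment(name):
    """True only for the exact naming scheme the article describes."""
    parts = split_double_extension(name)
    if parts is None:
        return False
    base, ext1, ext2 = parts
    return base.upper() in BADTRANS_BASENAMES and ext1 in DECOY_EXTS and ext2 in WORM_EXTS

def has_executable_double_extension(name):
    """General case: final extension is executable but hides behind another one."""
    parts = split_double_extension(name)
    return parts is not None and parts[2] in EXEC_EXTS

def flag_attachments(subject, attachments):
    """Return [(filename, reason)] for attachments a mail gateway should quarantine."""
    flagged = []
    for name in attachments:
        if is_badtrans_attachment(name):
            reason = "BadTrans.B name scheme"
            if subject.strip().lower() == "re:":  # the worm's usual subject line
                reason += " with 'Re:' subject"
            flagged.append((name, reason))
        elif has_executable_double_extension(name):
            flagged.append((name, "executable hidden behind a double extension"))
    return flagged

# Constructed sample message, not a real capture.
SAMPLE_SUBJECT = "Re:"
SAMPLE_ATTACHMENTS = ["PICS.doc.pif", "agenda.doc", "report.zip.exe", "photo.tar.gz"]
```

Calling flag_attachments(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS) quarantines PICS.doc.pif as the worm pattern and report.zip.exe under the general rule, while the plain document and the .tar.gz archive pass.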