W32.Badtrans.B@mm

A mass-mailing worm that uses MAPI to e-mail itself out under a variety of file names. It also drops a keylogger that captures passwords and e-mails the captured keystrokes to one of a list of addresses controlled by the author.

The worm is 29,020 bytes. It arrives as an e-mail with an attachment that carries two extensions. When first executed, it copies itself to the system folder as Kernel32.exe; on Windows 95, 98 and Me it also registers itself as a service process, which keeps it out of the Ctrl+Alt+Del task list. It drops a second file, Kdll.dll, in the same folder, which contains the keystroke-logging code.

The keystroke logging is aimed specifically at passwords. Once per second the worm reads the title of the active window and checks whether it begins with any of LOG, PAS, REM, CON, TER or NET, which catches windows related to logons, passwords, remote connections, connections, terminals and networks. It also looks for Cyrillic versions of the same words. If one matches, keystroke logging is enabled for sixty seconds, and every thirty seconds the log file is sent to one of twenty-two listed e-mail addresses, including some at yahoo.com, rambler.ru, excite.com, and other domains.

The worm distributes itself through e-mail, usually with the subject "Re:". It creates an attachment with one of the following names: PICS, IMAGES, README, New_Napster_Site, NEWS_DOC, HAMSTER, YOU_ARE_FAT!, SEARCHURL, SETUP, CARD, ME_NUDE, Sorry_about_yesterday, S3MSONG, DOCS, HUMOR, or FUN. The worm then appends two extensions. The first is one of .doc, .mp3, or .zip, so the name looks like a document, song or archive; the second is either .pif or .scr, and it is that final extension that Windows actually uses to run the file. If the worm finds SMTP information on the computer, it uses that for the "From:" field; otherwise it picks one of fifteen preset fake addresses. It keeps track of the messages it sends, logging the recipients to Protocol.dll in the system folder so that it does not e-mail the same person more than once. (At first I thought this was kind of the worm's authors, but then I realized they just don't want spam with passwords from the same person repeatedly.)
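The naming scheme above is specific enough to filter on at a mail gateway or in a mail client. The following Python is an added example, not code from the original write-up or from Symantec: it classifies attachment file names against the worm's name and extension lists, and as a generalisation also flags any other runnable extension hidden behind a document-looking extension. The EXECUTABLE_EXT set and the sample file names are my own assumptions, not taken from the page.

```python
import re

# Attachment base names, first extensions and second extensions used by
# W32.Badtrans.B@mm, taken from the list above. Base names are compared
# upper-cased and extensions lower-cased so "HUMOR.MP3.SCR" still matches.
BADTRANS_NAMES = {
    "PICS", "IMAGES", "README", "NEW_NAPSTER_SITE", "NEWS_DOC", "HAMSTER",
    "YOU_ARE_FAT!", "SEARCHURL", "SETUP", "CARD", "ME_NUDE",
    "SORRY_ABOUT_YESTERDAY", "S3MSONG", "DOCS", "HUMOR", "FUN",
}
FIRST_EXT = {"doc", "mp3", "zip"}
SECOND_EXT = {"pif", "scr"}

# Extensions Windows treats as runnable programs. This set is an assumption
# for the looser generic rule; it is not from the worm description.
EXECUTABLE_EXT = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}

# name.first.second, where neither extension itself contains a dot
DOUBLE_EXT = re.compile(r"^(?P<base>.+)\.(?P<first>[^.]+)\.(?P<second>[^.]+)$")


def classify_attachment(filename: str) -> str:
    """Classify one attachment file name.

    'badtrans'   - exact match of the worm's name.{doc,mp3,zip}.{pif,scr} scheme
    'suspicious' - any other runnable extension hidden behind a second extension
    'ok'         - everything else
    """
    m = DOUBLE_EXT.match(filename.strip())
    if not m:
        return "ok"
    base = m.group("base").upper()
    first = m.group("first").lower()
    second = m.group("second").lower()
    if base in BADTRANS_NAMES and first in FIRST_EXT and second in SECOND_EXT:
        return "badtrans"
    if second in EXECUTABLE_EXT:
        return "suspicious"
    return "ok"


def flag_attachments(filenames):
    """Return {filename: verdict} for every attachment that is not 'ok'."""
    flagged = {}
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "ok":
            flagged[name] = verdict
    return flagged


# Constructed sample attachment names (not captured from real mail).
SAMPLE_ATTACHMENTS = [
    "README.doc.pif",                 # textbook Badtrans.B
    "HUMOR.MP3.SCR",                  # same scheme, different casing
    "Sorry_about_yesterday.zip.scr",
    "report.pdf.exe",                 # not Badtrans, but the same trick
    "archive.tar.gz",                 # harmless double extension
    "invoice.doc",                    # single extension
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10s} {name}")
```

The exact-match rule is the signature for this worm; the "suspicious" rule is the one worth keeping afterwards, because the document-then-executable double extension is a trick many later mass mailers reused.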

The worm takes advantage of the Incorrect MIME Header vulnerability in Internet Explorer (Microsoft Security Bulletin MS01-020), which Outlook and Outlook Express use to render HTML mail, so that the attachment runs as soon as the message is opened or previewed, without prompting the user. A patched system is not immune; it simply requires the user to open the attachment by hand. After mail is sent, the worm adds a value under the RunOnce key in the registry so that it is started again the next time Windows boots. Because Windows deletes a RunOnce value once it has been executed, the worm has to re-add it on each run.

BadTrans is not particularly destructive, and it is easily removed, but the keylogger means it is more than a mere annoyance: any passwords typed on an infected machine should be treated as stolen and changed once the machine is clean. Antivirus software will detect the infected files, which can be deleted. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and delete the value named Kernel32 (its data is kernel32.exe). Kernel32.exe in the system folder should also be deleted, together with Kdll.dll and Protocol.dll; since Windows will not delete a running executable, end the Kernel32.exe process first or restart into Safe Mode. Do not touch kernel32.dll, a legitimate Windows file with a confusingly similar name.

Sources
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.badtrans.b@mm.html
my own encounter with the worm, and subsequent cleanup procedures
