F-Secure Virus Descriptions : BadTrans
|
|
|
Information about W95/Badtrans.B@mm found in the wild at November
24th, 2001, is available at:
http://www.Europe.F-Secure.com/v-descs/badtrs_b.shtml
BadTrans is a worm spreading with e-mail messages from Win32
systems. The worm sends email messages with infected attached
files, as well as installs a spying trojan component to steal
information from infected systems. The worm was discovered
in-the-wild on April 12 2001.
The worm itself is Win32 executable file (PE EXE file). It was
found in-the-wild in a compressed form, and is about 13Kb long.
Being decompressed the worm's file length increases to about
40Kb.
The worm has a multi-component structure. It consists of two
different components that are dropped on a hard disk as three
different files and are run as stand-alone programs (email Worm
and Trojan). The worm routine is the main component, it keeps
trojan program body in its code and installs it into a system
while infecting a new machine.
The worm component operates similar to I-Worm.ZippedFiles (aka
ExploreZip) worm: by using Windows MAPI functions it gets access
to Inbox and "answers" all unread messages. This routine has a
bug and may cause transport overload (see below).
The trojan component itself is a variant of already known
passwords-stealing trojan (see Trojan.PSW.Hooker). It sends
information from infected computers to the email address:
ld8dl1@mailandnews.com
When an infected file is run (when a user clicks on attached file
and activates it) the worm code gets control. First of all it
drops (installs) its components to the system. The worm copies
itself to Windows directory with INETD.EXE name and drops the
trojan component to Windows directory with HKK32.EXE name. The
trojan component is executed then, it moves itself to Windows
system directory with KERN32.EXE name, drops an additional
library (key logger) with HKSDLL.DLL name.
The worm then registers itself (the INETD.EXE file) in auto-run
sections in the system. Under Win9x it writes "run=" command to
[windows] section to WIN.INI file, for example:
[windows]
load=
run=C:\WINDOWS\INETD.EXE
Under WinNT/2000 the following registry key is created:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
RUN = C:\WINDOWS\INETD.EXE
The trojan registers itself in the Registry in RunOnce key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
kernel32 = kern32.exe
Because this is "run once" key, the trojan on each start rewrites
it, and keeps Windows loading trojan file on each restart.
To hide its activity when installation into a new machine is
complete the worm displays the fake message and exits:
Install error
File data corrupt:
probably due to bad data transmission or bad disk access.
It looks like that:
The worm does not send any messages out of infected machine at
first start, it does that on next Windows restarts instead. The
spreading routine is activated on next Windows restart when the
worm copy is activated from INETD.EXE file (this file is run
automatically because it is referred from "run" key in WIN.INI
file or system registry).
The worm registers itself as hidden (service) process, and sleeps
for about 5 minutes before activating its spreading routine.
While spreading the worm gets access to Windows MAPI functions,
opens and reads all unread messages, "answers" on them with
infected messages. The worm does not terminate, and is active
till Windows restart, and sends infected message each time a new
message arrives.
The infected message has text and attached file. Attached file
name is randomly selected from the following variants:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
The Subject field in worm messages is the same as in original
message with prepended "Re:" prefix.
The message body is a "reply" to the original message. For
example, if original message is sent from "John Doe" and has two
lines like:
message line1
message line2
the worm will reply with the following text then:
'John Doe' wrote:
====
- message line1
- message line2
> Take a look to the attachment.
If a message has no body (empty message), the worm's "reply" has
just one line:
> Take a look to the attachment.
The worm uses a trick to avoid answering the same email twice or
more times, and to avoid answering its own messages received from
other infected machines. To do that the worm adds two spaces to
the end of Subject line, and does not process (reply to) such
messages.
This "two-spaces" protection works for messages that are already
"answered", and worm does not reply to these messages. However,
this protection doesn't work for messages that are received from
other infected computers. Some email servers (or most of them)
simply cut all spaces at the end of Subject line (according to
RFC-822 email messages standard).
As a result if an infected message comes to already infected
machine it is immediately answered by worm and sent back. So the
worm initiates the "looped" traffic with endless number of
infected messages.
Depending on installed email client the worm also fails to mark
"answered" messages. As a result the worm answers all unread
messages ("true" ones and its own messages) in endless loop, and
number of sent and received messages grows up to several thousand
within a minute.
Therefore, the worm can cause email server crash because soon it
will not be capable to process all these messages.
[F-Secure Corporation and Kaspersky Lab, November 24, 2001]
|
