vision2020

[Date Prev]	[Date Next]	[Thread Prev]	[Thread Next]
[Date Index]	[Thread Index]	[Author Index]	[Subject Index]

badtran

To: "Vision2020 Listserver List" <vision2020@moscow.com>
Subject: badtran
From: "Steve Cooke" <scooke@uidaho.edu>
Date: Wed, 28 Nov 2001 09:05:40 -0800
Importance: Normal
Resent-Date: Wed, 28 Nov 2001 09:06:23 -0800 (PST)
Resent-From: vision2020@moscow.com
Resent-Message-ID: <5KPSJD.A.JNN.nlRB8@whale.fsr.net>
Resent-Sender: vision2020-request@moscow.com

This is what Sophos antivirus software says about Badtrans.
Steve Cooke
W32/Badtrans-A

Memory resident: Yes

This is a worm which uses MAPI to spread. The worm arrives in an email
message with the text "Take a look to the attachment". The attachment
filename is randomly chosen from the list: fun.pif Humor.TXT.pif docs.scr
s3msong.MP3.pif Sorry_about_yesterday.DOC.pif Me_nude.AVI.pif Card.pif
SETUP.pif searchURL.scr YOU_are_FAT!.TXT.pif hamster.ZIP.scr news_doc.scr
New_Napster_Site.DOC.SCR README.TXT.pif images.pif Pics.ZIP.scr If the
attached file is run, it displays the message box "File data corrupt
probably due to bad data transmission or bad disk access." and copies itself
into the Windows directory with the filename INETD.EXE and changes win.ini
so that the file is run at Windows startup. The worm also drops a file
kern32.exe, which is a password stealing Trojan Troj/Keylog-C, into the
Windows system directory and changes the registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the Trojan
runs on starting up Windows. A machine running the Trojan is exposed to
unauthorised access attacks by a malicious person running the backdoor
client program.

First reported in April 2001.

Stephen Cooke

Prev by Date: Re: badtrans virus
Next by Date: art opening
Prev by thread: Re: badtrans virus
Next by thread: art opening
Index(es):
- Date
- Thread

Back to TOC