Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity MEDIUM
Payload Backdoor functionality
Detection files published 24 Nov 2001 03:00:00
Description created 23 Nov 2001 03:00:00
Description updated 26 Feb 2003 03:03:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Badtrans.B@mm

Spreading

The worm uses the Microsoft Mail API to spread itself to addresses it finds in the user's address book, web browser cache and in documents in the "My Documents" (or similar in local language) folder. The "From:" address will often have been changed by the worm to have an underscore as its first letter. Thus, attempting to reply to such an address will normally bounce unless the underscore is removed.

The attachment name can consist of one of the following pieces:

fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
pics
S3MSONG
SEARCHURL

The attachment will have double extensions, where the first is either DOC, MP3 or ZIP, and the second is either PIF or SCR.
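As an added example (not part of the original description), the naming scheme above can be turned into a mail-gateway triage check: an attachment is flagged when its base name is one of the listed pieces and it carries the DOC/MP3/ZIP + PIF/SCR double extension, and the underscore-prefixed sender is reported as a secondary indicator only. The sample messages and the case-insensitive comparison of base names are assumptions made for the example.

```python
import re

# Attachment base names listed in the description above.
BADTRANS_NAMES = {
    "fun", "Humor", "docs", "info", "Sorry_about_yesterday", "Me_nude", "Card",
    "SETUP", "stuff", "YOU_are_FAT!", "HAMSTER", "news_doc", "New_Napster_Site",
    "README", "images", "pics", "S3MSONG", "SEARCHURL",
}
_NAMES_LOWER = {n.lower() for n in BADTRANS_NAMES}  # assumption: compare case-insensitively
FIRST_EXT = {"doc", "mp3", "zip"}   # decoy extension shown to the user
SECOND_EXT = {"pif", "scr"}         # real extension; both are executable on Windows

# <base>.<first>.<second> with exactly two trailing extensions.
_ATTACH_RE = re.compile(r"^(?P<base>.+)\.(?P<first>[a-z0-9]+)\.(?P<second>[a-z0-9]+)$", re.IGNORECASE)


def is_badtrans_attachment(filename: str) -> bool:
    """True if the name follows the worm's <piece>.DOC|MP3|ZIP.PIF|SCR scheme."""
    m = _ATTACH_RE.match(filename.strip())
    if not m:
        return False
    return (m.group("first").lower() in FIRST_EXT
            and m.group("second").lower() in SECOND_EXT
            and m.group("base").lower() in _NAMES_LOWER)


def has_underscore_sender(from_addr: str) -> bool:
    """True if the local part starts with '_', as the worm rewrites it.
    Legitimate addresses can start with '_' too, so this is never a verdict on its own."""
    local, sep, _domain = from_addr.partition("@")
    return bool(sep) and local.startswith("_")


def triage_message(from_addr: str, attachments: list) -> dict:
    """Return the attachments matching the worm's scheme plus the sender indicator."""
    hits = [a for a in attachments if is_badtrans_attachment(a)]
    return {"suspect": bool(hits), "attachments": hits,
            "underscore_sender": has_underscore_sender(from_addr)}


# Constructed sample messages for a stand-alone run.
SAMPLE_MESSAGES = [
    ("_bob@example.com", ["Card.zip.pif", "notes.txt"]),     # worm-style message
    ("alice@example.com", ["report.doc", "README.txt"]),     # benign message
]

if __name__ == "__main__":
    for sender, files in SAMPLE_MESSAGES:
        print(sender, triage_message(sender, files))
```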

Payload Details

Installs a keylogging utility, KDLL.DLL, in the Windows system directory. This should not be confused with the file SKDLL.DLL which is an innocent file included in some Windows installations.

Analysis

n/a

Removal

When running on Windows NT, 2000 or XP:

Find and stop the KERNEL32.EXE process using Task Manager. How to do this:
1. Press Ctrl-Alt-Del.
2. Press the "Task Manager" button.
3. Select the "Processes" window.
4. Find the KERNEL32.EXE process, select it and click on "End Process".
Then start NVC via "Start|Programs|Lumension Virus Control|Lumension Virus Control", select your hard disk(s) and press "Start scan".

When running on Windows 95/98:

Boot to DOS and perform a scan using the DOS command line scanner supplied. You will normally find this in the \NORMAN\DOS directory. How to do this:
1. Press "Start" on the task bar.
2. Select "Shut down...".
3. Select "Restart the computer in DOS mode".
4. When the computer has started with a DOS prompt, type:
   cd \norman\dos
   NVC32X /ALD /CL /U
The scanner should now clean up the machine by itself.

When running on Windows ME:

Windows ME does not have the option to boot to DOS directly. It is still possible, but you have to use the emergency startup diskette that normally is supplied with your PC. If you don't have an emergency diskette, make a new one by selecting "Start|Settings|Control Panel|Add/Remove Programs|Startup Disk|Create Disk". Once you have a startup diskette, insert it into the A: drive and restart. The rest of the procedure is identical to the one described for Windows 95/98.

Registry:

The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32 may be deleted manually using REGEDIT. However, since the RunOnce key is normally cleared after it has been referenced, it is normally enough to reboot twice to remove it.


Last Updated: 12 Nov 2015 11:06:15