Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity LOW
Payload
Detection files published 14 Apr 2001 03:00:00
Description created 23 Nov 2001 03:00:00
Description updated 23 Nov 2001 03:00:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Badtrans.A@mm

Spreading

When the worm is run, it displays a message box (the original screenshot is not available).

It also copies itself to the Windows directory under the name INETD.EXE and adds an entry to WIN.INI so that this file runs on startup. The next time the machine boots, the worm attempts to use MAPI services to mail itself as a reply to all unread messages in the Outlook folders.

The attachment name is selected at random from the following list:

fun.pif
Humor.TXT.pif
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif
Me_nude.AVI.pif
Card.pif
SETUP.pif
searchURL.scr
YOU_are_FAT!.TXT.pif
hamster.ZIP.scr
news_doc.scr
New_Napster_Site.DOC.scr
README.TXT.pif
images.pif
Pics.ZIP.scr

Payload Details

The worm creates a file called HKK32.EXE in the Windows directory and starts it. HKK32.EXE in turn creates a file called KERN32.EXE, a password-stealing trojan, which is placed in the Windows system directory and started. KERN32.EXE then deletes HKK32.EXE and installs itself in the Registry under the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key. This trojan enables the author to obtain confidential information from compromised systems.
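The following triage helper is an added example, not part of the Lumension description, that turns the indicators from the Spreading and Payload Details sections above into checks: it classifies mail attachment names against the published list (and, as a generalisation, the double-extension pattern they share), and correlates WIN.INI run entries with the dropped file names. The WIN.INI text and file list are constructed sample input.

```python
import re

# Attachment names from the description above.
BADTRANS_ATTACHMENTS = {
    "fun.pif", "Humor.TXT.pif", "docs.scr", "s3msong.MP3.pif",
    "Sorry_about_yesterday.DOC.pif", "Me_nude.AVI.pif", "Card.pif", "SETUP.pif",
    "searchURL.scr", "YOU_are_FAT!.TXT.pif", "hamster.ZIP.scr", "news_doc.scr",
    "New_Napster_Site.DOC.scr", "README.TXT.pif", "images.pif", "Pics.ZIP.scr",
}
# Generalisation of the list: a harmless-looking inner extension hiding .pif/.scr.
DOUBLE_EXT_RE = re.compile(r"\.(txt|doc|mp3|avi|zip)\.(pif|scr)$", re.IGNORECASE)
# Files the description says the worm and its dropped trojan create.
DROPPED_FILES = {"inetd.exe", "hkk32.exe", "kern32.exe"}
_KNOWN_LOWER = {n.lower() for n in BADTRANS_ATTACHMENTS}


def classify_attachment(name: str) -> str:
    """'known' for a listed name, 'suspicious' for the double-extension pattern, else 'clean'."""
    if name.lower() in _KNOWN_LOWER:
        return "known"
    if DOUBLE_EXT_RE.search(name):
        return "suspicious"
    return "clean"


def win_ini_run_entries(win_ini_text: str) -> list[str]:
    """Programs named on run=/load= lines in the [windows] section of WIN.INI."""
    programs, in_windows = [], False
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
            continue
        if in_windows and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                programs.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return programs


def badtrans_startup_hits(win_ini_text: str, present_files: list[str]) -> dict:
    """Return WIN.INI run entries and on-disk paths whose file name matches a dropped file."""
    base = lambda p: p.rsplit("\\", 1)[-1].lower()
    return {
        "win_ini": [p for p in win_ini_run_entries(win_ini_text) if base(p) in DROPPED_FILES],
        "files": [f for f in present_files if base(f) in DROPPED_FILES],
    }


# Constructed sample input, not captured data.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[fonts]\n"
SAMPLE_FILES = ["C:\\WINDOWS\\INETD.EXE", "C:\\WINDOWS\\SYSTEM\\KERN32.EXE", "C:\\WINDOWS\\NOTEPAD.EXE"]
```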

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14