The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

Virus and Malware Alerts

Alerts November 2001


Top 10 malware reported to Sophos in November 2001

Position  Last month  Malware           Percentage of reports
1         New         W32/Badtrans-B    22.2%
2         2           W32/Nimda-A       10.5%
3         3           W32/Magistr-B     10.2%
4         New         W32/Nimda-D        9.9%
5         1           W32/Sircam-A       8.8%
6         4           W32/Magistr-A      6.6%
7         5           W32/Hybris-B       4.4%
8         6           VBS/Kakworm        1.9%
9         Re-entry    W32/Aliz-A         1.6%
10        10          VBS/Haptime-A      1.2%
Others                                  22.7%

This section helps you to understand how the worm behaves.
W32/Badtrans-B is an email-aware worm which uses MAPI to spread. The worm forwards itself to addresses found on the infected computer as an email message with no message text.

The worm finds addresses to send itself to by searching the address book. Additionally, it searches the internet cache and the "My Documents" folder for web pages, looking for further email addresses to send itself to.

If the worm is replying to mail found on the infected machine, it will use the infected user's address in the From: field of the email; otherwise the From: field is filled from a fixed list of spoofed sender names and addresses hard-coded in the worm.


The email uses a known exploit in certain versions of Outlook Express 5 in order to launch the attached file automatically. Microsoft has released a patch which reportedly addresses this vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/MS01-027.asp. (This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)

The worm generates a subject line by reading email on the infected machine and "replying" to it. For example:

Re: <subject found by reading mail on infected machine>

For email addresses found via web pages in the internet cache or the "My Documents" folder, the subject line is simply "Re:" with no further text.

The worm attempts to create a name for the attached infected file by randomly generating it from three separate parts. The first part is taken from the list:

CARD
DOCS
FUN
HAMSTER
NEWS_DOC
HUMOR
IMAGES
info
ME_NUDE
New_Napster_Site
PICS
README
S3MSONG
SEARCHURL
SETUP
Sorry_about_yesterday
stuff
YOU_ARE_FAT!

The second from the list:

.DOC.
.MP3.
.ZIP.

(A bug in the worm means that it never actually selects the ".ZIP." option.)

and the last from:

pif
scr

For this reason the attached file can have any of a large number of different names, including:

card.DOC.pif
docs.DOC.pif
fun.MP3.pif
HAMSTER.DOC.PIF
Humor.MP3.scr
IMAGES.DOC.pif
Me_nude.MP3.scr
New_Napster_Site.MP3.pif
Pics.DOC.scr
README.MP3.scr
S3MSONG.DOC.scr
SEARCHURL.MP3.pif
SETUP.DOC.scr
Sorry_about_yesterday.MP3.pif
Sorry_about_yesterday.MP3.scr
stuff.MP3.pif
YOU_ARE_FAT!.DOC.pif
YOU_are_FAT!.MP3.scr
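As an added example (not code from the original alert or from Sophos), the three-part naming scheme above turned into a mail-gateway style check in Python: it matches attachment names case-insensitively, enumerates every name the generator can produce, and combines that with the "Re:" subject and empty message body described earlier. The sample messages and the function names are constructed for illustration.

```python
import re

# Name parts as listed in the Sophos description (three-part generator).
FIRST_PARTS = [
    "CARD", "DOCS", "FUN", "HAMSTER", "NEWS_DOC", "HUMOR", "IMAGES", "info",
    "ME_NUDE", "New_Napster_Site", "PICS", "README", "S3MSONG", "SEARCHURL",
    "SETUP", "Sorry_about_yesterday", "stuff", "YOU_ARE_FAT!",
]
MIDDLE_PARTS = [".DOC.", ".MP3.", ".ZIP."]  # the worm's bug never picks ".ZIP."
LAST_PARTS = ["pif", "scr"]

# Case-insensitive: observed names vary case (card.DOC.pif, HAMSTER.DOC.PIF,
# Me_nude.MP3.scr). ".ZIP." stays in the pattern so a fixed build is caught too.
_ATTACHMENT_RE = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in FIRST_PARTS) + r")"
    r"\.(?:DOC|MP3|ZIP)\.(?:pif|scr)$",
    re.IGNORECASE,
)

def is_badtrans_attachment(name: str) -> bool:
    """True if an attachment filename fits the first.middle.last pattern."""
    return _ATTACHMENT_RE.match(name.strip()) is not None

def possible_attachment_names(include_zip: bool = False) -> list:
    """Every name the generator can build (72 without .ZIP., 108 with it)."""
    middles = [m for m in MIDDLE_PARTS if include_zip or m != ".ZIP."]
    return [f + m + last for f in FIRST_PARTS for m in middles for last in LAST_PARTS]

def flag_message(subject: str, body: str, attachments: list) -> bool:
    """Gateway rule: a 'Re:' subject, an empty body and a matching attachment
    together are the combination the description gives for this worm."""
    return (subject.strip().lower().startswith("re:")
            and body.strip() == ""
            and any(is_badtrans_attachment(a) for a in attachments))

# Constructed sample messages (hypothetical, not captured traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Re:", "body": "", "attachments": ["fun.MP3.pif"]},
    {"id": "m2", "subject": "Re: invoice 4411", "body": "", "attachments": ["HAMSTER.DOC.PIF"]},
    {"id": "m3", "subject": "Re: lunch", "body": "See you at noon.", "attachments": ["menu.pdf"]},
    {"id": "m4", "subject": "Re:", "body": "", "attachments": ["card.DOC.exe"]},
]

def triage(messages: list) -> list:
    """Return the ids of messages the rule flags; for SAMPLE_MESSAGES: ['m1', 'm2']."""
    return [m["id"] for m in messages
            if flag_message(m["subject"], m["body"], m["attachments"])]
```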

If the attached file is run, it may copy itself to the Windows or Windows system directory with the filename kernel32.exe and change the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the worm runs the next time Windows is started. Note that if the worm has not created a copy in the Windows or Windows system directory, the registry key refers to the original attachment instead.

The worm also drops a file named kdll.dll, which is the Troj/PWS-AV password-stealing Trojan horse.

W32/Badtrans-B uses the Trojan Troj/PWS-AV to log a user's keystrokes in a file named cp_25389.nls in the Windows system directory. The log of keystrokes may be encrypted.

W32/Badtrans-B will attempt to send the log to one of a fixed list of email addresses hard-coded in the worm.


Copyright © 1998 The Computer Guys