Posted by S. on 27 November 2001 13:39:23:
In reply to: Re: I did not write you any mails.... posted by Pleff on 27 November 2001 10:03:51:
CSRT Alert - Medium Risk
=======================
Win32.BadtransII
and Win32.Badtrans.dll
Alias: W32/Badtrans-B, BADTRANS.B, WORM_BADTRANS.B, W32/Badtrans@MM,
W32.Badtrans.B@mm, W32/BadTrans.B-mm
Threat Level: Medium
Platforms: 95, 98, ME, NT, 2000
Updated on: 27 November, 2001
Arrival Form: Email
Type: Win32, Trojan, Worm
Damage: Steal information, Other
Analysis
========
Win32.BadTransII is an email spreading vandal which attempts to install a
spying keystroke logger on infected machines and tries to steal access
passwords to connections. When arriving by email this vandal runs
automatically by using an Outlook Express exploit known as the X-WAV
exploit.
More information about this exploit and a patch is available from
Microsoft:
www.microsoft.com/technet/treeview/defau...ulletin/MS01-020.asp
** eSafe products proactively protect against this exploit even without a
vandal/virus update **
Infection
The arriving email will have the following format:
From: a list of random email addresses
Subject: random words out of the following list: Humor, fun, docs, info
Body: No body text
Attached file: random attached file name with a double extension.
The list of possible names:
Pics
images
New_Napster_Site
README
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
news_doc
HAMSTER
YOU_are_FAT!
The first file extension will be one of the following: .DOC, .ZIP, .MP3
The second extension will be one of the following: .PIF, .SCR
This vandal can also arrive as a reply to an email. In that case the
subject line will begin with Re: and following would be the original
subject line.
It also searches files with the extensions .HT* and .ASP (HTML files) and
sends infected emails to addresses found there. Usually there will be many
such HTML files in the browser cache directories.
Operation
When an infected email is viewed on a system unpatched by Microsoft, the
file is automatically executed and will perform the following:
1. Create a copy of itself under the name KERNEL32.EXE in the Windows
System directory (usually C:\Windows\System).
2. Create a file named KDLL.DLL (detected by eSafe as Win32.Badtrans.dll)
in the Windows System directory. This file is a spying Trojan. It collects
information about the PC including dial-up passwords. It is also a
keystroke logger, collecting all the keyboard entries and the respective
applications. All this information is saved encrypted to a file named
CP_25389.NLS and sent to a predefined email address.
3. To execute itself each time the computer starts, the following registry
entry is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
kernel32 = "kernel32.exe"
4. Use MAPI to send copies of itself to address book entries as well as
addresses in HTML pages stored locally and as a reply to unread messages.
Removal Instructions
====================
Manual Removal
1. Find and delete the files: KERNEL32.EXE and CP_25389.NLS
2. Using Regedit.exe, find the key HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe". Delete the
registry value kernel32.
3. Disable email previewing in Outlook Express. Delete all email messages
that correspond to the descriptions above.
Cleaning Utility
A cleaning utility is available from
ftp://ftp.ealaddin.com/pub/utils/eclean.exe
eSafe Users
eSafe Desktop and Enterprise are protected by the Sandbox II and System
Protector. All eSafe products detect and block the X-WAV exploit.
It is also recommended to block attached files with the extensions .PIF and
.SCR. For more information about blocking dangerous file types see the link
www.ealaddin.com/home/csrt/protgate_mail.asp.
A new vandal/virus update is available.
eSafe Enterprise, Desktop, Gateway 2.1: An update is available from here:
ftp://ftp.esafe.com/pub/updates/oxrupdinc.exe
Note to eSafe Gateway 2.1 users:
Support for Gateway 2.1 will be terminated on December 31, 2001. Please
contact your local reseller to upgrade to the latest version of eSafe
Gateway 3.0. More information about version 3 can be found here:
www.esafe.com/esafe/gateway/
eSafe Gateway 3.x and eSafe Mail: Users can use the "Update now" option
from within the product eConsole.
New Users
More information about eSafe Content Security Products as well as trial
versions are available from:
www.ealaddin.com/esafe
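The indicators in the alert above (the attachment base names, the .DOC/.ZIP/.MP3 plus .PIF/.SCR double extension, the subject words, the empty body and the RunOnce value) written out as mail-gateway and host checks. This is an added example, not part of the original post and not eSafe's code; the sample messages, the registry export text and every function name are constructed for illustration, and only the indicators themselves come from the alert.

```python
"""Defensive checks for the Badtrans.B indicators listed in the alert above.

Added example, not eSafe's code. All helpers and sample data here are
constructed; only the indicators themselves are taken from the alert text.
"""
import email
import re
from email import policy

# Indicators from the alert: attachment base names, the two layers of the
# double extension, and the subject words used when the mail is not a reply.
ATTACHMENT_NAMES = {
    "pics", "images", "new_napster_site", "readme", "stuff", "setup", "card",
    "me_nude", "sorry_about_yesterday", "news_doc", "hamster", "you_are_fat!",
}
FIRST_EXT = {".doc", ".zip", ".mp3"}
SECOND_EXT = {".pif", ".scr"}
SUBJECTS = {"humor", "fun", "docs", "info"}
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# base name + first extension + second extension, e.g. Me_nude.MP3.scr
DOUBLE_EXT_RE = re.compile(r"^(?P<base>[^.]+)(?P<ext1>\.[^.]+)(?P<ext2>\.[^.]+)$")


def classify_attachment(filename: str) -> str:
    """'badtrans' for the exact name/double-extension pattern, 'blocked_ext' for
    any other .PIF/.SCR attachment (the alert recommends blocking them outright),
    'clean' otherwise. Matching is case-insensitive."""
    name = filename.strip()
    m = DOUBLE_EXT_RE.match(name)
    if not m:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        return "blocked_ext" if ext in SECOND_EXT else "clean"
    base, ext1, ext2 = (m.group(k).lower() for k in ("base", "ext1", "ext2"))
    if ext2 not in SECOND_EXT:
        return "clean"
    if base in ATTACHMENT_NAMES and ext1 in FIRST_EXT:
        return "badtrans"
    return "blocked_ext"


def score_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and combine subject, body and attachment
    indicators into a gateway verdict ('quarantine' or 'deliver')."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    # In the reply variant the worm reuses the victim's subject after "Re:",
    # so the subject word list is only meaningful for non-replies.
    if not subject.lower().startswith("re:") and subject.lower() in SUBJECTS:
        reasons.append("subject is one of the worm's subject words")

    body_text, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    if not body_text.strip():
        reasons.append("empty body")

    verdicts = {a: classify_attachment(a) for a in attachments}
    if "badtrans" in verdicts.values():
        reasons.append("attachment matches the Badtrans.B name/double-extension pattern")
    elif "blocked_ext" in verdicts.values():
        reasons.append(".PIF/.SCR attachment blocked by policy")
    action = "quarantine" if any(v != "clean" for v in verdicts.values()) else "deliver"
    return {"action": action, "reasons": reasons, "attachments": verdicts}


def find_badtrans_autorun(reg_export: str) -> list:
    """Scan a .reg-style text export for the RunOnce value the alert describes."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == RUNONCE_KEY.lower():
            m = re.match(r'"([^"]+)"="([^"]*)"', line)
            if m and m.group(1).lower() == "kernel32" \
                    and m.group(2).lower().endswith("kernel32.exe"):
                hits.append((current_key, m.group(1), m.group(2)))
    return hits


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Constructed raw MIME message; addresses, boundary and bytes are placeholders."""
    return (
        "From: sender@example.invalid\nTo: user@example.invalid\n"
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="sample-boundary"\n\n'
        "--sample-boundary\nContent-Type: text/plain; charset=us-ascii\n\n"
        f"{body}\n"
        "--sample-boundary\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{attachment_name}"\n'
        "Content-Transfer-Encoding: base64\n\nAAECAw==\n"
        "--sample-boundary--\n"
    )


# Constructed registry export: one benign Run value and the worm's RunOnce value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32"="kernel32.exe"
"""
```

Call `score_message(build_sample("fun", "", "Me_nude.MP3.scr"))` to see a quarantine verdict with all three reasons, and `score_message(build_sample("Quarterly report", "Attached as discussed.", "report.zip"))` for a clean delivery. Any .PIF/.SCR attachment quarantines, because the alert recommends blocking those extensions outright; the base-name match is what distinguishes this worm from an arbitrary screensaver attachment. `find_badtrans_autorun` works on the text a `regedit` export produces, so the same scan doubles as the post-cleanup check for the registry value named in the removal instructions.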