AL-2001.17 -- UNIRAS ALERT - W32/Badtrans-B Virus

Date: 26 November 2001

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2001.17 -- AUSCERT ALERT
                    UNIRAS ALERT - W32/Badtrans-B Virus
                             26 November 2001

===========================================================================

        AusCERT Alert Summary
        ---------------------

The message included below is an alert published by UNIRAS regarding a new
email virus/worm "W32/Badtrans-B". Although AusCERT has not received any
reports of local infections, the rapid propagation of this virus makes it 
imperative that members disseminate and take action on this information to 
prevent any undesirable activity by this virus within their sites.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


- - - - -----------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Alert Notice - 20/01 dated 25.11.01  Time 07:41
   UNIRAS Alerts are also available from our website at www.uniras.gov.uk
- - - - -----------------------------------------------------------------------------

Title
=====
Malicious Software Report (See Briefing 228/01)
W32/Badtrans-B
Troj/PWS-AV

UNIRAS Comment
==============

There are now clear indications that Badtrans-B is having an impact. A report
from a member of the UNIRAS community indicates that their mail gateway is stopping
an increasing number of infected emails. Messagelabs also report that this virus
is now No. 1 on their hit list. Symantec assesses it as a medium threat.

Although a substantial number of infections probably originate from home user 
systems, the business community will become involved as they return to work after 
the weekend. The status of the original UNIRAS briefing has consequently been 
changed to that of an ALERT.

http://www.messagelabs.co.uk/viruseye/
http://www.messagelabs.com/viruseye/report.asp?id=86

Detail
====== 


Name: W32/Badtrans-B
Type: Win32 worm
Date: 24 November 2001

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated
into the January 2002 (3.53) release of Sophos Anti-Virus.

At the time of writing Sophos has received just one report of
this worm from the wild.

Description:

W32/Badtrans-B is a worm which uses MAPI to spread. The worm
arrives in an email message with no message text. The attachment
filename is randomly generated from three parts. The first part
is taken from the list:

    FUN
    HUMOR
    DOCS
    S3MSONG
    Sorry_about_yesterday
    ME_NUDE
    CARD
    SETUP
    SEARCHURL
    YOU_ARE_FAT!
    HAMSTER
    NEWS_DOC
    New_Napster_Site
    README
    IMAGES
    PICS

The second from the list:

    .DOC.
    .MP3.
    .ZIP.

and the last from:

    pif
    scr

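As an added example (not part of the UNIRAS or Sophos text), the following Python filter reconstructs the three-part attachment naming scheme described above and flags matching names in constructed mail-gateway log lines. The log format and the case-insensitive matching are assumptions.

```python
import re

# Name components as listed in the W32/Badtrans-B description above.
FIRST_PARTS = [
    "FUN", "HUMOR", "DOCS", "S3MSONG", "Sorry_about_yesterday", "ME_NUDE",
    "CARD", "SETUP", "SEARCHURL", "YOU_ARE_FAT!", "HAMSTER", "NEWS_DOC",
    "New_Napster_Site", "README", "IMAGES", "PICS",
]
SECOND_PARTS = [".DOC.", ".MP3.", ".ZIP."]
THIRD_PARTS = ["pif", "scr"]

# One anchored pattern: <first><second><third>, e.g. "CARD.DOC.pif".
# Case-insensitive matching is an assumption (the advisory lists each part
# in one case only) so that differently cased variants are still caught.
_FIRST = "|".join(re.escape(p) for p in FIRST_PARTS)
_SECOND = "|".join(re.escape(p) for p in SECOND_PARTS)
_THIRD = "|".join(THIRD_PARTS)
BADTRANS_NAME = re.compile(rf"^(?:{_FIRST})(?:{_SECOND})(?:{_THIRD})$", re.IGNORECASE)

def is_badtrans_attachment(filename: str) -> bool:
    """True if the attachment name follows the Badtrans-B three-part scheme."""
    return BADTRANS_NAME.match(filename.strip()) is not None

# Constructed sample gateway log (hypothetical key=value format, not real data).
SAMPLE_LOG = """\
id=1 from=alice@example.test attach=quarterly.doc
id=2 from=bob@example.test attach=CARD.DOC.pif
id=3 from=carol@example.test attach=report.zip
id=4 from=dave@example.test attach=Humor.MP3.scr
id=5 from=erin@example.test attach=README.txt
"""

ATTACH_RE = re.compile(r"\bid=(\d+)\b.*\battach=(\S+)")

def flag_log(log_text: str) -> list:
    """Return (message id, attachment) for each line carrying a Badtrans-B name."""
    hits = []
    for line in log_text.splitlines():
        m = ATTACH_RE.search(line)
        if m and is_badtrans_attachment(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for msg_id, name in flag_log(SAMPLE_LOG):
        print(f"message {msg_id}: quarantine attachment {name}")
```
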
If the attached file is run, it copies itself into the Windows
system directory with the filename KERNEL32.EXE and changes the
registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that
the worm runs the next time Windows is started. The worm also
drops a file named kdll.dll, which is the password stealing
Trojan Troj/PWS-AV.


Download the IDE file from
http://www.sophos.com/downloads/ide/badtranb.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32badtransb.html

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications


*******************************************************************************

Name: Troj/PWS-AV
Type: Trojan
Date: 24 November 2001

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated
into the January 2002 (3.53) release of Sophos Anti-Virus.

At the time of writing Sophos has received just one report of
this Trojan from the wild.

Description:

Troj/PWS-AV is dropped by the W32/Badtrans-B worm.

The Trojan logs the user's keystrokes in order to gain
privileged information such as passwords.


Download the IDE file from
http://www.sophos.com/downloads/ide/pws-av.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/trojpwsav.html

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications

- - - - -----------------------------------------------------------------------------
For additional information or assistance, please contact the UNIRAS Help
Desk by telephone; Not Protectively Marked information may also be sent by
email to:

uniras@niscc.gov.uk
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

UNIRAS material is also available from our website at www.uniras.gov.uk 
- - - - -----------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of SOPHOS and Messagelabs
for the information contained in this briefing. 
- - - - -----------------------------------------------------------------------------
This Alert contains the information released by the original author. Some of the 
information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS.  The views and 
opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

UNIRAS shall also accept no responsibility for any errors or omissions 
contained within this alert notice. In particular, UNIRAS shall not be 
liable for any loss or damage whatsoever, arising from or in connection with 
the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- - - - -----------------------------------------------------------------------------
<End of UNIRAS Alert>


- --------------------------END INCLUDED TEXT--------------------

This alert is provided as a service to AusCERT's members.  As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content.  The decision to use any or all of this information is the
responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the alert.  It may not be
updated when updates to the original are made.  If downloading at a later
date, it is recommended that the alert is retrieved directly from the
original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the alert above.  If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be 
retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

