[pmmail-list] Filter for newest virus
Dave Hathaway
pmmail-list@blueprintsoftwareworks.com
Tue, 27 Nov 2001 08:47:24 -0600
On Tue, 27 Nov 2001 06:24:05 -0800, Kenneth Porter wrote:
>http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
>
>Anyone got a filter for this? I'm seeing it weighing in at about 40k
>for each message, and no body, just the attachments. I'm thinking
>something like subject of "Re:", empty body, and size from 38k to 42k
>(to allow for variation in headers).
On the theory that more sources of information are better, this is
from:
http://www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2608
A new variant of Badtrans has been discovered, referred to as
Badtrans.b. AVERT has raised the Risk Assessment on this variant of
W32/Badtrans@MM to High Risk for Consumers. We have received many
reports from the home users that they have become infected. It is
believed that failure to update recently has caused this increase in
occurrence.
VirusScan and other McAfee products with DAT files 4172 and higher are
protected from this variant.
W32/Badtrans@MM is a mass-mailing worm that drops a remote-access
Trojan. The virus arrives via email in Microsoft Outlook and attempts
to send itself by replying to unread email messages. The email may
contain the text "Take a look to the attachment" in the message body
and will contain an attachment that is 13,312 bytes in length. The
attachment name is created from three sections.
The first part is chosen from the possibilities:
fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics
The second part is chosen from the possibilities:
.DOC.
.MP3.
.ZIP.
and the last part from the possibilities:
pif
scr
This new variant also uses the iframe exploit and incorrect MIME
header to run automatically on unpatched systems. See Microsoft
Security Bulletin (MS01-020) for more information and a patch.
*****
Then, from:
http://vil.mcafee.com/dispVirus.asp?virus_k=99069&
Badtrans.b details:
When run, this variant copies itself to the WINDOWS SYSTEM directory
as KERNEL32.EXE and creates a registry run key to load itself at
startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kernel32.exe
This variant replies to incoming email messages and sends itself to
email addresses found in "*.asp" and "*.ht*" files. The sender address
used by the virus when emailing itself to others may be chosen from
the following list:
" Anna" <aizzo@home.com>
"JUDY" <JUJUB271@AOL.COM>
"Rita Tulliani" <powerpuff@videotron.ca>
"Tina" <tina0828@yahoo.com>
"Kelly Andersen" <Gravity49@aol.com>
"Andy" <andy@hweb-media.com>
"Linda" <lgonzal@hotmail.com>
"Mon S" <spiderroll@hotmail.com>
"Joanna" <joanna@mail.utexas.edu>
"JESSICA BENAVIDES" <jessica@aol.com>
" Administrator" <administrator@border.net>
" Admin" <admin@gte.net>
"Support" <support@cyberramp.net>
"Monika Prado" <monika@telia.com>
"Mary L. Adams" <mary@c-com.net>
Additionally, the virus prepends the return address used with an "_"
(underscore). Thus replying to an infected message will fail to reach
the intended recipient.
The message subject is typically: "Re:"
The message attachment name is created from three sections. The first
part is chosen from the possibilities:
fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics
The second part is chosen from the possibilities:
.DOC.
.MP3.
.ZIP.
and the last part from the possibilities:
pif
scr
This new variant uses the iframe exploit and incorrect MIME header to
run automatically on unpatched systems. See Microsoft Security
Bulletin (MS01-020) for more information and a patch.
It also drops a password-stealing trojan (KDLL.DLL), detected as
PWS-AV variant with the 4172 DATs or greater.
*******
HTH,
Dave
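Kenneth's filter idea and the traits quoted from McAfee above, combined into one check as an added example that is not from the list post, from PMMail, or from McAfee. It uses Python's standard email library; the attachment-name regex, sender list, 13,312-byte size and "_" prefix come straight from the quoted text, and the sample message is constructed here, not a captured worm mail.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
# Attachment-name pieces and spoofed senders exactly as quoted in the McAfee text.
FIRST = ["fun", "Humor", "docs", "info", "Sorry_about_yesterday", "Me_nude",
         "Card", "SETUP", "stuff", "YOU_are_FAT!", "HAMSTER", "news_doc",
         "New_Napster_Site", "README", "images", "Pics"]
SECOND, THIRD = [".DOC.", ".MP3.", ".ZIP."], ["pif", "scr"]
SPOOFED = {"aizzo@home.com", "jujub271@aol.com", "powerpuff@videotron.ca",
           "tina0828@yahoo.com", "gravity49@aol.com", "andy@hweb-media.com",
           "lgonzal@hotmail.com", "spiderroll@hotmail.com", "joanna@mail.utexas.edu",
           "jessica@aol.com", "administrator@border.net", "admin@gte.net",
           "support@cyberramp.net", "monika@telia.com", "mary@c-com.net"}
ATTACH_LEN = 13312
# Windows file names are case-insensitive, so the three-part name is matched that way.
NAME_RE = re.compile("^(?:%s)(?:%s)(?:%s)$" % tuple(
    "|".join(map(re.escape, p)) for p in (FIRST, SECOND, THIRD)), re.IGNORECASE)

def badtrans_indicators(raw):
    """Return the Badtrans.b traits found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() == "Re:":
        hits.append("subject Re:")
    # The worm prepends "_" to the spoofed sender address; drop it before comparing.
    addr = parseaddr(str(msg.get("From", "")))[1].lower().lstrip("_")
    if addr in SPOOFED:
        hits.append("spoofed sender")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    if text == "" or "Take a look to the attachment" in text:
        hits.append("empty or lure body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if NAME_RE.match(name):
            hits.append("attachment name " + name)
        if len(part.get_content()) == ATTACH_LEN:
            hits.append("attachment is 13,312 bytes")
    return hits

def sample_message():
    """Constructed message shaped as the advisory describes (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = '"Anna" <_aizzo@home.com>'
    msg["Subject"] = "Re:"
    msg.add_attachment(b"\0" * ATTACH_LEN, maintype="application",
                       subtype="octet-stream", filename="Card.DOC.pif")
    return msg.as_bytes()
```

In a filter the attachment-name match alone is enough to quarantine; the other traits help catch a renamed copy and keep a bare "Re:" subject from triggering on its own.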