IMPORTANT: Virus information

Max Louwerse mlouwers at MEMPHIS.EDU
Tue Jan 29 21:15:44 UTC 2002 

Dear all,

The DISCOURSE list seems to be distributing many viruses lately. I have
received at least four now, and I have contacted the persons who 'sent'
them.

If you are using Microsoft Outlook or Outlook Express, the current virus (or
actually worm) will automatically attach itself to any addresses in your
address book. It will then automatically select a part of a random document
from your hard disk and send it to anybody in your address book. The result
is that the virus (worm) keeps spreading around.

My strong recommendation would be to get an updated anti-virus program
(Norton Anti-Virus for instance), who picks up these viruses and worms
immediately. Getting such a program doesn't only help yourself (your
computer will not be infected, random files will not be sent to people) but
also others, particularly those that are subscribed to a list.

If you need further information (see  also
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.ht
ml), please don't hesitate to contact me.

Best regards,

Max Louwerse.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Information on current virus
(http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.h
tml)

This worm arrives as an email with one of several attachment names and a
combination of two appended extensions. It contains a set of bits that
control its behavior:
001 Log every window text
002 Encrypt keylog
004 Send log file to one of its addresses
008 Send cached passwords
010 Shut down at specified time
020 Use copyname as registry name (else kernel32)
040 Use kernel32.exe as copyname
080 Use current filename as copypath (skips 100 check)
100 Copy to %system% (else copy to %windows%)

NOTE: If Norton AntiVirus detects this in an email message as
W32.Badtrans.B at mm.enc (not as W32.Badtrans.B at mm), this is the detection for
the MIME-encoded exploit in the body of the email, and it is harmless as
long as the attachment has been deleted. We recommend that you delete
messages detected as W32.Badtrans.B at mm.enc and notify the person who sent it
to you. We also strongly recommend that you run a full system scan to make
sure that no other infection exists.

For additional information on .enc detections, read the document What is an
.enc detection?

When it is first executed, it copies itself to %System% or %Windows% as
Kernel32.exe, based on the control bits. Then it registers itself as a
service process (Windows 9x/Me only). It creates the key log file
%System%\Cp_25389.nls and drops %System%\Kdll.dll which contains the key
logging code.

NOTE: %Windows% and %System% are variables. The worm locates the \Windows
folder (by default this is C:\Windows or C:\Winnt) or the \System folder (by
default this is C:\Windows\System or C:\Winnt\System32) and copies itself to
that location.

A timer is used to examine the currently open window once per second and to
check for a window title that contains any of the following as the first
three characters:

LOG
PAS
REM
CON
TER
NET

These texts form the start of the words LOGon, PASsword, REMote, CONnection,
TERminal, NETwork. There are also Russian versions of these same words in
the list. If any of these words are found, then the key logging is enabled
for 60 seconds. Every 30 seconds, the log file and the cached passwords are
sent to one of these addresses or some others which are currently not
operational:
ZVDOHYIK at yahoo.com
udtzqccc at yahoo.com
DTCELACB at yahoo.com
I1MCH2TH at yahoo.com
WPADJQ12 at yahoo.com
smr at eurosport.com
bgnd2 at canada.com
muwripa at fairesuivre.com
eccles at ballsy.net
S_Mentis at mail-x-change.com
YJPFJTGZ at excite.com
JGQZCD at excite.com
XHZJ3 at excite.com
OZUNYLRL at excite.com
tsnlqd at excite.com
cxkawog at krovatka.net
ssdn at myrealbox.com

After 20 seconds, the worm shuts down if the appropriate control bit is set.

If RAS support is present on the computer, then the worm waits for an active
RAS connection. When such a connection is made, with a 33-percent chance,
the worm searches for email addresses in *.ht* and *.asp in %Personal% and
Internet Explorer %Cache%. If it finds addresses in these files, then it
sends mail to those addresses using the victim's SMTP server. If this server
is unavailable, the worm will choose from a list of its own. The attachment
name will be one of the following:
Pics
images
README
New_Napster_Site
news_doc
HAMSTER
YOU_are_FAT!
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
info
docs
Humor
fun

In all cases, MAPI will also be used to find unread mail to which the worm
will reply. The subject will be "Re:". In that case, the attachment name
will be one of the following:
PICS
IMAGES
README
New_Napster_Site
NEWS_DOC
HAMSTER
YOU_ARE_FAT!
SEARCHURL
SETUP
CARD
ME_NUDE
Sorry_about_yesterday
S3MSONG
DOCS
HUMOR
FUN

In all cases, the worm appends two extensions. The first is one of the
following:
.doc
.mp3
.zip

The second extension that is appended to the file name is one of the
following:
.pif
.scr

The resulting file name would look similar to CARD.doc.pif or
NEWS_DOC.mp3.scr.

If SMTP information can be found on the computer, then it will be used for
the From: field. Otherwise, the From: field will be one of these:
"Mary L. Adams" <mary at c-com.net>
"Monika Prado" <monika at telia.com>
"Support" <support at cyberramp.net>
" Admin" <admin at gte.net>
" Administrator" <administrator at border.net>
"JESSICA BENAVIDES" <jessica at aol.com>
"Joanna" <joanna at mail.utexas.edu>
"Mon S" <spiderroll at hotmail.com>
"Linda" <lgonzal at hotmail.com>
" Andy" <andy at hweb-media.com>
"Kelly Andersen" <Gravity49 at aol.com>
"Tina" <tina0828 at yahoo.com>
"Rita Tulliani" <powerpuff at videotron.ca>
"JUDY" <JUJUB271 at AOL.COM>
" Anna" <aizzo at home.com>

Email messages use the malformed MIME exploit to allow the attachment to
execute in Microsoft Outlook without prompting. For information on this, go
to:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm writes email addresses to the %System%\Protocol.dll file to prevent
multiple emails to the same person. Additionally, the underscore ( _ )
character is prepended to the sender's email address, which prevents
replying to infected mails to warn the sender (for example, user at website.com
becomes _user at website.com).

After sending the mail, the worm adds the value

Kernel32   kernel32.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

This causes the worm to run the next time that you start Windows. This value
can differ based on the control bits mentioned previously.


Removal instructions:

The preferred way to remove this worm is to use the W32.Badtrans.B at mm
Removal Tool. If for any reason you cannot obtain the tool, you must remove
the worm manually.

Manual removal

An online tutorial on how to manually remove W32.Badtrans.B at mm is available
here.

To remove this worm manually, you must first remove the worm files and then
reverse the change that it made to the registry.

Remove the worm files
Follow the instructions for your version of Windows.

Windows 95/98/Me/2000/XP
Because the worm file may be in use, you must in most cases restart in Safe
mode before Norton AntiVirus can delete it.

CAUTION: For Windows Me users only. If you are running Windows Me, follow
the instructions in the section System Restore option in Windows Me that is
located at the end of this document before you begin the removal procedure.


1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Restart the computer in Safe Mode. For instructions on how to do this,
read the document for your operating system:
How to restart Windows 9x or Windows Me in Safe mode.
How to start Windows 2000 in Safe mode.
How to start Windows XP in Safe Mode.
3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
4. Run a full system scan.
5. Write down the names of any files that are detected as W32.Badtrans.B at mm,
and then delete them.
6. When the scan is finished, go on to the section Edit the registry.

Windows NT
Because the worm file may be in use, you must in most cases End Process on
it before Norton AntiVirus can delete it.
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Press Ctrl+Alt+Delete one time.
3. Click Task Manager.
4. Click the Processes tab.
5. Click the "Image Name" column header two times to sort the processes
alphabetically.
6. Scroll through the list and look for Kernel32.exe. If you find the file,
click it and then click End Process.
7. Close the Task Manager.
8. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
9. Run a full system scan.
10. Write down the names of any files that are detected as
W32.Badtrans.B at mm, and then delete them.
11. When the scan is finished, go on to the section Edit the registry.

Edit the registry:

CAUTION: We strongly recommend that you back up the system registry before
you make any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys that are specified. Please see the document How to back up the
Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

4. In the right pane, delete the following value:

Kernel32   kernel32.exe

CAUTION: The reference to Kernel32 is the most common value that is added by
the worm, but it is not the only one possible. In some cases, it may not be
there. In addition to looking for and deleting this value, you must also
look for values that refer to any file names that were detected as infected
by this worm when you ran the full system scan. All such values must be
deleted.

5. Click Registry, and then click Exit.
6. Restart the computer.
7. To make sure that all files have been removed, start Norton AntiVirus and
run another full system scan.



Additional information:

Prevention

Corporate email filtering systems should block all email that have
attachments with the extensions .scr and .pif.
Home users should not open any email that has an attachment in which the
second extension is .pif or .scr. Any email that has such an attachment
should be deleted.


________________________________________
 Dr. Max Louwerse
 Department of Psychology
 University of Memphis
 Psychology Building
 Memphis TN 38152
 USA

 phone: (901) 678-2143
 fax:   (901) 678-2579

 email: mlouwers at memphis.edu / max at mail.psyc.memphis.edu

 http://www.psyc.memphis.edu/faculty/louwerse
________________________________________

More information about the Discours mailing list