Hello,
what does this virus W32.Badtrans.B@mm do? It keeps getting sent to me by email these last few days!!
thx, oeffi
Hi Oeffi,
I received the following mail from the support team of my virus scanner; it contains everything worth knowing about the virus and its removal:
CSRT Alert - Medium Risk
=======================
Win32.BadtransII
and Win32.Badtrans.dll
Alias: W32/Badtrans-B, BADTRANS.B, WORM_BADTRANS.B, W32/Badtrans@MM,
W32.Badtrans.B@mm, W32/BadTrans.B-mm
Threat Level: Medium
Platforms: 95, 98, ME, NT, 2000
Updated on: 27 November, 2001
Arrival Form: Email
Type: Win32, Trojan, Worm
Damage: Steal information, Other
-----------------------------------------------------------------------
Analysis
========
Win32.BadTransII is an email spreading vandal which attempts to install a
spying keystroke logger on infected machines and tries to steal access
passwords to connections. When arriving by email this vandal runs
automatically by using an Outlook Express exploit known as the X-WAV
exploit. More information about this exploit and a patch is available from
Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
** eSafe products proactively protect against this exploit even without a
vandal/virus update **
Infection
---------
The arriving email will have the following format:
From: a list of random email addresses
Subject: random words from the following list: Humor, fun, docs, info
Body: No body text
Attached file: random attached file name with a double extension. The list
of possible names: Pics, images, New_Napster_Site, README, stuff, SETUP,
Card, Me_nude, Sorry_about_yesterday, news_doc, HAMSTER, YOU_are_FAT!
The first file extension will be one of the following: .DOC, .ZIP, .MP3
The second extension will be one of the following: .PIF, .SCR
This vandal can also arrive as a reply to an email. In that case the
subject line will begin with Re: and following would be the original
subject line.
It also searches files with the extensions .HT* and .ASP (HTML files) and
sends infected emails to addresses found there. Usually there will be many
such HTML files in the browser cache directories.
Operation
---------
When an infected email is viewed on a system unpatched by Microsoft, the
file is automatically executed and will perform the following:
1. Create a copy of itself under the name KERNEL32.EXE in the Windows
System directory (usually C:\Windows\System).
2. Create a file named KDLL.DLL (detected by eSafe as Win32.Badtrans.dll)
in the Windows System directory. This file is a spying Trojan. It collects
information about the PC including dial-up passwords. It is also a
keystroke logger, collecting all the keyboard entries and the respective
applications. All this information is saved encrypted to a file named
CP_25389.NLS and sent to a predefined email address.
3. To execute itself each time the computer starts, the following registry
entry is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
kernel32 = "kernel32.exe"
4. Use MAPI to send copies of itself to address book entries as well as
addresses in HTML pages stored locally and as a reply to unread messages.
Removal Instructions
====================
Manual Removal
--------------
1. Find and delete the files: KERNEL32.EXE and CP_25389.NLS
2. Using Regedit.exe, find the key HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe". Delete the
registry value kernel32.
3. Disable email previewing in Outlook Express. Delete all email messages
that correspond to the descriptions above.
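As an added example (not code from the forum post, nor from the CSRT/eSafe alert), the following Python script turns the alert's indicators into two checks: a mail-side classifier for the attachment naming scheme and subject words described under "Infection", and a host-side check for the dropped files and the RunOnce value described under "Operation" and "Removal Instructions". The sample messages, the System-directory listing and the RunOnce values are constructed for the demonstration; on a real host the listing would come from os.listdir() and the registry value from winreg, which the script deliberately does not touch.

```python
"""Indicator checks for the W32.Badtrans.B@mm description quoted above.

Added example, not code from the forum post or from eSafe/CSRT.  Every
message, file listing and registry value below is constructed for the
demonstration; nothing is read from a real mailbox or a real Windows host.
"""
import re

# Attachment naming scheme from the alert: <name>.<DOC|ZIP|MP3>.<PIF|SCR>
BASENAMES = {
    "pics", "images", "new_napster_site", "readme", "stuff", "setup", "card",
    "me_nude", "sorry_about_yesterday", "news_doc", "hamster", "you_are_fat!",
}
FIRST_EXT = {".doc", ".zip", ".mp3"}
SECOND_EXT = {".pif", ".scr"}
SUBJECT_WORDS = {"humor", "fun", "docs", "info"}

# a name followed by exactly two dot-separated extensions at the end
ATTACHMENT_RE = re.compile(
    r"^(?P<base>.+?)(?P<ext1>\.[a-z0-9]+)(?P<ext2>\.[a-z0-9]+)$", re.IGNORECASE)


def attachment_matches(filename):
    """True when the attachment name follows the worm's double-extension scheme."""
    m = ATTACHMENT_RE.match(filename.strip())
    if not m:
        return False
    return (m["base"].lower() in BASENAMES
            and m["ext1"].lower() in FIRST_EXT
            and m["ext2"].lower() in SECOND_EXT)


def classify(msg):
    """Classify one message dict (subject, body, attachments).

    Returns (verdict, reasons).  A matching attachment is decisive; a bare
    subject word with an empty body is only a weak signal, because the worm
    also replies with "Re: <original subject>", which a subject check cannot
    tell apart from a legitimate reply.
    """
    reasons = [f"attachment {name!r} uses the Badtrans.B double extension"
               for name in msg.get("attachments", []) if attachment_matches(name)]
    if reasons:
        return "badtrans-b", reasons
    subject = msg.get("subject", "").strip().lower()
    if subject in SUBJECT_WORDS and not msg.get("body", "").strip():
        return "suspicious", [f"empty body with subject {msg['subject']!r}"]
    return "clean", []


# Host-side artifacts from the "Operation" section
DROPPED_FILES = ("kernel32.exe", "kdll.dll", "cp_25389.nls")


def host_indicators(system_dir_files, runonce_values):
    """Report which Badtrans.B artifacts are present.

    system_dir_files: names found in the Windows System directory.
    runonce_values:   value name -> data under HKLM\\...\\CurrentVersion\\RunOnce.
    Both are passed in as plain data so the check runs anywhere; on a live
    host they would come from os.listdir() and winreg.
    """
    found = []
    present = {name.lower() for name in system_dir_files}
    for name in DROPPED_FILES:
        # KERNEL32.DLL is the legitimate system library and is never listed;
        # only the worm's KERNEL32.EXE copy counts as an indicator.
        if name in present:
            found.append(f"file {name}")
    if runonce_values.get("kernel32", "").strip().lower() == "kernel32.exe":
        found.append("RunOnce value kernel32 = kernel32.exe")
    return found


# Constructed samples (not real captured mail or a real host)
SAMPLE_MESSAGES = [
    {"subject": "fun", "body": "", "attachments": ["Me_nude.MP3.scr"]},
    {"subject": "Re: meeting tomorrow", "body": "", "attachments": ["README.DOC.pif"]},
    {"subject": "Quarterly report", "body": "Attached is the report.",
     "attachments": ["report.doc"]},
    {"subject": "info", "body": "", "attachments": ["Card.zip"]},
]
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "kernel32.exe", "KDLL.DLL", "user32.dll"]
SAMPLE_RUNONCE = {"kernel32": "kernel32.exe"}

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = classify(msg)
        print(f"{msg['subject']!r:28} -> {verdict} {reasons}")
    print("host indicators:", host_indicators(SAMPLE_SYSTEM_DIR, SAMPLE_RUNONCE))
```

The host check lists KERNEL32.EXE and never the legitimate KERNEL32.DLL, which matters when following the manual removal steps: deleting the wrong file leaves Windows unbootable. The mail-side check is only as good as the name list in the alert; a mail with the same attachment under a name not in that list would be missed, so the filter should be treated as a supplement to an updated scanner, not a replacement for the MS01-020 patch.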