Kaspersky Threats — BadtransII

Class

Platform

Description

Technical Details

This is a worm that spreads under Win32 systems. The virus sends e-mail messages
with infected files attached, as well as installs a spying Trojan component
to steal information from infected systems. The worm was discovered
in-the-wild in November 2001.

The worm itself is a Win32 executable file (PE EXE file). It was found
in-the-wild in compressed form, and is about 29Kb in size. Upon being
decompressed, the worm file length becomes about 60Kb in size.

The worm consists of two main components, the Worm and Trojan. The “Worm”
component sends infected messages, and the “Trojan” component sends out
information (user’s info, RAS data, cached passwords, keyboard log) from
infected computers to a specified e-mail address. It also keeps a “keylogger”
program body in its code, and installs it into the system while infecting a new
machine.

Infecting the system

When an infected file is run (when a user clicks on an attached file and
activates it, or if the worm gains control through an IFRAME security breach),
the worm code gains control. First of all, it drops (installs)
its components to the system and registers in the system registry.

The installed Trojan file-name, the target directory and registry key are
optional. They are stored in encrypted form in the Trojan file at the file end.
A hacker may configure them before sending them to a victim’s machine, or
before putting it on a Web site.

The worm also drops an additional keyboard hooker (Win32 DLL file) to the system,
and then uses this to spy on text entered by a keyboard. The DLL file name is
optional as well.

Other optional features are:

– the worm deletes original infected file when installation is complete
– the size of keyboard log file

Spreading

To send infected messages, the worm uses a direct connection to an SMTP server.
A victim’s e-mail addresses are obtained in two different ways:

#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from here
#2. The worm, using MAPI functions, reads all e-mail from the incoming box,
and obtains e-mail addresses from here.

Next, the worm sends infected messages. The message body contains HTML format, and
uses an IFRAME breach to spawn an infected attachment on vulnerable machines.

The message fields are as follows:

From: – original sender, or fake address, randomly selected from:

” Anna”
“JUDY”
“Rita Tulliani” “Tina”
“Kelly Andersen”

” Andy”
“Linda”
“Mon S”
“Joanna”
“JESSICA BENAVIDES”
” Administrator”
” Admin”
“Support”
“Monika Prado”
“Mary L. Adams”
” Anna” “JUDY”
“Tina”

The original sender address is a bit modified: the “_” character is inserted
before the e-mail address in there, for example:

“John K. Smith” “Vasja Pupkin” – original address

“John K. Smith” <_john123@yahoo.com> “Vasja Pupkin” <_vasyap@rambler.ru> – sent by worm
Subject: empty, or “Re:”, or “Re:” followed by original Subject from real
Inbox messsage (see #2 above)

Body: empty

Attachment: randomly selected “filename + ext1 + ext2” where:
“Filename”:
 Pics      (or PICS )                  Card     (or CARD)
 images    (or IMAGES)                 Me_nude  (or ME_NUDE)
 README                                Sorry_about_yesterday
 New_Napster_Site                      info
 news_doc  (or NEWS_DOC)               docs   (or DOCS)
 HAMSTER                               Humor  (or HUMOR)
 YOU_are_FAT! (or YOU_ARE_FAT!)        fun    (or FUN)
 stuff                                 SEARCHURL
 SETUP                                 S3MSONG

 "ext1": .DOC .ZIP .MP3
 "ext2":  .scr, .pif
For example: “info.DOC.scr”

The worm doesn’t send infected messages twice to the same address. To do this,
it stores all infected e-mails in the Windows system directory in a PROTOCOL.DLL
file, and checks this file content before sending a new message.

Spying Trojan

This routine stores stolen information to a log file (with an optional name), and
encrypts this information with a key (also optional). After a period of time, this
information is sent to one of a number of randomly selected e-mail addresses. A list of these addresses appears below; the list contains 22 addresses and e-mail servers; and
these messages are sent through (email + server):

 ZVDOHYIK@yahoo.com               mx2.mail.yahoo.com
 udtzqccc@yahoo.com               mx2.mail.yahoo.com
 DTCELACB@yahoo.com               mx2.mail.yahoo.com
 I1MCH2TH@yahoo.com               mx2.mail.yahoo.com
 WPADJQ12@yahoo.com               mx2.mail.yahoo.com
 fjshd@rambler.ru                 mail5.rambler.ru
 smr@eurosport.com                mail.ifrance.com
 bgnd2@canada.com                 mail.canada.com
 muwripa@fairesuivre.com          fs.cpio.com
 rmxqpey@latemodels.com           inbound.latemodels.com.criticalpath.net
 eccles@ballsy.net                inbound.ballsy.net.criticalpath.net
 suck_my_prick@ijustgotfired.com  mail.monkeybrains.net
 suck_my_prick4@ukr.net           mail.ukr.net
 thisisno_fucking_good@usa.com    usa-com.mr.outblaze.com
 S_Mentis@mail-x-change.com       mail-fwd.rapidsite.net
 YJPFJTGZ@excite.com              mta.excite.com
 JGQZCD@excite.com                mta.excite.com
 XHZJ3@excite.com                 mta.excite.com
 OZUNYLRL@excite.com              mta.excite.com
 tsnlqd@excite.com                mta.excite.com
 cxkawog@krovatka.net             imap.front.ru
 ssdn@myrealbox.com               smtp.myrealbox.com

Found In-The-Wild

This worm variant found in-the-wild on November 24, 2001 has the following
options:

It installs itself to a Windows system directory with the KERNEL32.EXE name, and
registers it in the following registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
Kernel32 = kernel32.exe

It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system
directory with the CP_25389.NLS name.

Class	Email-Worm
Platform	Win32
Description	Technical Details This is a worm that spreads under Win32 systems. The virus sends e-mail messages with infected files attached, as well as installs a spying Trojan component to steal information from infected systems. The worm was discovered in-the-wild in November 2001. The worm itself is a Win32 executable file (PE EXE file). It was found in-the-wild in compressed form, and is about 29Kb in size. Upon being decompressed, the worm file length becomes about 60Kb in size. The worm consists of two main components, the Worm and Trojan. The “Worm” component sends infected messages, and the “Trojan” component sends out information (user’s info, RAS data, cached passwords, keyboard log) from infected computers to a specified e-mail address. It also keeps a “keylogger” program body in its code, and installs it into the system while infecting a new machine. Infecting the system When an infected file is run (when a user clicks on an attached file and activates it, or if the worm gains control through an IFRAME security breach), the worm code gains control. First of all, it drops (installs) its components to the system and registers in the system registry. The installed Trojan file-name, the target directory and registry key are optional. They are stored in encrypted form in the Trojan file at the file end. A hacker may configure them before sending them to a victim’s machine, or before putting it on a Web site. The worm also drops an additional keyboard hooker (Win32 DLL file) to the system, and then uses this to spy on text entered by a keyboard. The DLL file name is optional as well. Other optional features are: – the worm deletes original infected file when installation is complete – the size of keyboard log file Spreading To send infected messages, the worm uses a direct connection to an SMTP server. A victim’s e-mail addresses are obtained in two different ways: #1. The worm scans .HT and .ASP files and extracts e-mail addresses from here #2. The worm, using MAPI functions, reads all e-mail from the incoming box, and obtains e-mail addresses from here. Next, the worm sends infected messages. The message body contains HTML format, and uses an IFRAME breach to spawn an infected attachment on vulnerable machines. The message fields are as follows: From: – original sender, or fake address, randomly selected from: ” Anna” “JUDY” “Rita Tulliani” “Tina” “Kelly Andersen” ” Andy” “Linda” “Mon S” “Joanna” “JESSICA BENAVIDES” ” Administrator” ” Admin” “Support” “Monika Prado” “Mary L. Adams” ” Anna” “JUDY” “Tina” The original sender address is a bit modified: the “_” character is inserted before the e-mail address in there, for example: “John K. Smith” “Vasja Pupkin” – original address “John K. Smith” <_john123@yahoo.com> “Vasja Pupkin” <_vasyap@rambler.ru> – sent by worm Subject: empty, or “Re:”, or “Re:” followed by original Subject from real Inbox messsage (see #2 above) Body: empty Attachment: randomly selected “filename + ext1 + ext2” where: “Filename”: Pics (or PICS ) Card (or CARD) images (or IMAGES) Me_nude (or ME_NUDE) README Sorry_about_yesterday New_Napster_Site info news_doc (or NEWS_DOC) docs (or DOCS) HAMSTER Humor (or HUMOR) YOU_are_FAT! (or YOU_ARE_FAT!) fun (or FUN) stuff SEARCHURL SETUP S3MSONG "ext1": .DOC .ZIP .MP3 "ext2": .scr, .pif For example: “info.DOC.scr” The worm doesn’t send infected messages twice to the same address. To do this, it stores all infected e-mails in the Windows system directory in a PROTOCOL.DLL file, and checks this file content before sending a new message. Spying Trojan* This routine stores stolen information to a log file (with an optional name), and encrypts this information with a key (also optional). After a period of time, this information is sent to one of a number of randomly selected e-mail addresses. A list of these addresses appears below; the list contains 22 addresses and e-mail servers; and these messages are sent through (email + server): ZVDOHYIK@yahoo.com mx2.mail.yahoo.com udtzqccc@yahoo.com mx2.mail.yahoo.com DTCELACB@yahoo.com mx2.mail.yahoo.com I1MCH2TH@yahoo.com mx2.mail.yahoo.com WPADJQ12@yahoo.com mx2.mail.yahoo.com fjshd@rambler.ru mail5.rambler.ru smr@eurosport.com mail.ifrance.com bgnd2@canada.com mail.canada.com muwripa@fairesuivre.com fs.cpio.com rmxqpey@latemodels.com inbound.latemodels.com.criticalpath.net eccles@ballsy.net inbound.ballsy.net.criticalpath.net suck_my_prick@ijustgotfired.com mail.monkeybrains.net suck_my_prick4@ukr.net mail.ukr.net thisisno_fucking_good@usa.com usa-com.mr.outblaze.com S_Mentis@mail-x-change.com mail-fwd.rapidsite.net YJPFJTGZ@excite.com mta.excite.com JGQZCD@excite.com mta.excite.com XHZJ3@excite.com mta.excite.com OZUNYLRL@excite.com mta.excite.com tsnlqd@excite.com mta.excite.com cxkawog@krovatka.net imap.front.ru ssdn@myrealbox.com smtp.myrealbox.com Found In-The-Wild This worm variant found in-the-wild on November 24, 2001 has the following options: It installs itself to a Windows system directory with the KERNEL32.EXE name, and registers it in the following registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce Kernel32 = kernel32.exe It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system directory with the CP_25389.NLS name.

Email-Worm.Win32.BadtransII

Technical Details