Email-Worm.Win32.BadtransII

Class Email-Worm
Platform Win32
Description

Technical Details

This is a worm that spreads under Win32 systems. The virus sends e-mail messages
with infected files attached, as well as installs a spying Trojan component
to steal information from infected systems. The worm was discovered
in-the-wild in November 2001.

The worm itself is a Win32 executable file (PE EXE file). It was found
in-the-wild in compressed form, and is about 29Kb in size. Upon being
decompressed, the worm file length becomes about 60Kb in size.

The worm consists of two main components, the Worm and Trojan. The “Worm”
component sends infected messages, and the “Trojan” component sends out
information (user’s info, RAS data, cached passwords, keyboard log) from
infected computers to a specified e-mail address. It also keeps a “keylogger”
program body in its code, and installs it into the system while infecting a new
machine.

Infecting the system

When an infected file is run (when a user clicks on an attached file and
activates it, or if the worm gains control through an IFRAME security breach),
the worm code gains control. First of all, it drops (installs)
its components to the system and registers in the system registry.

The installed Trojan file-name, the target directory and registry key are
optional. They are stored in encrypted form in the Trojan file at the file end.
A hacker may configure them before sending them to a victim’s machine, or
before putting it on a Web site.

The worm also drops an additional keyboard hooker (Win32 DLL file) to the system,
and then uses this to spy on text entered by a keyboard. The DLL file name is
optional as well.

Other optional features are:

– the worm deletes original infected file when installation is complete
– the size of keyboard log file

Spreading

To send infected messages, the worm uses a direct connection to an SMTP server.
A victim’s e-mail addresses are obtained in two different ways:

#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from here
#2. The worm, using MAPI functions, reads all e-mail from the incoming box,
and obtains e-mail addresses from here.

Next, the worm sends infected messages. The message body contains HTML format, and
uses an IFRAME breach to spawn an infected attachment on vulnerable machines.

The message fields are as follows:

From: – original sender, or fake address, randomly selected from:

” Anna”
“JUDY”
“Rita Tulliani” “Tina”
“Kelly Andersen”

” Andy”
“Linda”
“Mon S”
“Joanna”
“JESSICA BENAVIDES”
” Administrator”
” Admin”
“Support”
“Monika Prado”
“Mary L. Adams”
” Anna” “JUDY”
“Tina”

The original sender address is a bit modified: the “_” character is inserted
before the e-mail address in there, for example:

“John K. Smith” “Vasja Pupkin” – original address

“John K. Smith” <_john123@yahoo.com> “Vasja Pupkin” <_vasyap@rambler.ru> – sent by worm

Subject: empty, or “Re:”, or “Re:” followed by original Subject from real
Inbox messsage (see #2 above)

Body: empty

Attachment: randomly selected “filename + ext1 + ext2” where:

“Filename”:

 Pics      (or PICS )                  Card     (or CARD)
 images    (or IMAGES)                 Me_nude  (or ME_NUDE)
 README                                Sorry_about_yesterday
 New_Napster_Site                      info
 news_doc  (or NEWS_DOC)               docs   (or DOCS)
 HAMSTER                               Humor  (or HUMOR)
 YOU_are_FAT! (or YOU_ARE_FAT!)        fun    (or FUN)
 stuff                                 SEARCHURL
 SETUP                                 S3MSONG

 "ext1": .DOC .ZIP .MP3
 "ext2":  .scr, .pif

For example: “info.DOC.scr”

The worm doesn’t send infected messages twice to the same address. To do this,
it stores all infected e-mails in the Windows system directory in a PROTOCOL.DLL
file, and checks this file content before sending a new message.

Spying Trojan

This routine stores stolen information to a log file (with an optional name), and
encrypts this information with a key (also optional). After a period of time, this
information is sent to one of a number of randomly selected e-mail addresses. A list of these addresses appears below; the list contains 22 addresses and e-mail servers; and
these messages are sent through (email + server):

 ZVDOHYIK@yahoo.com               mx2.mail.yahoo.com
 udtzqccc@yahoo.com               mx2.mail.yahoo.com
 DTCELACB@yahoo.com               mx2.mail.yahoo.com
 I1MCH2TH@yahoo.com               mx2.mail.yahoo.com
 WPADJQ12@yahoo.com               mx2.mail.yahoo.com
 fjshd@rambler.ru                 mail5.rambler.ru
 smr@eurosport.com                mail.ifrance.com
 bgnd2@canada.com                 mail.canada.com
 muwripa@fairesuivre.com          fs.cpio.com
 rmxqpey@latemodels.com           inbound.latemodels.com.criticalpath.net
 eccles@ballsy.net                inbound.ballsy.net.criticalpath.net
 suck_my_prick@ijustgotfired.com  mail.monkeybrains.net
 suck_my_prick4@ukr.net           mail.ukr.net
 thisisno_fucking_good@usa.com    usa-com.mr.outblaze.com
 S_Mentis@mail-x-change.com       mail-fwd.rapidsite.net
 YJPFJTGZ@excite.com              mta.excite.com
 JGQZCD@excite.com                mta.excite.com
 XHZJ3@excite.com                 mta.excite.com
 OZUNYLRL@excite.com              mta.excite.com
 tsnlqd@excite.com                mta.excite.com
 cxkawog@krovatka.net             imap.front.ru
 ssdn@myrealbox.com               smtp.myrealbox.com

Found In-The-Wild

This worm variant found in-the-wild on November 24, 2001 has the following
options:

It installs itself to a Windows system directory with the KERNEL32.EXE name, and
registers it in the following registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
Kernel32 = kernel32.exe

It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system
directory with the CP_25389.NLS name.