Trojan.Win16.BadSector

Class Trojan
Platform Win16
Description

Technical Details


This Trojan was sent to several Internet newsgroups in August 1998. The Trojan itself is a 25 KB Windows executable file in NE (16-bit New Executable) format,
written in Pascal. It accesses the network and sends randomly composed e-mail
messages to the Internet.


When run for the first time, the Trojan only installs itself in the system.
It copies itself to the Windows system directory under the name SHELL32.EXE
and registers that copy in the system Registry, in the HKEY_LOCAL_MACHINE section:


SOFTWARE\Microsoft\Windows\CurrentVersion\Run shell32.exe

The Trojan then terminates with no further side effects. On the next reboot, the
Trojan stays resident in Windows memory as a hidden task; it sleeps and periodically
calls the Windows Sockets API to open a TCP/IP stream socket for
sending messages.


The messages have randomly selected addresses, subjects and bodies. The “Mail
From” address is randomly constructed from the following parts:


  • prodigy compuserve kurva putka gerry tetra europe amstel usa
    bulgaria badsector hacker omega vali-pedali eunet digsys
  • main vt linux aix unix mail www host abc server veliko-tar
  • com edu org mil gov net bg tr gr uk ca ro jp

The “RCPT To” address is randomly selected from the following variants:

gerry@tetra.bg
administrator@tetra.bg
tetranet@tetra.bg
root@vt.bitex.com
peterc@vt.bitex.com
ivanp@vt.bitex.com
root@tarnovo.eunet.bg
master@tarnovo.eunet.bg
webmaster@tarnovo.eunet.bg
root@server.vt.bia-bg.com
webmaster@mail.vt.bia-bg.com
webmaster@tetra.bg

The subject is randomly selected from the following variants:

Ha-ha-ha
Bad Sector wi razkaza igrata :))
Greetings from Bad Sector ! Po-zdrawi
Vleze li wi sega?
Re
Hi, kak e?
Ko staa, ima problemi li
Bad Sector
Kogato grum udari…
etc.

The sentences of the message body are randomly assembled from a large set of
verbs, words and sentence fragments; some of them are rude, and most are
in Bulgarian. There is no reason to list them all here.
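As an added example (not part of the original description and not the vendor's detection code), the following Python turns the indicator lists above into a matcher and runs it over a few constructed mail-relay log lines. Two things are assumptions of this example rather than statements from the page: that the three sender-part lists combine as user@host.tld, and the log line format itself, which is made up for the sample.

```python
import re

# Word lists copied from the description above. Assumption (not stated
# explicitly on the page): the three bullets map to <user>@<host>.<tld>.
USER_PARTS = ["prodigy", "compuserve", "kurva", "putka", "gerry", "tetra",
              "europe", "amstel", "usa", "bulgaria", "badsector", "hacker",
              "omega", "vali-pedali", "eunet", "digsys"]
HOST_PARTS = ["main", "vt", "linux", "aix", "unix", "mail", "www", "host",
              "abc", "server", "veliko-tar"]
TLD_PARTS = ["com", "edu", "org", "mil", "gov", "net", "bg", "tr", "gr",
             "uk", "ca", "ro", "jp"]

# Fixed "RCPT To" variants and the listed subjects (the page marks the
# subject list as partial, so a subject miss proves nothing).
RCPT_TO = {
    "gerry@tetra.bg", "administrator@tetra.bg", "tetranet@tetra.bg",
    "root@vt.bitex.com", "peterc@vt.bitex.com", "ivanp@vt.bitex.com",
    "root@tarnovo.eunet.bg", "master@tarnovo.eunet.bg",
    "webmaster@tarnovo.eunet.bg", "root@server.vt.bia-bg.com",
    "webmaster@mail.vt.bia-bg.com", "webmaster@tetra.bg",
}
SUBJECTS = {
    "Ha-ha-ha", "Bad Sector wi razkaza igrata :))",
    "Greetings from Bad Sector ! Po-zdrawi", "Vleze li wi sega?", "Re",
    "Hi, kak e?", "Ko staa, ima problemi li", "Bad Sector",
    "Kogato grum udari…",
}


def _alt(parts):
    """Build a regex alternation from a word list, escaping the hyphens."""
    return "|".join(re.escape(p) for p in parts)


# Anchored on both ends so that extra labels ("hacker@linux.example.bg") do not match.
SENDER_RE = re.compile(
    r"^(?:%s)@(?:%s)\.(?:%s)$" % (_alt(USER_PARTS), _alt(HOST_PARTS), _alt(TLD_PARTS)),
    re.IGNORECASE,
)


def is_badsector_sender(addr):
    return bool(SENDER_RE.match(addr.strip()))


def is_badsector_recipient(addr):
    return addr.strip().lower() in RCPT_TO


def is_badsector_subject(subject):
    return subject.strip() in SUBJECTS


def classify_envelope(mail_from, rcpt_to, subject=None):
    """Return the names of the indicators one SMTP envelope matches."""
    hits = []
    if is_badsector_sender(mail_from):
        hits.append("sender-pattern")
    if is_badsector_recipient(rcpt_to):
        hits.append("recipient-list")
    if subject is not None and is_badsector_subject(subject):
        hits.append("subject-list")
    return hits


def is_strong_match(hits):
    """A subject such as "Re" is ordinary legitimate traffic; only the sender
    pattern or the recipient list identifies this Trojan on its own."""
    return "sender-pattern" in hits or "recipient-list" in hits


# Constructed relay-log format for this example (hypothetical, not any real
# MTA's log syntax): from=<...> to=<...> subject="..."
LOG_LINE_RE = re.compile(r'from=<([^>]*)> to=<([^>]*)>(?: subject="([^"]*)")?')


def scan_log(text):
    """Parse log lines and return those matching at least one indicator."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        hits = classify_envelope(m.group(1), m.group(2), m.group(3))
        if hits:
            findings.append({"line": number, "from": m.group(1),
                             "to": m.group(2), "hits": hits,
                             "strong": is_strong_match(hits)})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1998-08-12 10:01:03 relay1 from=<hacker@linux.bg> to=<root@vt.bitex.com> subject="Vleze li wi sega?"
1998-08-12 10:02:41 relay1 from=<alice@example.com> to=<bob@example.org> subject="Re"
1998-08-12 10:03:17 relay1 from=<badsector@www.gov> to=<someone@example.net> subject="Quarterly report"
1998-08-12 10:04:55 relay1 from=<carol@example.com> to=<dave@example.org> subject="Lunch?"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The sender regex is the useful part: because the Trojan draws each address component from a short closed list, the whole sender space is a few thousand addresses and can be matched exactly, whereas the subject list is both partial and full of strings ("Re") that legitimate mail uses, which is why `is_strong_match` ignores a subject-only hit.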