Kaspersky Threats — BadSector

Class

Platform

Description

Technical Details

This Trojan was sent to several Internet newsgroups in August 1998. The Trojan itself is a 25Kb Windows executable file (NE format)
written in Pascal. It accesses the network and sends random messages to the
Internet.

When run for the first time, the Trojan just installs itself in the system.
It copies itself to the Windows system directory with the SHELL32.EXE name
and registers in the system Registry in HKEY_LOCAL_MACHINE section:



SOFTWAREMicrosoftWindowsCurrentVersionRun shell32.exe

The Trojan then terminates with no side effects. On the next rebooting, the
Trojan stays in Windows memory as a hidden task, sleeps and periodically
initiates Windows Socket APIs and opens a stream socket with TCP/IP protocol for
sending messages.

The messages have randomly selected addresses, subject and data. The “Mail
From” address is randomly constructed from the following parts:

prodigy compuserve kurva putka gerry tetra europe amstel usa
bulgaria badsector hacker omega vali-pedali eunet digsys
main vt linux aix unix mail www host abc server veliko-tar
com edu org mil gov net bg tr gr uk ca ro jp

The “RCPT To” address is randomly selected from the following variants:



gerry@tetra.bg

administrator@tetra.bg

tetranet@tetra.bg

root@vt.bitex.com

peterc@vt.bitex.com

ivanp@vt.bitex.com

root@tarnovo.eunet.bg

master@tarnovo.eunet.bg

webmaster@tarnovo.eunet.bg

root@server.vt.bia-bg.com

webmaster@mail.vt.bia-bg.com

webmaster@tetra.bg

The subject is randomly selected from the following variants:



Ha-ha-ha

Bad Sector wi razkaza igrata :))

Greetings from Bad Sector ! Po-zdrawi

Vleze li wi sega?

Re

Hi, kak e?

Ko staa, ima problemi li

Bad Sector

Kogato grum udari…

etc.

The sentences of the message body are randomly constructed from a large set of
verbs, words and sub-sentences, partly they are rude ones, mostly they are
in Bulgarian. There is no reason to list them all here.

Find out the statistics of the threats spreading in your region

Class	Trojan
Platform	Win16
Description	Technical Details This Trojan was sent to several Internet newsgroups in August 1998. The Trojan itself is a 25Kb Windows executable file (NE format) written in Pascal. It accesses the network and sends random messages to the Internet. When run for the first time, the Trojan just installs itself in the system. It copies itself to the Windows system directory with the SHELL32.EXE name and registers in the system Registry in HKEY_LOCAL_MACHINE section: SOFTWAREMicrosoftWindowsCurrentVersionRun shell32.exe The Trojan then terminates with no side effects. On the next rebooting, the Trojan stays in Windows memory as a hidden task, sleeps and periodically initiates Windows Socket APIs and opens a stream socket with TCP/IP protocol for sending messages. The messages have randomly selected addresses, subject and data. The “Mail From” address is randomly constructed from the following parts: prodigy compuserve kurva putka gerry tetra europe amstel usa bulgaria badsector hacker omega vali-pedali eunet digsys main vt linux aix unix mail www host abc server veliko-tar com edu org mil gov net bg tr gr uk ca ro jp The “RCPT To” address is randomly selected from the following variants: gerry@tetra.bg administrator@tetra.bg tetranet@tetra.bg root@vt.bitex.com peterc@vt.bitex.com ivanp@vt.bitex.com root@tarnovo.eunet.bg master@tarnovo.eunet.bg webmaster@tarnovo.eunet.bg root@server.vt.bia-bg.com webmaster@mail.vt.bia-bg.com webmaster@tetra.bg The subject is randomly selected from the following variants: Ha-ha-ha Bad Sector wi razkaza igrata :)) Greetings from Bad Sector ! Po-zdrawi Vleze li wi sega? Re Hi, kak e? Ko staa, ima problemi li Bad Sector Kogato grum udari… etc. The sentences of the message body are randomly constructed from a large set of verbs, words and sub-sentences, partly they are rude ones, mostly they are in Bulgarian. There is no reason to list them all here.
	Find out the statistics of the threats spreading in your region

Trojan.Win16.BadSector

Technical Details