I-Worm.BadtransI
Details
I-Worm.BadtransII
This is a worm that spreads under Win32 systems. The virus sends e-mail messages with infected files attached, as well as installs a spying Trojan component to steal information from infected systems. The worm was discovered in-the-wild in November 2001.
The worm itself is a Win32 executable file (PE EXE file). It was found in-the-wild in compressed form, and is about 29Kb in size. Upon being decompressed, the worm file length becomes about 60Kb in size.
The worm consists of two main components, the Worm and Trojan. The “Worm” component sends infected messages, and the “Trojan” component sends out information (user’s info, RAS data, cached passwords, keyboard log) from infected computers to a specified e-mail address. It also keeps a “keylogger” program body in its code, and installs it into the system while infecting a new machine.
Infecting the system
When an infected file is run (when a user clicks on an attached file and activates it, or if the worm gains control through an IFRAME security breach), the worm code gains control. First of all, it drops (installs) its components to the system and registers in the system registry.
The installed Trojan file-name, the target directory and registry key are optional. They are stored in encrypted form in the Trojan file at the file end. A hacker may configure them before sending them to a victim’s machine, or before putting it on a Web site.
The worm also drops an additional keyboard hooker (Win32 DLL file) to the system, and then uses this to spy on text entered by a keyboard. The DLL file name is optional as well.
Other optional features are:
- the worm deletes original infected file when installation is complete
- the size of keyboard log file
Spreading
To send infected messages, the worm uses a direct connection to an SMTP server. A victim’s e-mail addresses are obtained in two different ways:
#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from here
#2. The worm, using MAPI functions, reads all e-mail from the incoming box, and obtains e-mail addresses from here.
Next, the worm sends infected messages. The message body contains HTML format, and uses an IFRAME breach to spawn an infected attachment on vulnerable machines.
The message fields are as follows:
From: - original sender, or fake address, randomly selected from:
” Anna”
“JUDY”
“Rita Tulliani”
“Tina”
“Kelly Andersen”
” Andy”
“Linda”
“Mon S”
“Joanna”
“JESSICA BENAVIDES”
” Administrator”
” Admin”
“Support”
“Monika Prado”
“Mary L. Adams”
” Anna”
“JUDY”
“Tina”
The original sender address is a bit modified: the “_” character is inserted before the e-mail address in there, for example:
“John K. Smith” “Vasja Pupkin” - original address
“John K. Smith” <_john123@yahoo.com> “Vasja Pupkin” <_vasyap@rambler.ru> - sent by worm
Subject: empty, or “Re:”, or “Re:” followed by original Subject from real Inbox messsage (see #2 above)
Body: empty
Attachment: randomly selected “filename + ext1 + ext2″ where:
“Filename”:
Pics (or PICS ) Card (or CARD)
images (or IMAGES) Me_nude (or ME_NUDE)
README Sorry_about_yesterday
New_Napster_Site info
news_doc (or NEWS_DOC) docs (or DOCS)
HAMSTER Humor (or HUMOR)
YOU_are_FAT! (or YOU_ARE_FAT!) fun (or FUN)
stuff SEARCHURL
SETUP S3MSONG
“ext1″: .DOC .ZIP .MP3
“ext2″: .scr, .pif
For example: “info.DOC.scr”
The worm doesn’t send infected messages twice to the same address. To do this, it stores all infected e-mails in the Windows system directory in a PROTOCOL.DLL file, and checks this file content before sending a new message.
Spying Trojan
This routine stores stolen information to a log file (with an optional name), and encrypts this information with a key (also optional). After a period of time, this information is sent to one of a number of randomly selected e-mail addresses. A list of these addresses appears below; the list contains 22 addresses and e-mail servers; and these messages are sent through (email + server):
ZVDOHYIK@yahoo.com mx2.mail.yahoo.com
udtzqccc@yahoo.com mx2.mail.yahoo.com
DTCELACB@yahoo.com mx2.mail.yahoo.com
I1MCH2TH@yahoo.com mx2.mail.yahoo.com
WPADJQ12@yahoo.com mx2.mail.yahoo.com
fjshd@rambler.ru mail5.rambler.ru
smr@eurosport.com mail.ifrance.com
bgnd2@canada.com mail.canada.com
muwripa@fairesuivre.com fs.cpio.com
rmxqpey@latemodels.com inbound.latemodels.com.criticalpath.net
eccles@ballsy.net inbound.ballsy.net.criticalpath.net
suck_my_prick@ijustgotfired.com mail.monkeybrains.net
suck_my_prick4@ukr.net mail.ukr.net
thisisno_fucking_good@usa.com usa-com.mr.outblaze.com
S_Mentis@mail-x-change.com mail-fwd.rapidsite.net
YJPFJTGZ@excite.com mta.excite.com
JGQZCD@excite.com mta.excite.com
XHZJ3@excite.com mta.excite.com
OZUNYLRL@excite.com mta.excite.com
tsnlqd@excite.com mta.excite.com
cxkawog@krovatka.net imap.front.ru
ssdn@myrealbox.com smtp.myrealbox.com
Found In-The-Wild
This worm variant found in-the-wild on November 24, 2001 has the following options:
It installs itself to a Windows system directory with the KERNEL32.EXE name, and registers it in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Kernel32 = kernel32.exe
It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system directory with the CP_25389.NLS name.
Related Posts