I-Worm.Badtrans.a
This is a worm that spreads on Win32 systems. It sends e-mail messages with infected attachments and installs a spying Trojan component that steals information from infected systems. The worm was found in the wild on April 12, 2001.
The worm itself is a Win32 executable (PE EXE) file. It was found in the wild in compressed form, about 13 KB in size; decompressed, the file grows to about 40 KB.
The worm has a multi-component structure: two different components are dropped to disk as separate files and run as stand-alone programs (the e-mail worm and the Trojan). The worm routine is the main component; it carries the Trojan program body in its code and installs it on each newly infected machine.
The worm component operates much like "I-Worm.ZippedFiles" (aka ExploreZip): using Windows MAPI functions, it gains access to the Inbox and "answers" every unread message. This routine has a bug that can cause a mail transport overload (see "Transport Bomb" below).
The Trojan component is a variant of already known password-stealing Trojans (see "Trojan.PSW.Hooker"). It sends information harvested from infected computers to this e-mail address:
ld8dl1@mailandnews.com
Infecting the system
When an infected file is run (that is, when a user opens the attachment and activates it), the worm code gains control and first drops (installs) its components.
The worm copies itself to the Windows directory as INETD.EXE and drops the Trojan component to the same directory as HKK32.EXE. The Trojan is then executed; it moves itself to the Windows system directory as KERN32.EXE and drops an additional library (a keylogger) named HKSDLL.DLL:
The worm creates two files in the Windows directory:
HKK32.EXE - Trojan component (executed immediately after being dropped)
INETD.EXE - worm copy
The Trojan, when run, moves itself to the Windows system directory and creates:
KERN32.EXE - Trojan component (second copy)
HKSDLL.DLL - Trojan library (keylogger)
CP_23421.NLS - Trojan data file (the Trojan stores its internal data there)
It then deletes the HKK32.EXE file from the Windows directory.
The worm then registers itself (the INETD.EXE file) in the system's auto-run locations. Under Win9x, it writes a "run=" command to the [windows] section of WIN.INI, for example:
[windows]
load=
run=C:\WINDOWS\INETD.EXE
Under WinNT/2000, a registry value is created instead:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
RUN = C:\WINDOWS\INETD.EXE
The Trojan registers itself in the registry RunOnce key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
kernel32 = kern32.exe
Because RunOnce entries are deleted once they have been executed, the Trojan rewrites this value on every start, so Windows keeps loading the Trojan file after each restart.
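The autostart locations above are the artifacts an analyst would check on a suspect Win9x/NT machine. The following Python is an added example, not code from the original analysis: it parses a WIN.INI [windows] section and a registry snapshot (both constructed here to mirror the entries described above) and reports entries whose program basename matches the worm's INETD.EXE or the Trojan's kern32.exe. On a real system you would read C:\WINDOWS\WIN.INI and export the two named keys; the comma separator for run= values is this example's assumption.

```python
"""Scan WIN.INI and a registry snapshot for Badtrans autostart entries (added example)."""
import configparser
import re

# Files the write-up says the worm and Trojan register for autostart.
BADTRANS_AUTOSTART_FILES = {"inetd.exe", "kern32.exe"}

# Registry keys named in the write-up (lower-cased for case-insensitive lookup).
# A value-name set restricts which values are inspected; None means every value.
WATCHED_KEYS = {
    r"hkcu\software\microsoft\windows nt\currentversion\windows": {"run", "load"},
    r"hklm\software\microsoft\windows\currentversion\runonce": None,
}

# Constructed sample input: an infected machine's WIN.INI as described above.
SAMPLE_WIN_INI = r"""
[windows]
load=
run=C:\WINDOWS\INETD.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample input: registry export of an infected NT/2000 machine.
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows": {
        "RUN": r"C:\WINDOWS\INETD.EXE", "load": ""},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce": {"kernel32": "kern32.exe"},
    # Legitimate Win9x entry in a key the write-up does not mention; not inspected.
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"},
}


def _programs(value):
    """Split a run=/load= style value into program paths.
    WIN.INI lists several programs separated by spaces; commas are tolerated
    here as well (assumption of this example)."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def _basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_win_ini(text):
    """Return [windows] run=/load= entries whose basename matches an indicator."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    hits = []
    if cp.has_section("windows"):
        for key in ("run", "load"):
            for prog in _programs(cp.get("windows", key, fallback="")):
                if _basename(prog) in BADTRANS_AUTOSTART_FILES:
                    hits.append(f"WIN.INI [windows] {key}={prog}")
    return hits


def scan_registry(snapshot):
    """Return 'key\\value = data' strings for watched keys pointing at an indicator."""
    hits = []
    for key, values in snapshot.items():
        lkey = key.lower()
        if lkey not in WATCHED_KEYS:
            continue
        watched_names = WATCHED_KEYS[lkey]
        for name, data in values.items():
            if watched_names is not None and name.lower() not in watched_names:
                continue
            if any(_basename(p) in BADTRANS_AUTOSTART_FILES for p in _programs(data)):
                hits.append(f"{key}\\{name} = {data}")
    return hits


if __name__ == "__main__":
    for hit in scan_win_ini(SAMPLE_WIN_INI) + scan_registry(SAMPLE_REGISTRY):
        print("SUSPICIOUS:", hit)
```

A hit in RunOnce is worth a second look even on its own: a legitimate installer's RunOnce entry disappears after one reboot, whereas the Trojan's entry is still there after every restart because it is rewritten each time the Trojan runs.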
To hide its activity until installation on the new machine is complete, the worm displays a fake error message and exits:
Install error
File data corrupt:
probably due to bad data transmission or bad disk access.
The worm does not send any messages from an infected machine on its first start; it does so only after the next Windows restart.
Spreading
The spreading routine is activated at the next Windows restart, when the worm copy is started from the INETD.EXE file (which runs automatically because it is referenced from the "run" entry in WIN.INI or the registry).
The worm registers itself as a hidden (service) process and lies dormant for about five minutes before activating its spreading routine.
While spreading, the worm uses Windows MAPI functions to open and read all unread messages and "answers" each of them with an infected message. The worm does not terminate: it stays active until Windows is restarted and sends an infected reply each time a new message arrives.
Each infected message has a body text and an attached file. The attachment name is selected at random from the following list:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
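Every name in the list ends in .scr or .pif, and most pair that with a harmless-looking inner extension (.ZIP, .TXT, .DOC, .AVI, .MP3). A mail gateway check for this pattern is the practical takeaway. The following Python is an added example, not code from the original write-up: it classifies attachment names by their final, executable extension and flags the double-extension masquerade. The list is the one given above; the extension sets are this example's own choice and would be tuned per site.

```python
"""Flag executable and double-extension attachments such as those Badtrans sends (added example)."""

# Windows executes these regardless of what an earlier "extension" suggests.
# Note that Explorer never shows .pif and .lnk, even with extension hiding off.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "lnk"}

# Extensions a user reads as a harmless document, archive or media file.
DECOY_EXTENSIONS = {"txt", "doc", "zip", "avi", "mp3", "jpg", "gif", "pdf", "htm", "html"}

# The attachment names listed in the write-up.
BADTRANS_ATTACHMENTS = [
    "Pics.ZIP.scr", "images.pif", "README.TXT.pif", "New_Napster_Site.DOC.scr",
    "news_doc.scr", "hamster.ZIP.scr", "YOU_are_FAT!.TXT.pif", "searchURL.scr",
    "SETUP.pif", "Card.pif", "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "s3msong.MP3.pif", "docs.scr", "Humor.TXT.pif", "fun.pif",
]


def classify_attachment(name):
    """Return (verdict, detail) for an attachment file name.

    Extensions are compared case-insensitively, as Windows treats them.
    Only the last two dot-separated parts are considered, so 'a.b.TXT.pif'
    is still recognised as a .TXT masquerade over a .pif executable."""
    parts = name.strip().lower().rsplit(".", 2)
    if len(parts) < 2:
        return ("allow", "no extension")
    final = parts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return ("allow", f".{final}")
    if len(parts) == 3 and parts[1] in DECOY_EXTENSIONS:
        return ("double-extension executable",
                f".{parts[1]} masquerade over .{final}")
    return ("executable", f".{final}")


def summarize(names):
    """Count verdicts over a list of attachment names."""
    counts = {}
    for name in names:
        verdict, _ = classify_attachment(name)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for name in BADTRANS_ATTACHMENTS:
        verdict, detail = classify_attachment(name)
        print(f"{name:32} {verdict:28} {detail}")
    print(summarize(BADTRANS_ATTACHMENTS))
```

Blocking on the final extension alone would already catch the whole list; the separate double-extension verdict is useful for alerting, because a .ZIP.scr or .TXT.pif name is almost never legitimate, whereas a bare .scr may occasionally be.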
The Subject field of the worm's messages is the same as that of the original message, with a "Re:" prefix.
The message body is built as a "reply" to the original message. For example, if the original message was sent by "John Smith" and has the following two lines:
message line1
message line2
then the worm will reply with the text:
'John Smith' wrote:
====
- message line1
- message line2
> Take a look to the attachment.
If a message has no body (empty message), the worm's "reply" has just one line:
> Take a look to the attachment.
Transport Bomb
The worm has a trick intended to avoid answering the same e-mail more than once and to avoid answering its own messages received from other infected machines: it appends two spaces to the end of the Subject line of every message it sends, and does not process (reply to) messages whose Subject ends that way.
This "two-spaces" marker works for messages the worm has already answered locally, so those are not replied to again. It does not work for messages received from other infected computers, because some (or most) e-mail servers simply strip trailing spaces from the Subject line, in line with the RFC 822 message format.
As a result, when an infected message arrives at an already infected machine, the worm immediately answers it and sends the reply back, and the two machines start a loop of infected messages that never ends.
Depending on the installed e-mail client, the worm may also fail to mark messages as "answered". It then answers all unread messages (genuine ones and its own) in an endless loop, and the number of sent and received messages climbs to several thousand within a minute.
The worm can therefore crash an e-mail server, which soon becomes unable to process the flood of messages.
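The reply format and the failed loop protection are easiest to see in a small model. The following Python is an added example, not code from the original analysis: it builds the worm's quoted "reply" exactly as described above, appends the two-space Subject marker, and passes messages through a mail server that either preserves or strips trailing whitespace in the Subject header. The hosts, addresses and the genuine message are constructed here; nothing is sent.

```python
"""Model of the Badtrans reply loop and its two-space Subject marker (added example)."""

MARKER = "  "                    # two trailing spaces the worm appends to every Subject it sends
ATTACHMENT = "README.TXT.pif"    # one of the attachment names from the write-up


def worm_reply(msg, host):
    """Return the worm's reply to msg sent from host, or None if the Subject
    already carries the marker (answered earlier, or sent by another worm copy)."""
    if msg["subject"].endswith(MARKER):
        return None
    quoted = msg["body"].splitlines()
    if quoted:
        lines = [f"'{msg['from']}' wrote:", "===="]
        lines += [f"- {line}" for line in quoted]
        lines.append("> Take a look to the attachment.")
        body = "\n".join(lines)
    else:
        body = "> Take a look to the attachment."
    return {
        "from": host,
        "to": msg["from"],
        "subject": "Re: " + msg["subject"] + MARKER,
        "body": body,
        "attachment": ATTACHMENT,
    }


def deliver(msg, server_strips_trailing_whitespace):
    """Model the mail server. Many servers normalize header fields by dropping
    trailing whitespace, which silently destroys the worm's marker."""
    out = dict(msg)
    if server_strips_trailing_whitespace:
        out["subject"] = out["subject"].rstrip()
    return out


def simulate(max_worm_messages, server_strips_trailing_whitespace):
    """Two infected hosts, A and B. A user on A sends one genuine message to B.
    Return the number of worm messages sent before the exchange stops or the cap is hit."""
    inbox = {"A": [], "B": []}
    genuine = {"from": "A", "to": "B", "subject": "lunch?",
               "body": "message line1\nmessage line2"}
    inbox["B"].append(deliver(genuine, server_strips_trailing_whitespace))
    sent = 0
    while True:
        progressed = False
        for host in ("A", "B"):
            unread, inbox[host] = inbox[host], []
            for msg in unread:
                reply = worm_reply(msg, host)
                if reply is None:
                    continue
                inbox[reply["to"]].append(deliver(reply, server_strips_trailing_whitespace))
                sent += 1
                progressed = True
                if sent >= max_worm_messages:
                    return sent
        if not progressed:
            return sent


if __name__ == "__main__":
    print("marker preserved:", simulate(1000, server_strips_trailing_whitespace=False), "worm message(s)")
    print("marker stripped: ", simulate(1000, server_strips_trailing_whitespace=True), "worm message(s) (cap)")
```

With the marker preserved the exchange ends after a single worm reply; once the server strips trailing whitespace, every reply looks like fresh unread mail to the other infected host and the count only stops at the cap. The model also shows why the marker was fragile by design: the worm's state lives in a header field it does not control end to end, rather than in a local record of messages it has already answered.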
Copyright © 2006 i-worm.badtrans.