[EVA] Viral infection - Not Iroul though
Ebj
ebj.nerv at flashnet.it
Sun Dec 16 13:30:31 EST 2001
> Those are the same two people who also sent me messages, and since it has
> happened to at least two (and probably more) ML members, it is not exactly OT.
> Obviously the mail server of my ISP did not clean the mails, but I have done a
> check and believe I was not infected.
> I wonder if this is the "worm" virus that is going around the web...
I suppose that giving a couple of useful details on this wouldn't hurt.
I-Worm.BadtransII is a worm virus, that is, a virus whose action consists in,
but is not limited to, spreading through networks of computers.
It affects Win32 systems as an attachment to email messages. It also has a
secondary component, a Trojan (a hidden program), that steals confidential info
from infected systems. Variant II was discovered in Nov. 2001 and is "in the
wild", that is, very widespread.
The worm consists of a 29KB long file, compressed with the UPX program. Once
unpacked, it is 60KB long.
The worm part of the virus spreads infected emails using a direct connection
(and not an existing client); the Trojan sends to a specific email address the
information it finds on the infected host (user info, RSA data, keypress logs,
cached passwords). The Trojan also installs a keypress catcher on the system.
You can get INFECTED in two ways:
1.You click with the mouse on an infected attachment
2.If your system is IFRAME vulnerable, the "preview" function on the Outlook
Express client will activate the virus.
Here are some useful addresses for information and prevention.
Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to
Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Patch to eliminate vulnerability:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
Variant II will also replace KERNEL32.EXE with the virus body itself, and will
install KDLL.DLL (keypress catcher and sender) in the Windows system folder.
Removing these two files results in disinfection of the system.
[excerpt from the Badtrans analysis by Paolo Monti on www.avp.it, translated by
me]
_______________________________________________________________
| IMMANO.ORG \______________________________________________|
----------------| <= => AV @ # ? ! % & // more... |
| E=|__desc__________________________title&whatnot_|
| i | |
| ç | @ + immano at immano.org |
| * / + immano.org at flashnet.it |
\ @ § -> / ------------------------------------- |
\-----------/ : http://immano.port5.com |
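As an added example (not from the original post, and not from Paolo Monti's analysis), the Python script below does the two checks a list member might want after reading the above: it scans a raw message for an executable part declared under a harmless MIME type and pulled into the HTML body through an IFRAME with a cid: reference (the pattern that made the Outlook Express preview pane run the attachment on an unpatched MS01-020 system), and it looks in a given directory for the two file names the excerpt gives as disinfection targets. The sample messages, the attachment names and Content-IDs, and the lists of media types and extensions are constructed for this example and are assumptions, not data from the post.

```python
"""Triage for Badtrans.B-style mail and the host artifacts named in the post.

Added example; the heuristics and samples are constructed, not taken from the
original analysis.
"""
import email
import os
import re
import tempfile
from email import policy

# Extensions Windows runs when the part is handed to the shell (assumed list).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat"}

# <iframe src="cid:...">: the HTML body referencing an attached part by Content-ID.
IFRAME_CID_RE = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:([^\"'\s>]+)", re.IGNORECASE)

# File names the post says the worm drops in the Windows system folder.
BADTRANS_ARTIFACTS = ("KERNEL32.EXE", "KDLL.DLL")


def scan_message(raw: bytes) -> dict:
    """Return {'verdict': ..., 'findings': [...]} for one raw RFC 822 message.

    'suspicious': an executable-named part is declared as a non-application
    media type (the MS01-020 "incorrect MIME header" shape).
    'malicious':  in addition, the HTML body IFRAMEs that very part via cid:,
    so merely previewing the mail would launch it on a vulnerable client.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, iframe_cids, suspect_parts = [], set(), []

    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            for m in IFRAME_CID_RE.finditer(part.get_content()):
                iframe_cids.add(m.group(1).strip("<>"))
        filename = part.get_filename()  # Content-Disposition filename or Content-Type name=
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTS and not ctype.startswith("application/"):
            findings.append(f"part '{filename}' declared as {ctype} but has executable extension {ext}")
            suspect_parts.append((filename, (part.get("Content-ID") or "").strip("<>")))

    auto_run = [fn for fn, cid in suspect_parts if cid and cid in iframe_cids]
    for fn in auto_run:
        findings.append(f"HTML body IFRAME references executable part '{fn}' by cid: (preview auto-run)")

    verdict = "malicious" if auto_run else "suspicious" if suspect_parts else "clean"
    return {"verdict": verdict, "findings": findings}


def find_badtrans_artifacts(system_dir: str) -> list:
    """Return which of the dropped file names exist in system_dir (case-insensitive).

    The legitimate kernel is KERNEL32.DLL, so a KERNEL32.EXE here is anomalous.
    """
    present = {name.lower() for name in os.listdir(system_dir)}
    return [a for a in BADTRANS_ARTIFACTS if a.lower() in present]


def demo_artifact_check() -> list:
    """Build a throwaway 'system folder' with one dropped file and check it."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "kdll.dll"), "wb").close()
        return find_badtrans_artifacts(d)


# Constructed sample: executable part labelled audio/x-wav and IFRAMEd from the body.
SAMPLE_WORM = b"""From: someone@example.com
To: victim@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="iso-8859-1"

<html><body><iframe src="cid:part1@example" height=0 width=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="Card.pif"
Content-Transfer-Encoding: base64
Content-ID: <part1@example>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign sample: inline image referenced by cid from the body.
SAMPLE_BENIGN = b"""From: newsletter@example.com
To: reader@example.com
Subject: Monthly update
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html; charset="iso-8859-1"

<html><body><img src="cid:logo@example"><p>Hello</p></body></html>
--b2
Content-Type: image/gif; name="logo.gif"
Content-Transfer-Encoding: base64
Content-ID: <logo@example>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, scan_message(raw))
    print("artifacts in demo dir:", demo_artifact_check())
```

The media-type mismatch alone only says the sender (or a mail gateway) labelled an executable oddly; the IFRAME-to-cid link is what turns it into the preview-pane auto-run case, so the script grades the two separately. On a real host the second function would be pointed at the Windows system folder rather than the temporary directory the demo builds.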
More information about the oldeva mailing list