Virus Database


I-Worm.Badtrans.a

Description I-Worm.Badtrans.a

This is a worm spreading under Win32 systems. It sends e-mail messages with an infected attached file and installs a spying Trojan component that steals information from infected systems. The worm was discovered in-the-wild on April 12 2001.
The worm itself is a Win32 executable file (PE EXE file). The in-the-wild sample is compressed and about 13 KB long; decompressed, the worm file grows to about 40 KB.
The virus has a multi-component structure. It consists of two different components that are dropped on a disk as different files, and are run as stand-alone programs (e-mail Worm and Trojan). The "Worm" routine is the main component, keeping a "Trojan" program body in its code, and installs it into the system while infecting a new machine.
The "Worm" component operates similarly to the "I-Worm.ZippedFiles" (aka ExploreZip) worm: using Windows MAPI functions, it gains access to the Inbox and "answers" all unread messages. This routine has a bug and may cause a transport overload (see below).
The "Trojan" component is a variant of the already known "password-stealing" Trojans (see "Trojan.PSW.Hooker"). It sends information from infected computers to this e-mail address:
ld8dl1@mailandnews.com
Infecting the system
When an infected file is run (when a user clicks on an attached file and activates it), the worm code gains control. First of all, it drops (installs) its components to the system.
The worm copies itself to the Windows directory under the INETD.EXE name and drops the Trojan component into the Windows directory as well, under the HKK32.EXE name. The Trojan component is then executed; it moves itself to the Windows system directory under the KERN32.EXE name and drops an additional library (a key logger) under the HKSDLL.DLL name:
The worm creates two files in the Windows directory:
HKK32.EXE - Trojan component (it is executed then)
INETD.EXE - worm copy
The Trojan, when run, moves itself to the Windows system directory:
KERN32.EXE - Trojan component (second copy)
HKSDLL.DLL - Trojan library (keylogger)
CP_23421.NLS - Trojan data file (the Trojan stores its internal data in there.)
and deletes the HKK32.EXE file in the Windows directory.
The worm then registers its INETD.EXE copy in the system auto-run locations. Under Win9x it writes a "run=" command to the [windows] section of WIN.INI, for example:
[windows]
load=
run=C:\WINDOWS\INETD.EXE
Under WinNT/2000 it creates a registry value instead:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Run = C:\WINDOWS\INETD.EXE
The Trojan registers itself under the RunOnce registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
kernel32 = kern32.exe
Because Windows deletes RunOnce values after using them, the Trojan rewrites this value on each start, so that it is loaded again at every Windows restart.
To hide its activity until installation into a new machine is complete, the worm displays a fake message and exits:

Install error
File data corrupt:
probably due to bad data transmission or bad disk access.
The worm does not send any messages from the infected machine during this first run; it starts doing so only after the next Windows restart.
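A host-side triage check for the installation footprint described above, as an added example (it is not the worm's code and not part of the original description). It parses a WIN.INI text and a .reg-style registry export, both constructed inline here to stand in for files taken from a suspect machine, and reports the dropped file names and the auto-start entries listed above. The function and variable names are this example's own.

```python
"""Host-side triage for the Badtrans.a installation footprint described above.

Added example, not the worm's code.  The WIN.INI text and the .reg-style
registry export below are constructed to mimic an infected Win9x / WinNT
host; on a real case they would be read from the machine under review.
"""
from pathlib import PureWindowsPath

# File names the description attributes to the worm and to its Trojan.
WORM_FILES = {"INETD.EXE"}
TROJAN_FILES = {"HKK32.EXE", "KERN32.EXE", "HKSDLL.DLL", "CP_23421.NLS"}
SUSPECT_FILES = WORM_FILES | TROJAN_FILES

# Constructed sample input: a WIN.INI carrying the worm's "run=" entry.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\INETD.EXE
[Desktop]
Wallpaper=(None)
"""

# Constructed sample input: a registry export with both auto-start values.
# (.reg files double every backslash inside string data.)
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"kernel32"="kern32.exe"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"Run"="C:\\\\WINDOWS\\\\INETD.EXE"
"""


def parse_ini(text):
    """Minimal WIN.INI parser: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name.strip().strip('"')] = data
    return keys


def file_name_of(command):
    """Upper-cased base name of a command string such as C:\\WINDOWS\\INETD.EXE."""
    return PureWindowsPath(command.strip().strip('"')).name.upper()


def find_autostart_iocs(win_ini_text, reg_text):
    """Return the auto-start entries that point at one of the dropped files."""
    findings = []
    ini = parse_ini(win_ini_text)
    for key in ("run", "load"):
        value = ini.get("windows", {}).get(key, "")
        if value and file_name_of(value) in SUSPECT_FILES:
            findings.append(f"WIN.INI [windows] {key}={value}")
    for key_path, values in parse_reg(reg_text).items():
        for name, data in values.items():
            if data and file_name_of(data) in SUSPECT_FILES:
                findings.append(f"{key_path}\\{name} = {data}")
    return findings


def find_dropped_files(windows_dir, system_dir):
    """Names from the two directory listings that match the dropped-file set."""
    present = {n.upper() for n in windows_dir} | {n.upper() for n in system_dir}
    return sorted(present & SUSPECT_FILES)


if __name__ == "__main__":
    # Constructed directory listings for a host that has completed the install.
    listing_windows = ["WIN.INI", "INETD.EXE", "NOTEPAD.EXE"]
    listing_system = ["KERNEL32.DLL", "KERN32.EXE", "HKSDLL.DLL", "CP_23421.NLS"]
    for hit in find_dropped_files(listing_windows, listing_system):
        print("dropped file:", hit)
    for hit in find_autostart_iocs(SAMPLE_WIN_INI, SAMPLE_REG):
        print("auto-start:", hit)
```

On a live Win9x host the `[windows] run=` and `load=` lines are almost always empty, so any non-empty value deserves a look even when its file name is not in the list; the registry `Run` value under the `Windows NT\CurrentVersion\Windows` key is equally rare in normal use.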
Spreading
The spreading routine is activated upon the next Windows restart, when the worm copy is started from the INETD.EXE file (this file runs automatically because it is referenced from the "run" entry in WIN.INI or from the system registry).
The worm registers itself as a hidden (service) process, and lies dormant for about 5 minutes before activating its spreading routine.
While spreading, the worm uses the Windows MAPI functions to open and read all unread messages and "answers" each of them with an infected message. The worm does not terminate: it stays active until Windows is restarted and sends an infected reply each time a new message arrives.
The infected message has a text and attached file. The attached file name is randomly selected from the following variants:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
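A mail-gateway check for the attachment names above, as an added example (not part of the original description). It parses a MIME message with Python's standard `email` package and flags attachments whose names match the worm's list or follow its double-extension pattern, a document-like inner extension hiding a .pif or .scr executable. The sample message is constructed here, and the function names are this example's own.

```python
"""Mail-gateway check for the attachment names used by Badtrans.a.

Added example, not part of the original description.  It parses a MIME
message with Python's standard email package and flags attachments whose
names match the worm's list or follow its double-extension pattern.  The
sample message built below is constructed, not a capture.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment names listed in the description (compared case-insensitively).
BADTRANS_NAMES = {n.lower() for n in [
    "Pics.ZIP.scr", "images.pif", "README.TXT.pif", "New_Napster_Site.DOC.scr",
    "news_doc.scr", "hamster.ZIP.scr", "YOU_are_FAT!.TXT.pif", "searchURL.scr",
    "SETUP.pif", "Card.pif", "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "s3msong.MP3.pif", "docs.scr", "Humor.TXT.pif", "fun.pif",
]}
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat"}
DECOY_EXTS = {"zip", "txt", "doc", "avi", "mp3"}  # inner extensions the worm uses


def classify_attachment(name):
    """None if harmless-looking, else 'badtrans-name', 'double-extension' or 'executable'."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if name.lower() in BADTRANS_NAMES:
        return "badtrans-name"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def suspicious_attachments(raw_message):
    """Parse a raw RFC 822 message (bytes) and return [(filename, verdict), ...]."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_attachment(name)
        if verdict is not None:
            hits.append((name, verdict))
    return hits


def build_sample(subject, attachment_name):
    """Constructed message in the shape the description gives (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "infected-host@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("'John Smith' wrote:\n====\n- message line1\n\n> Take a look to the attachment.\n")
    # The payload is placeholder bytes, not the worm.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Me_nude.AVI.pif", "report.DOC.scr", "photo.jpg"):
        print(name, "->", suspicious_attachments(build_sample("Re: hello", name)))
```

The name list only catches this variant; the `double-extension` and `executable` verdicts are the durable part of the check, because .pif and .scr files are executables whatever the name in front of them says.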
The Subject field of the worm messages is the original Subject with a "Re:" prefix.
The message body is formatted as a reply to the original message. For example, if the original message was sent by "John Smith" and has the following two lines:
message line1
message line2
then the worm will reply with the text:
'John Smith' wrote:
====
- message line1
- message line2

> Take a look to the attachment.
If a message has no body (empty message), the worm's "reply" has just one line:
> Take a look to the attachment.
Transport Bomb
The worm uses a marker to avoid answering the same e-mail two or more times and to avoid answering its own messages received from other infected machines: it appends two spaces to the end of the Subject line and does not process (reply to) messages whose Subject ends that way.
This "two-spaces" protection works for messages that were already answered locally, and the worm does not reply to them again. It does not work for messages received from other infected computers, because many (probably most) e-mail servers strip trailing spaces from the Subject line when handling RFC 822 headers, so the marker never reaches the recipient.
As a result, when an infected message arrives at an already infected machine it is immediately answered and sent back, and the two machines start a loop that exchanges an endless number of infected messages.
Depending on the installed e-mail client, the worm may also fail to mark messages as answered. It then answers all unread messages ("true" ones and its own) in an endless loop, and the number of sent and received messages grows to several thousand within a minute.
Such traffic can bring down an e-mail server, which soon becomes unable to process all of these messages.
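A model of the reply logic and of the resulting transport bomb, as an added example that is not the worm's code. It reproduces the reply format and the two-trailing-spaces Subject marker exactly as the description states them, then runs two infected hosts against each other with a mail server that either keeps or strips trailing whitespace from the Subject header, with and without the local "answered" mark. The host names, the `Message` class and the function names are this example's own.

```python
"""Model of the Badtrans.a reply logic and of the "transport bomb" it causes.

Added example, not the worm's code.  It reproduces the reply format and the
two-trailing-spaces Subject marker as the description states them, and it
models a mail server that strips trailing whitespace from the Subject header
(the behaviour the description blames for the loop).
"""
from dataclasses import dataclass

MARK = "  "  # two spaces appended to Subject to mean "already answered"
ATTACHMENT = "README.TXT.pif"  # one of the names from the worm's list


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachment: str = ""


def reply_body(sender_name, original_body):
    """Body of the worm's reply, in the format quoted in the description."""
    if not original_body.strip():
        return "> Take a look to the attachment."
    quoted = "\n".join(f"- {line}" for line in original_body.splitlines())
    return f"'{sender_name}' wrote:\n====\n{quoted}\n\n> Take a look to the attachment."


def already_answered(subject):
    return subject.endswith(MARK)


def worm_pass(inbox, host, mark_locally=True):
    """One pass of the worm over a host's unread messages; returns the outgoing replies."""
    outgoing = []
    for msg in inbox:
        if already_answered(msg.subject):
            continue
        outgoing.append(Message(host, "Re: " + msg.subject + MARK,
                                reply_body(msg.sender, msg.body), ATTACHMENT))
        if mark_locally:
            msg.subject += MARK  # mark the local copy as answered
    return outgoing


def deliver(msg, server_strips_spaces):
    """Transport step: many servers drop trailing whitespace from Subject."""
    subject = msg.subject.rstrip() if server_strips_spaces else msg.subject
    return Message(msg.sender, subject, msg.body, msg.attachment)


def simulate(rounds, server_strips_spaces, mark_locally=True):
    """Two infected hosts, A and B; returns the total number of messages sent."""
    # Constructed starting state: one legitimate unread mail from B sitting on A.
    inboxes = {"A": [Message("B", "hello", "message line1\nmessage line2")], "B": []}
    sent = 0
    for _ in range(rounds):
        batches = {h: worm_pass(inbox, h, mark_locally) for h, inbox in inboxes.items()}
        for host, replies in batches.items():
            peer = "B" if host == "A" else "A"
            for reply in replies:
                inboxes[peer].append(deliver(reply, server_strips_spaces))
                sent += 1
    return sent


if __name__ == "__main__":
    print(reply_body("John Smith", "message line1\nmessage line2"))
    print("marker kept in transit :", simulate(10, server_strips_spaces=False))
    print("marker stripped        :", simulate(10, server_strips_spaces=True))
    print("stripped, no local mark:", simulate(10, True, mark_locally=False))
```

With the marker preserved in transit the exchange stops after one message; with the marker stripped the two hosts ping-pong one message per round forever; and when the local "answered" mark also fails, every host re-answers its whole inbox each round and the traffic doubles per round, which is the "several thousand within a minute" behaviour the description reports.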


Sahan.896

Description Sahan.896

This is a non-dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are accessed. The virus contains the text strings:
Clever boy !, you found me.I hate silly people.I'm Nice Fox
1.8e.Sahand-Tabriz University of Technology.

Sailor family

Description Sailor family

These are memory resident parasitic viruses. They hook INT 21h and write themselves to the end of executable files:
"Sailor.785": EXE files on execution
"Sailor.834": COM files on execution
"Sailor.1108": COM and EXE files on execution, on renaming, and on the Get/Set File Attributes DOS call

The viruses contain the text strings:
"Sailor.785": Sailor.Venus -b0z0/iKx-
"Sailor.834": Sailor.Mercury -b0z0/iKx-
ANTI-VIR.DAT CHKLIST.MS
"Sailor.1108": Sailor.Mars -b0z0/iKx-
TBAVF-VISCITIVFINACO

"Sailor.785" is polymorphic and does not manifest itself in any way.
"Sailor.834" deletes the files ANTI-VIR.DAT and CHKLIST.MS. When a file matching *VP.* (AVP), *RO.* (AVPRO) or *OT.* (F-PROT) is executed, the virus disables its infection routine.
"Sailor.1108" encrypts itself in a fairly complex way: while infecting a file it writes itself backward byte by byte, except for the INT xx opcodes (CD xx). This routine has a bug, and in some cases the virus encrypts files incorrectly, so that they halt the system when executed. This virus does not infect several anti-virus programs (TBAV, AVP, F-PROT; see the string above) or the COMMAND.COM file.
Sailor.Neptune.938
It is a harmless memory resident encrypted parasitic virus. It hooks INT 21h and infects COM files that are executed. While infecting a file, the virus reads a block of the file's data, encrypts it and saves it at the end of the file, then writes itself into the middle of the file in place of that block. The virus does not manifest itself in any way; it contains the text strings:
Sailor_Neptune
-b0z0/iKx-

Sailor.Pluto.3673
It is a dangerous memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus has bugs and infected files may halt the computer. The virus checks the file names and does not infect several anti-viruses and COMMAND.COM according to the string (two letters per name - TBAV, AVP, F-PROT and so on):
TBAVF-SCMSFINACO

The virus contains the text strings:
Sailor_Pluto
-b0z0/iKx-
PADANIA - 1997
Chaos is the future and beyond it is Freedom
[SMPE 0.2]

Sailor.Saturn.4553
It is a dangerous memory resident polymorphic parasitic virus. It uses a quite complex polymorphic engine; the polymorphic decryption code may exceed 6K in size.
The virus hooks INT 21h and writes itself to the end of EXE files that are executed or accessed by the FindFile DOS functions. It does not infect files on floppy disks, nor files with digits in their names. If archivers and other utilities (PKZIP, LHA, ARJ, XCOPY, BACKUP) are started, the virus disables some of its routines. When the AVP/AVPLITE anti-virus programs are started, the virus adds command line options that disable memory scanning and heuristic analysis; it does the same for the TBAV anti-virus.
On September 14th the virus writes Trojan code to the MBR of the hard disk. That code displays a picture, waits for the keyboard input "Free Padania", and then continues booting the computer.
The virus contains the text string:
Sailor_Saturn -b0z0/iKx- Free Padania [SMPE 0.3]

Copyright © 2005 Virus-Database.com