Virus Database


I-Worm.BadtransII

Description I-Worm.BadtransII

This is a worm that spreads under Win32 systems. The worm sends e-mail messages with infected files attached and installs a spying Trojan component that steals information from infected systems. The worm was discovered in the wild in November 2001.
The worm itself is a Win32 executable file (PE EXE file). It was found in the wild in compressed form, about 29Kb in size; decompressed, the worm file is about 60Kb.
The worm consists of two main components: the Worm and the Trojan. The "Worm" component sends infected messages, and the "Trojan" component sends information (user info, RAS data, cached passwords, keyboard log) from infected computers to a specified e-mail address. The Trojan also carries a "keylogger" program body in its code and installs it into the system while infecting a new machine.
Infecting the system
When an infected file is run (when a user clicks on an attached file and activates it, or when the worm gains control through an IFRAME security breach in the mail client), the worm code gains control. First of all, it drops (installs) its components into the system and registers them in the system registry.
The installed Trojan file name, the target directory and the registry key are configurable. They are stored in encrypted form at the end of the Trojan file. A hacker may configure them before sending the file to a victim's machine, or before putting it on a Web site.
The worm also drops an additional keyboard hook (a Win32 DLL file) into the system and then uses it to spy on text entered from the keyboard. The DLL file name is configurable as well.
Other configurable options are:
- whether the worm deletes the original infected file when installation is complete
- the size of the keyboard log file

Spreading
To send infected messages, the worm uses a direct connection to an SMTP server. Victim e-mail addresses are obtained in two different ways:
#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from them.
#2. The worm, using MAPI functions, reads all e-mail in the Inbox and obtains e-mail addresses from those messages.

Next, the worm sends infected messages. The message body is in HTML format and uses an IFRAME breach to launch the infected attachment automatically on vulnerable machines.
The message fields are as follows:
From: - the original sender, or a fake address randomly selected from:
" Anna"
"JUDY"
"Rita Tulliani"
"Tina"
"Kelly Andersen"
" Andy"
"Linda"
"Mon S"
"Joanna"
"JESSICA BENAVIDES"
" Administrator"
" Admin"
"Support"
"Monika Prado"
"Mary L. Adams"
" Anna"
"JUDY"
"Tina"

The original sender address is slightly modified: a "_" character is inserted before the e-mail address, for example:
"John K. Smith" <john123@yahoo.com> "Vasja Pupkin" <vasyap@rambler.ru> - original addresses
"John K. Smith" <_john123@yahoo.com> "Vasja Pupkin" <_vasyap@rambler.ru> - as sent by the worm

Subject: empty, or "Re:", or "Re:" followed by the original Subject of a real Inbox message (see #2 above)
Body: empty
Attachment: randomly selected "filename + ext1 + ext2" where:
"Filename" (one of the following, in the letter case shown):
- Pics (or PICS)
- Card (or CARD)
- images (or IMAGES)
- Me_nude (or ME_NUDE)
- README
- Sorry_about_yesterday
- New_Napster_Site
- info
- news_doc (or NEWS_DOC)
- docs (or DOCS)
- HAMSTER
- Humor (or HUMOR)
- YOU_are_FAT! (or YOU_ARE_FAT!)
- fun (or FUN)
- stuff
- SEARCHURL
- SETUP
- S3MSONG

"ext1": .DOC .ZIP .MP3
"ext2": .scr, .pif

For example: "info.DOC.scr"
The worm doesn't send infected messages twice to the same address. To achieve this, it stores every address it has already mailed in a PROTOCOL.DLL file in the Windows system directory, and checks this file's contents before sending a new message.
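The message layout described above (underscore-prefixed sender, empty or "Re:" subject, double-extension attachment built from the worm's name list, HTML body with an IFRAME) is enough to write a mail-gateway check. The following is an added example, not code from the original description or from any antivirus product: it parses RFC 822 messages with Python's standard email module and reports which BadtransII traits each one shows. The two sample messages are constructed for illustration; the indicator lists are taken from the description itself.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Attachment base names listed in the description (compared case-insensitively)
WORM_NAMES = {
    "pics", "card", "images", "me_nude", "readme", "sorry_about_yesterday",
    "new_napster_site", "info", "news_doc", "docs", "hamster", "humor",
    "you_are_fat!", "fun", "stuff", "searchurl", "setup", "s3msong",
}
# "filename + ext1 + ext2": ext1 is .DOC/.ZIP/.MP3, ext2 is .scr/.pif
ATTACH_RE = re.compile(r"^(?P<name>[^.]+)\.(doc|zip|mp3)\.(scr|pif)$", re.IGNORECASE)


def attachment_names(msg: Message):
    """Yield the file names of all attachment parts of a (possibly multipart) message."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def badtrans_indicators(raw: str) -> list:
    """Return the list of BadtransII traits found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    # Trait 1: the worm inserts "_" before the original sender's address
    _, addr = parseaddr(msg.get("From", ""))
    if addr.startswith("_"):
        hits.append("from-underscore")
    # Trait 2: Subject is empty, "Re:", or "Re:" + an original subject
    subject = (msg.get("Subject") or "").strip()
    if subject == "" or subject.lower().startswith("re:"):
        hits.append("subject-empty-or-re")
    # Trait 3: attachment named from the worm's list with a double extension
    for name in attachment_names(msg):
        m = ATTACH_RE.match(name)
        if m and m.group("name").lower() in WORM_NAMES:
            hits.append("attachment:" + name)
    # Trait 4: an HTML body part containing an IFRAME (the auto-launch vector)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if re.search(r"<iframe\b", body, re.IGNORECASE):
                hits.append("html-iframe")
    return hits


def is_suspicious(raw: str) -> bool:
    """Flag a message when the attachment pattern is present together with at
    least one other trait; a lone "Re:" subject must not trigger on its own."""
    hits = badtrans_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


# Constructed sample messages (not real captures). The attachment body is a
# plain-text placeholder, not an executable.
WORM_SAMPLE = """\
From: "John K. Smith" <_john123@example.com>
To: victim@example.org
Subject: Re: meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:part1" height=0 width=0></iframe></body></html>
--B1
Content-Type: application/octet-stream; name="info.DOC.scr"
Content-Disposition: attachment; filename="info.DOC.scr"
Content-Transfer-Encoding: 7bit

placeholder - not a real binary
--B1--
"""

CLEAN_SAMPLE = """\
From: "Jane Doe" <jane@example.com>
To: victim@example.org
Subject: Re: meeting
Content-Type: text/plain

See you at 3.
"""

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, is_suspicious(sample), badtrans_indicators(sample))
```

The attachment pattern is the decisive indicator; the sender and subject traits are kept as supporting evidence only, because a legitimate reply with a "Re:" subject is common and must not be quarantined by itself.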
Spying Trojan
This routine stores the stolen information in a log file (with a configurable name) and encrypts it with a key (also configurable). After a period of time, the information is sent to one of a number of randomly selected e-mail addresses. The list below contains 22 address and mail-server pairs; each message is sent to the address through the listed server (e-mail + server):
ZVDOHYIK@yahoo.com mx2.mail.yahoo.com
udtzqccc@yahoo.com mx2.mail.yahoo.com
DTCELACB@yahoo.com mx2.mail.yahoo.com
I1MCH2TH@yahoo.com mx2.mail.yahoo.com
WPADJQ12@yahoo.com mx2.mail.yahoo.com
fjshd@rambler.ru mail5.rambler.ru
smr@eurosport.com mail.ifrance.com
bgnd2@canada.com mail.canada.com
muwripa@fairesuivre.com fs.cpio.com
rmxqpey@latemodels.com inbound.latemodels.com.criticalpath.net
eccles@ballsy.net inbound.ballsy.net.criticalpath.net
suck_my_prick@ijustgotfired.com mail.monkeybrains.net
suck_my_prick4@ukr.net mail.ukr.net
thisisno_fucking_good@usa.com usa-com.mr.outblaze.com
S_Mentis@mail-x-change.com mail-fwd.rapidsite.net
YJPFJTGZ@excite.com mta.excite.com
JGQZCD@excite.com mta.excite.com
XHZJ3@excite.com mta.excite.com
OZUNYLRL@excite.com mta.excite.com
tsnlqd@excite.com mta.excite.com
cxkawog@krovatka.net imap.front.ru
ssdn@myrealbox.com smtp.myrealbox.com

Found In-The-Wild
The worm variant found in the wild on November 24, 2001 has the following options:
It installs itself into the Windows system directory under the name KERNEL32.EXE and registers that file in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  Kernel32 = kernel32.exe
It drops the keyboard hook DLL under the name KDLL.DLL. The log information is stored in the Windows system directory under the name CP_25389.NLS.


I-Worm.Jer

Description I-Worm.Jer

This is an Internet worm that spreads through IRC channels and also attempts to spread via e-mail, but fails because of bugs in its code.
Installation
The worm was placed by its author on a page at www.geocities.com. The page had the title:
"<< THE 40 WAYS WOMEN FAIL IN BED".
On 2 July 2000, this page was announced in IRC channels, and it received more than 1000 hits on the first day. Fortunately, the worm had a bug in its e-mail infection routine, and it didn't spread far.
The "Jer" worm uses a primitive but very effective way of penetrating computers. The Web site contains a script program (the worm itself) that is executed automatically when a user opens the infected HTML page. The user then receives a system warning asking whether to accept this unknown script. The method exploits a so-called "mind breach": to get rid of the annoying message, the user answers "Yes", and at that moment the worm is passed on to the computer.

The infected HTML page contains the VBS script in its body. Upon opening the page, the script is executed automatically and the worm gains control. It creates a copy of the infected HTML page in the Windows system directory with the name JER.HTM and registers it in the autostart section of the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  GinSenG = "JER.HTM"
As a result, the worm is executed automatically on each Windows startup.
Spreading
The worm then goes to the C:\MIRC directory and (if that directory exists) creates a "SCRIPT.INI" file containing commands for the mIRC client. The worm writes into this file a set of commands that send the infected JER.HTM file to every computer that joins the same channel as the infected computer. Additionally, this script gives access to the local disk of the infected computer to any IRC user who types a specific script keyword.
Payload
The worm makes some more changes in the system registry:
- disables the desktop
- disables the "Find" dialog box
- disables the network properties dialog box
- removes "Shut Down" from the "Start" menu
The worm also changes the Windows registration information:
Owner: I Love You, Min
Organization: GinsengBoy- 2000
Removal
To restore system settings, the original registry values have to be restored.
NOTE: It is recommended that only experienced users fix the Registry keys by using the Registry Editor. Incorrect access can cause serious problems that may require you to reinstall Windows. For information about how to edit the registry, view the Changing Keys And Values online Help topic in the Registry Editor (REGEDIT.EXE).
The following values have to be removed from the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GinSenG
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
The following values have to be changed back to proper data:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Version - Windows version (for example "Windows 98")
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner - user name (whom Windows is registered to)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization - organization name (whom Windows is registered to)
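Editing these entries one by one in the Registry Editor is error-prone, so a practitioner would usually prepare a .reg file that makes all the changes at once and can be reviewed before it is merged. The following is an added example, not a tool from the original description: it builds such a file from the value list above, using the REGEDIT4 text format, in which a line of the form "name"=- deletes a value. The generator is written generically (a list of values to delete plus a list of string values to restore) so it can serve other cleanups of this kind; the owner, organization and Windows version strings are placeholders that must be replaced with the machine's real registration data.

```python
# Registry keys named in the I-Worm.Jer description
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
NETWORK_POLICY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network"
CURRENT_VERSION = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"

# (key, value name) pairs the worm adds: the autostart entry and the four policies
JER_VALUES_TO_DELETE = [
    (RUN_KEY, "GinSenG"),
    (EXPLORER_POLICY, "NoDesktop"),
    (EXPLORER_POLICY, "NoFind"),
    (NETWORK_POLICY, "NoNetSetup"),
    (EXPLORER_POLICY, "NoClose"),
]


def reg_quote(s: str) -> str:
    """Escape backslashes and double quotes the way REGEDIT string data requires."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_undo_reg(delete, restore) -> str:
    """Return REGEDIT4 text that deletes each (key, value) in `delete` and
    sets each (key, value, string) in `restore`.  Entries are grouped under
    one [key] section per key so the file stays readable for review."""
    by_key = {}
    for key, value in delete:
        by_key.setdefault(key, []).append(f'"{value}"=-')
    for key, value, data in restore:
        by_key.setdefault(key, []).append(f'"{value}"="{reg_quote(data)}"')
    lines = ["REGEDIT4", ""]
    for key, entries in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(entries)
        lines.append("")
    # Regedit expects CRLF line endings in .reg files
    return "\r\n".join(lines)


def jer_undo_reg(owner: str, organization: str, version: str) -> str:
    """Undo file for I-Worm.Jer: remove its values and restore the registration strings."""
    restore = [
        (CURRENT_VERSION, "RegisteredOwner", owner),
        (CURRENT_VERSION, "RegisteredOrganization", organization),
        (CURRENT_VERSION, "Version", version),
    ]
    return build_undo_reg(JER_VALUES_TO_DELETE, restore)


if __name__ == "__main__":
    # Placeholder registration data: replace with the real values for the machine
    print(jer_undo_reg("REAL OWNER NAME", "REAL ORGANIZATION", "Windows 98"))
```

Save the printed text as a .reg file, inspect it, and merge it with REGEDIT.EXE; the JER.HTM copy in the Windows system directory and the mIRC SCRIPT.INI still have to be deleted by hand, since a .reg file only touches the registry.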

I-Worm.Kadra

Description I-Worm.Kadra

This is a Win32 PE EXE worm that spreads in e-mail messages using the system's default MAPI client. When started, it copies itself to %WINDOWS%\Win32Dlw.EXE and %SYSTEM%\Win32Exp.EXE, then writes the following registry value to start automatically with Windows: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  RunExplorer = %SYSTEM%\Win32Exp.EXE
If the current month is September, the worm draws the following message on the screen:
Kad sve izgleda da umire,allono se ustvari radja!
Then, the worm shows a message box with a '...' title and the following text:
Moja jutra su sve jasnija,
Moja snaga je prodornija,
Moje rijeci silno odjekuj
Moj mac je ostriji,
Moje noci su sve hladnije.
...ali dan je blizi kad ce
ljudi shvatiti da su samo,
i nista drugo nego ono sto
sam i JA!

After displaying the message, the worm does nothing for 2 minutes, and then sends itself to the senders of all e-mail messages stored in the default MAPI client's inbox.
All messages sent by the worm have the following properties:

Message subject is: Bin Ladenov zivot.
File attached: Bin Ladenov Zivot.exe
Message body: Ako jos do sada niste znali ko je Bin Laden onda vjerovatno cete naci ovaj dokument interesantnim u kojem je prikazano nekoliko vaznih momenata u, u njegovom zivotu, cak dok je jos radio pri CIA!

    Copyright © 2005 Virus-Database.com