TrojanDownloader.Win32.Checkin

Description

Checkin is a "downloader" trojan that downloads a given file from a certain site and runs it. The trojan itself is a Windows PE EXE file, written in MS Visual C++. The trojan files have the following approximate sizes:

  "Checkin.a": 50Kb
  "Checkin.b": 45Kb

The trojan EXE file does not copy itself to any directory, but it creates a system registry auto-run key:

  "Checkin.a":
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SysReg = %SystemDir%\SysReg

  "Checkin.b":
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    OWMngr = %SystemDir%\OWMngr.exe

It seems that the trojan program is meant to be completed by an "installer" that performs all the steps needed to install the trojan program into the system. The trojan program also creates more registry keys:

  HKCU\Software\IExplore
  Ads AID ID LoggedIn

It uses these keys for its 'internal' needs. Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe, and executes this file. The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site:

  "Checkin.a": http://tp.searchseekfind.com
  "Checkin.b": http://ads.onwebmedia.com

At these locations the trojan uses the "Checkin.pl" file.
I-Worm.Badtrans.a

Description

This is a worm spreading under Win32 systems. The virus sends e-mail messages with infected attached files, and also installs a spying Trojan component to steal information from infected systems. The worm was discovered in-the-wild on April 12, 2001.

The worm itself is a Win32 executable file (PE EXE file). It was found in-the-wild in compressed form, and is 13Kb in size. Decompressed, the worm file length increases to about 40Kb.

The virus has a multi-component structure. It consists of two different components that are dropped to disk as separate files and run as stand-alone programs (the e-mail Worm and the Trojan). The "Worm" routine is the main component: it keeps the "Trojan" program body in its code and installs it into the system while infecting a new machine.

The "Worm" component operates similarly to the "I-Worm.ZippedFiles" (aka ExploreZip) worm: by using Windows MAPI functions, it gains access to the Inbox and "answers" all unread messages. This routine has a bug and may cause a transport overload (see below).

The "Trojan" component is a variant of the already known "password-stealing" Trojans (see "Trojan.PSW.Hooker"). It sends information from infected computers to this e-mail address:

  ld8dl1@mailandnews.com

Infecting the system

When an infected file is run (when a user clicks on an attached file and activates it), the worm code gains control. First of all, it drops (installs) its components to the system. The worm copies itself to the Windows directory with the INETD.EXE name, and drops the Trojan component to the Windows directory as well, with the HKK32.EXE name. The Trojan component is then executed; it moves itself to the Windows system directory with the KERN32.EXE name and drops an additional library (key logger) with the HKSDLL.DLL name.

The worm creates two files in the Windows directory:

  HKK32.EXE - Trojan component (it is executed then)
  INETD.EXE - worm copy

The Trojan, when run, moves itself to the Windows system directory:

  KERN32.EXE   - Trojan component (second copy)
  HKSDLL.DLL   - Trojan library (keylogger)
  CP_23421.NLS - Trojan data file (the Trojan stores its internal data in there)

and deletes the HKK32.EXE file in the Windows directory.

The worm then registers itself (the INETD.EXE file) in the auto-run sections of the system. Under Win9x, it writes a "run=" command to the [windows] section of the WIN.INI file, for example:

  [windows]
  load=
  run=C:\WINDOWS\INETD.EXE

Under WinNT/2000, a registry key is created:

  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  RUN = C:\WINDOWS\INETD.EXE

The Trojan registers itself in the registry RunOnce key:

  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  kernel32 = kern32.exe

Because this is a "run once" key, the Trojan rewrites it upon each start, so that Windows keeps loading the Trojan file upon each restart.

To hide its activity until installation into a new machine is complete, the worm displays a fake message and exits:

  Install error
  File data corrupt: probably due to bad data transmission or bad disk access.

The worm does not send any messages out of an infected machine on the first start; it does so upon the next Windows restart instead.

Spreading

The spreading routine is activated upon the next Windows restart, when the worm copy is activated from the INETD.EXE file (this file is run automatically because it is referred to from the "run" key in the WIN.INI file or the system registry). The worm registers itself as a hidden (service) process, and lies dormant for about 5 minutes before activating its spreading routine.

While spreading, the worm gains access to the Windows MAPI functions, opens and reads all unread messages, and "answers" them with infected messages. The worm does not terminate; it stays active until Windows restarts, and sends an infected message each time a new message arrives.

The infected message has a text and an attached file. The attached file name is randomly selected from the following variants:

  Pics.ZIP.scr
  images.pif
  README.TXT.pif
  New_Napster_Site.DOC.scr
  news_doc.scr
  hamster.ZIP.scr
  YOU_are_FAT!.TXT.pif
  searchURL.scr
  SETUP.pif
  Card.pif
  Me_nude.AVI.pif
  Sorry_about_yesterday.DOC.pif
  s3msong.MP3.pif
  docs.scr
  Humor.TXT.pif
  fun.pif

The Subject field in the worm messages is the same as in the original message, with a "Re:" prefix. The message body is set as a "reply" to the original message. For example, if the original message is sent from "John Smith" and has the following two lines:

  message line1
  message line2

then the worm will reply with the text:

  'John Smith' wrote:
  ====
  - message line1
  - message line2

  > Take a look to the attachment.

If a message has no body (empty message), the worm's "reply" has just one line:

  > Take a look to the attachment.

Transport Bomb

The worm has a trick to avoid answering the same e-mail two or more times, and to avoid answering its own messages received from other infected machines. To do this, the worm adds two spaces to the end of the Subject line, and does not process (reply to) such messages. This "two-spaces" protection works for messages that are already "answered": the worm does not reply to these messages. However, this protection doesn't work for messages received from other infected computers. Some e-mail servers (or most of them) simply cut all spaces at the end of the Subject line (according to the RFC-822 e-mail message standard). As a result, if an infected message arrives at an already infected machine, it is immediately answered by the worm and sent back. So the worm initiates "looped" traffic with an endless number of infected messages.

Depending on the installed e-mail client, the worm also fails to mark "answered" messages. As a result, the worm answers all unread messages ("true" ones and its own messages) in an endless loop, and the number of sent and received messages increases to several thousand within a minute. Therefore, the worm can cause an e-mail server to crash, because it will soon be incapable of processing all these messages.
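The mail loop described above, modelled as an added example (this is not code from the original description): two infected hosts exchange one message, the "two-spaces" Subject marker is honoured when it survives transit and defeated when the server trims trailing whitespace. The subject text and the hop limit are constructed values.

```python
"""Added example: model of the Badtrans.a "answered" marker and the transport bomb.
Hosts A and B are both infected; the server in between may or may not strip
trailing spaces from the Subject header (constructed scenario)."""

ANSWERED_MARK = "  "   # the worm appends two spaces to Subject lines it has answered


def worm_reply(subject: str):
    """Return the Subject the worm sends back, or None when it treats the message
    as already answered (Subject ends with the two-space marker)."""
    if subject.endswith(ANSWERED_MARK):
        return None
    return "Re: " + subject + ANSWERED_MARK   # "Re:" prefix plus the marker


def transit(subject: str, server_strips_trailing_space: bool) -> str:
    """Model the mail server between the hosts; RFC-822-style trimming of
    trailing whitespace on header values destroys the marker."""
    return subject.rstrip(" ") if server_strips_trailing_space else subject


def exchange(subject: str, server_strips_trailing_space: bool, limit: int = 1000) -> int:
    """Bounce one message between the two infected hosts until a host declines
    to answer or `limit` hops are reached; return the number of hops."""
    hops, current = 0, subject
    while hops < limit:
        reply = worm_reply(current)
        if reply is None:          # marker seen: the worm stops here
            break
        hops += 1
        current = transit(reply, server_strips_trailing_space)
    return hops


if __name__ == "__main__":
    print("marker preserved:", exchange("hello", False))   # stops after 1 hop
    print("marker stripped :", exchange("hello", True))    # runs to the hop limit
```

The second run shows why the "looped" traffic never terminates: every reply arrives without the marker and is answered again.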
I-Worm.BadtransII

Description

This is a worm that spreads under Win32 systems. The virus sends e-mail messages with infected files attached, and also installs a spying Trojan component to steal information from infected systems. The worm was discovered in-the-wild in November 2001.

The worm itself is a Win32 executable file (PE EXE file). It was found in-the-wild in compressed form, and is about 29Kb in size. Decompressed, the worm file length becomes about 60Kb.

The worm consists of two main components, the Worm and the Trojan. The "Worm" component sends infected messages, and the "Trojan" component sends out information (user's info, RAS data, cached passwords, keyboard log) from infected computers to a specified e-mail address. It also keeps a "keylogger" program body in its code, and installs it into the system while infecting a new machine.

Infecting the system

When an infected file is run (when a user clicks on an attached file and activates it, or if the worm gains control through an IFRAME security breach), the worm code gains control. First of all, it drops (installs) its components to the system and registers itself in the system registry.

The installed Trojan file name, the target directory and the registry key are configurable options. They are stored in encrypted form at the end of the Trojan file. A hacker may configure them before sending the file to a victim's machine, or before putting it on a Web site. The worm also drops an additional keyboard hooker (a Win32 DLL file) to the system, and then uses it to spy on text entered from the keyboard. The DLL file name is configurable as well. Other configurable options are:

- whether the worm deletes the original infected file when installation is complete
- the size of the keyboard log file

Spreading

To send infected messages, the worm uses a direct connection to an SMTP server. Victims' e-mail addresses are obtained in two different ways:

#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from them.
#2. The worm, using MAPI functions, reads all e-mail from the Inbox, and obtains e-mail addresses from there.

Next, the worm sends infected messages. The message body is in HTML format, and uses an IFRAME breach to spawn the infected attachment on vulnerable machines. The message fields are as follows:

From: the original sender, or a fake address randomly selected from:

  " Anna"
  "JUDY"
  "Rita Tulliani"
  "Tina"
  "Kelly Andersen"
  " Andy"
  "Linda"
  "Mon S"
  "Joanna"
  "JESSICA BENAVIDES"
  " Administrator"
  " Admin"
  "Support"
  "Monika Prado"
  "Mary L. Adams"
  " Anna"
  "JUDY"
  "Tina"

The original sender address is slightly modified: the "_" character is inserted before the e-mail address, for example:

  "John K. Smith" <john123@yahoo.com>    "Vasja Pupkin" <vasyap@rambler.ru>    - original address
  "John K. Smith" <_john123@yahoo.com>   "Vasja Pupkin" <_vasyap@rambler.ru>   - sent by worm

Subject: empty, or "Re:", or "Re:" followed by the original Subject from a real Inbox message (see #2 above)

Body: empty

Attachment: randomly selected as "filename + ext1 + ext2", where:

  "filename":
    Pics (or PICS)
    Card (or CARD)
    images (or IMAGES)
    Me_nude (or ME_NUDE)
    README
    Sorry_about_yesterday
    New_Napster_Site
    info
    news_doc (or NEWS_DOC)
    docs (or DOCS)
    HAMSTER
    Humor (or HUMOR)
    YOU_are_FAT! (or YOU_ARE_FAT!)
    fun (or FUN)
    stuff
    SEARCHURL
    SETUP
    S3MSONG

  "ext1": .DOC .ZIP .MP3
  "ext2": .scr .pif

For example: "info.DOC.scr"

The worm doesn't send infected messages twice to the same address. To do this, it stores every address it has already sent an infected message to in a PROTOCOL.DLL file in the Windows system directory, and checks this file's content before sending a new message.

Spying Trojan

This routine stores stolen information to a log file (with a configurable name), and encrypts this information with a key (also configurable). After a period of time, this information is sent to one of a number of randomly selected e-mail addresses. The list contains 22 addresses, each paired with the e-mail server through which the message is sent (e-mail + server).
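A mail-gateway check for the message traits described above (the "_"-prefixed sender, the empty or "Re:" Subject, and the "filename + ext1 + ext2" attachment), added here as an example and not part of the original description. The sample message, the reserved example domain and the trait names are constructed for this example.

```python
"""Added example: flag BadtransII-style messages by the header and attachment
traits listed in the description. Sample message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# "filename + ext1 + ext2": ext1 in .DOC/.ZIP/.MP3, ext2 in .scr/.pif
ATTACH_RE = re.compile(r"^[\w!]+\.(doc|zip|mp3)\.(scr|pif)$", re.IGNORECASE)


def badtrans_indicators(raw: str) -> list:
    """Return the list of BadtransII traits found in one RFC-822 message text."""
    msg = message_from_string(raw)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.startswith("_"):                       # "_" inserted before the real address
        hits.append("from-underscore")
    subject = msg.get("Subject", "").strip()
    if subject == "" or subject.startswith("Re:"):  # weak signal on its own
        hits.append("subject-empty-or-re")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):         # the strongest indicator
            hits.append("double-extension:" + name)
    return hits


def is_badtrans_like(raw: str) -> bool:
    """Block only when the double-extension attachment appears together with at
    least one header trait, to limit false positives on ordinary replies."""
    hits = badtrans_indicators(raw)
    return any(h.startswith("double-extension:") for h in hits) and len(hits) >= 2


# Constructed sample (not a real capture); addresses use a reserved domain.
SAMPLE = """From: "John K. Smith" <_john123@example.invalid>
Subject: Re:
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body></body></html>
--b1
Content-Type: application/octet-stream; name="info.DOC.scr"
Content-Disposition: attachment; filename="info.DOC.scr"

AAAA
--b1--
"""
```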
Found In-The-Wild

The worm variant found in-the-wild on November 24, 2001 has the following options: it installs itself to the Windows system directory with the KERNEL32.EXE name, and registers it in the following registry key:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Kernel32 = kernel32.exe

It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system directory with the CP_25389.NLS name.
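The auto-run entries listed for Checkin.a/.b, Badtrans.a and the BadtransII in-the-wild variant can be checked offline against a registry dump and a WIN.INI copy. The scanner below is an added example, not code from the original descriptions; it assumes the registry text is in the format written by `reg export` and the sample dumps are constructed.

```python
"""Added example: scan a `reg export` text dump and a WIN.INI text for the
auto-run entries named in the three descriptions. Sample inputs are constructed."""
import re

# (key suffix, value name, data fragment) taken from the descriptions above
AUTORUN_IOCS = [
    (r"\CurrentVersion\Run", "SysReg", "SysReg"),                  # Checkin.a
    (r"\CurrentVersion\Run", "OWMngr", "OWMngr.exe"),              # Checkin.b
    (r"\Windows NT\CurrentVersion\Windows", "Run", "INETD.EXE"),   # Badtrans.a, NT/2000
    (r"\CurrentVersion\RunOnce", "kernel32", "kern32.exe"),        # Badtrans.a Trojan
    (r"\CurrentVersion\RunOnce", "Kernel32", "kernel32.exe"),      # BadtransII ITW variant
]
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="data" lines of a .reg file


def scan_reg_export(text: str) -> list:
    """Return (key, name, data) for every value matching an indicator above."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # current key header
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")   # undo .reg escaping
        for suffix, ioc_name, frag in AUTORUN_IOCS:
            if (key.lower().endswith(suffix.lower()) and name.lower() == ioc_name.lower()
                    and frag.lower() in data.lower()):
                hits.append((key, name, data))
    return hits


def scan_win_ini(text: str) -> list:
    """Return run=/load= lines under [windows] that launch INETD.EXE (the Win9x path)."""
    hits, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith(("run=", "load=")) \
                and "inetd.exe" in line.lower():
            hits.append(line)
    return hits


# Constructed sample dumps (not real captures).
REG_SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OWMngr"="C:\\WINDOWS\\SYSTEM\\OWMngr.exe"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"
'''
INI_SAMPLE = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[Desktop]\nWallpaper=\n"
```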