Topic: Security Alert! Win32.BadtransII and Win32.Badtrans.dll
teknetworks (Spaceship Captain)
« on: November 27, 2001, 12:30:00 AM »

CSRT Alert - Medium Risk
=======================

Win32.BadtransII
and Win32.Badtrans.dll

Alias: W32/Badtrans-B, BADTRANS.B, WORM_BADTRANS.B, W32/Badtrans@MM,
W32.Badtrans.B@mm, W32/BadTrans.B-mm
Threat Level:  Medium
Platforms: 95, 98, ME, NT, 2000
Updated on: 27 November, 2001
Arrival Form:  Email
Type: Win32, Trojan, Worm
Damage: Steal information, Other

-----------------------------------------------------------------------

Analysis
========
Win32.BadTransII is an email spreading vandal which attempts to install a
spying keystroke logger on infected machines and tries to steal access
passwords to connections. When arriving by email this vandal runs
automatically by using an Outlook Express exploit known as the X-WAV
exploit.
More information about this exploit and a patch is available from
Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp


Infection
---------
The arriving email will have the following format:

From: a list of random email addresses
Subject: random words out of the following list: Humor, fun, docs, info
Body: No body text
Attached file: random attached file name with a double extension.
The list of possible names:
Pics
images
New_Napster_Site
README
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
news_doc
HAMSTER
YOU_are_FAT!

The first file extension will be one of the following: .DOC, .ZIP, .MP3
The second extension will be one of the following: .PIF, .SCR

This vandal can also arrive as a reply to an email. In that case the
subject line will begin with Re: and following would be the original
subject line.
It also searches files with the extensions .HT* and .ASP (HTML files) and
sends infected emails to addresses found there. Usually there will be many
such HTML files in the browser cache directories.

Operation
---------
When an infected email is viewed on a system unpatched by Microsoft, the
file is automatically executed and will perform the following:

1. Create a copy of itself under the name KERNEL32.EXE in the Windows
System directory (usually C:\Windows\System).

2. Create a file named KDLL.DLL (detected by eSafe as Win32.Badtrans.dll)
in the Windows System directory. This file is a spying Trojan. It collects
information about the PC including dial-up passwords. It is also a
keystroke logger, collecting all the keyboard entries and the respective
applications. All this information is saved encrypted to a file named
CP_25389.NLS and sent to a predefined email address.

3. To execute itself each time the computer starts, the following registry
entry is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
kernel32 = "kernel32.exe"

4. Use MAPI to send copies of itself to address book entries as well as
addresses in HTML pages stored locally and as a reply to unread messages.

Removal Instructions
====================

Manual Removal
--------------

1. Find and delete the files: KERNEL32.EXE and CP_25389.NLS

2. Using Regedit.exe, find the key HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe". Delete the
registry value kernel32.

3. Disable email previewing in Outlook Express. Delete all email messages
that correspond to the descriptions above.

Cleaning Utility
----------------
A cleaning utility is available from
ftp://ftp.ealaddin.com/pub/utils/eclean.exe

This is from the eSafe (eAladdin) security update.

Cheers!
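A defender-side triage check built from the indicators in the alert above: the attachment base-name list, the double-extension pattern, the subject words, the dropped files and the RunOnce value. This is an added example, not part of the alert or of eSafe's cleaning utility; the sample messages and registry values it runs on are constructed.

```python
import re

# Indicators transcribed from the alert above; all sample data below is constructed.
BASE_NAMES = {"pics", "images", "new_napster_site", "readme", "stuff", "setup", "card",
              "me_nude", "sorry_about_yesterday", "news_doc", "hamster", "you_are_fat!"}
FIRST_EXT = {".doc", ".zip", ".mp3"}    # inner (decoy) extension
SECOND_EXT = {".pif", ".scr"}           # outer (executable) extension
SUBJECT_WORDS = {"humor", "fun", "docs", "info"}
DROPPED_FILES = {"kernel32.exe", "kdll.dll", "cp_25389.nls"}

# name.ext1.ext2 with exactly two extensions; the base may contain '!' or '_' but no dot
ATTACH_RE = re.compile(r"^(?P<base>[^.\\/]+)(?P<ext1>\.[a-z0-9]+)(?P<ext2>\.[a-z0-9]+)$", re.I)


def attachment_matches(filename):
    """True if the name has the alert's double-extension form, e.g. Card.DOC.PIF."""
    m = ATTACH_RE.match(filename.strip())
    return bool(m) and (m.group("base").lower() in BASE_NAMES
                        and m.group("ext1").lower() in FIRST_EXT
                        and m.group("ext2").lower() in SECOND_EXT)


def triage_message(subject, body, attachments):
    """Flag a message on the attachment indicator; subject/body only add supporting reasons."""
    subj = subject.strip().lower()
    attach_hit = any(attachment_matches(a) for a in attachments)
    reasons = []
    if attach_hit:
        reasons.append("attachment name from Badtrans list with .DOC/.ZIP/.MP3 + .PIF/.SCR")
    if subj in SUBJECT_WORDS or subj.startswith("re:"):
        reasons.append("subject from Badtrans word list or Re: reply form")
    if not body.strip():
        reasons.append("empty body")
    return {"flag": attach_hit, "reasons": reasons}


def host_artifacts(system_dir_listing, runonce_values):
    """Dropped files present in the System directory, plus whether the RunOnce value exists."""
    files = sorted(f for f in system_dir_listing if f.lower() in DROPPED_FILES)
    persisted = any(name.lower() == "kernel32" and data.strip('"').lower() == "kernel32.exe"
                    for name, data in runonce_values.items())
    return {"files": files, "runonce": persisted}


if __name__ == "__main__":
    # constructed samples: one worm-style message, one benign message, one infected host
    print(triage_message("Re: meeting notes", "", ["Sorry_about_yesterday.ZIP.SCR"]))
    print(triage_message("fun", "see attached", ["photo.jpg"]))
    print(host_artifacts(["KERNEL32.DLL", "KERNEL32.EXE", "KDLL.DLL", "user32.dll"],
                         {"kernel32": '"kernel32.exe"'}))
```

Note that the legitimate KERNEL32.DLL is not flagged; the worm's copy is the .EXE with that name.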
Bluelight (Jedi)
« Reply #1 on: November 27, 2001, 02:04:00 AM »

I was just rebooting to start the reformat when I remembered a file I had to move from the C drive before reformatting, so I didn't push the F2 button to go into the Win 98 start disk for the reformat when my virus scanner (AVP) found the virus. It was the Badtrans.
  Funny thing that I had scanned for it several times and rebooted several times with no signs of anything.
I'm using a text file for addresses normally but I did have some addresses in Outlook. As I said before, Zone Alarm asked permission for Kernel to go out on the net, which I denied as I saw no reason, so hopefully I haven't sent this bugger to anyone else.

  What I wonder now is if this thing goes into my D drive where I keep letters and addresses separated from Outlook Express? Hmmm....

  Downloading the fix util now.

Thanks Tekcode. This might save me from the reformat.

   Blue
Bluelight (Jedi)

« Reply #2 on: November 27, 2001, 05:15:00 AM »

OK. I'm sitting here with a clean computer thanks to you Tekcode.

  I ran the util you linked to and AVP several times and they didn't find anything else than the kernel exe and the kdll.dll.
  Hopefully nothing has been sent to anyone else.

 Gives you a bad taste though, not knowing if any info on passwords etc. has been sent somewhere.
As far as I understand it you don't have to open the mail to get infected unless you have Explorer 6 or a special safety patch.
  I have none of these as for now. Easy target.
   Makes you wanna go berserk, these things, don't they

   TrojanBlue

[ November 27, 2001: Message edited by: Bluelight ]

teknetworks (Spaceship Captain)
« Reply #3 on: November 27, 2001, 08:22:00 AM »

That's why we are here. To help each other.


Cheers!
Santos (Jabba the Hutt)
« Reply #4 on: November 27, 2001, 02:09:00 PM »

If it was Badtrans only, make sure you did these steps [URL=http://www.pchell.com/virus/badtrans.shtml]HERE[/URL]

I replied to the other post without reading this one, now I feel kinda dumb. As long as you're OK I'll take feeling dumb any day
n2brand (Intergalactic Superstar)
« Reply #5 on: November 27, 2001, 11:46:00 PM »

tekcode

very cool and very right. We are all here to help when we can !!
Bluelight (Jedi)
« Reply #6 on: November 28, 2001, 02:58:00 AM »

I'm back from a complete reformat of my C drive.
Everything went smooth yesterday and I removed the stuff from my computer. Rebooted several times afterwards and worked with other stuff for an hour or two.
 This morning when I started the machine it couldn't find any of the files necessary to start.
Now what these little green frogs that program viruses didn't know is that I'm a master of formatting my C drive hehe..... due to my kids who continually clog up the reg with games, so I have to do this every three months anyway and it was about time.
   Keeping everything valuable on my D drive
(now don't start doing viruses for the D drive cause if you do...... little green frogs I'll.....) which I have never been forced to reformat. Gonna get a burner in a couple of weeks too.

   Thanks again all for good help!

     

   Bluey
teknetworks (Spaceship Captain)
« Reply #7 on: November 28, 2001, 06:57:00 AM »

Wow man.. what files were missing? Maybe you could boot in safe mode or xcopy the needed files to the directories.


Other question.. so when you cleaned up your PC with the utility, did it work?


Cheers!
Bluelight (Jedi)
« Reply #8 on: December 10, 2001, 04:39:00 PM »

Sorry for not answering this question at once Tek. Yes, it worked well for a couple of hours after I had run the cleanup util. It was only the morning after that the machine wouldn't boot.
   It is very likely that I did mess up somewhere in the process.

  Tonight I received the third one like this. I have no addresses or mails in Outlook and I'm using IE 6 so I think I'm OK since I deleted the thing right away.
 This one was called Fat.!.M.scr
 
   Bluey