Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
VIRUS ANALYSIS 3
Bad Transfer
Peter Ferrie and Péter Ször
Symantec Security Response, USA
In December 2001 Symantec received its one millionth
customer sample submission. We waited for the big
moment, but the millionth submission arrived sooner
than we expected. This is because a new worm,
Win32/Badtrans.B@mm, was making its way quickly
around the Internet. The worm was released in late October
2001 and during December we received 30,000 submissions
of this worm alone. This is an extremely high number for a
single month and at least twice as many as we have experi-
enced before.
Configuration Bits
This worm arrives as an email with one of several attach-
ment names and a combination of two appended extensions.
The attachment contains the worm code and an appended
block of configuration data which controls its behaviour.
Clearly the author wanted to change the behaviour of the
worm without recompiling the code. Thus the configuration
data at the end of worm works much like a .ini file. The
worm’s author probably had a patch tool to create different
behaviours during testing.
VIRUS BULLETIN ©2002 Virus Bulletin Ltd, The Pentagon, Abingdon, Oxfordshire, OX14 3YP, England. Tel +44 1235 555139. /2002/$0.00+2.50
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.
VIRUS BULLETIN FEBRUARY 2002 • 9
The control bits control the logging, the encryption, the ‘REM’, ‘CON’, ‘TER’ and ‘NET’. These texts form the
directories in which files are created, and what is stolen start of the words LOGon, PASsword, REMote,
(keystrokes and/or cached passwords). Thus many things CONnection, TERminal and NETwork, respectively. There
can change based on these values. are also Russian versions of the same words in the list.
The unique value is used as a parameter to verify the If any of these words are found, then the key logging is
requests to run a new copy and delete the old one. When the enabled for 60 seconds. When the logging delay expires
worm is executed, first it will search for and terminate all (currently every 30 seconds), the log file and the cached
other running copies of itself. Then it will append the passwords are sent to one of several addresses (some of
unique value to the word ‘Restart_’ and run again with this which are currently not operational, some contain obscene
parameter. If this parameter has been specified already, then words and are not listed here), using one of several SMTP
the worm will run itself yet again, but with an additional servers. The addresses are:
parameter which is the unique value appended to the word
‘Kill_’. The purpose of the Kill command is to delete the ZVDOHYIK@yahoo.com rmxqpey@latemodels.com
file that was used to launch the worm initially. DTCELACB@yahoo.com muwripa@fairesuivre.com
WPADJQ12@yahoo.com cxkawog@krovatka.net
Auto Launcher
I1MCH2TH@yahoo.com ssdn@myrealbox.com
The worm uses the malformed MIME exploit to execute
automatically. The emails are HTML format combined with udtzqccc@yahoo.com bgnd2@canada.com
a malformed MIME header that causes Microsoft Outlook YJPFJTGZ@excite.com smr@eurosport.com
to execute the attachment immediately and without prompt-
JGQZCD@excite.com tsnlqd@excite.com
ing. More on the exploit, including the necessary patches to
protect the system against such an attack can be found at OZUNYLRL@excite.com eccles@ballsy.net
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp. XHZJ3@excite.com fjshd@rambler.ru
When Badtrans.B is first executed, it copies itself to S_Mentis@mail-x-change.com.
%System% or %Windows%, depending on the control bits,
using the filename contained in the configuration data The SMTP servers are:
(currently ‘kernel32.exe’). Then it registers itself as a
mx2.mail.yahoo.com mail5.rambler.ru
service process (Windows 9x/ME only) to hide its presence
from the Task List in Windows. It creates the key logging mail.ifrance.com mail.canada.com
files in %System%, whose names are specified in the fs.cpio.com smtp.myrealbox.com
configuration data (currently ‘kdll.dll’ and ‘cp_25389.nls’).
mail.monkeybrains.net mail.ukr.net
The log file is encrypted with a simple algorithm, whose usa-com.mr.outblaze.com mail-fwd.rapidsite.net
keys come from a string in the configuration data (currently
‘uckyjw@hotmail.com’). Andreas Marx at AV-Test.org mta.excite.com imap.front.ru
developed a Windows application to decrypt the encrypted inbound.latemodels.com.criticalpath.net
log file. This may be of use to anybody who wants to know
inbound.ballsy.net.criticalpath.net.
what has been logged and possibly distributed to the hacker.
The email addresses as well as the server names, are
The DLL is loaded and several functions are accessed
encrypted in the worm’s code. Since there are Russian
dynamically from it. The code of the DLL is stored in the
server names and Russian words in the password stealing
resource section of the worm’s code. That explains the
routine it is reasonable to assume that this worm has a
choice of UPX, a packer that does not pack resource
Russian origin.
sections. There are some buggy packers that pack resources
and therefore cause problems for certain applications that After 20 seconds, the worm shuts down if the appropriate
use Windows resource APIs. control bit is set.
%Windows% and %System% values vary from system to
system. The worm locates the \Windows folder (by default Sending Mail
this is C:\Windows or C:\Winnt) or the \System folder (by
default this is C:\Windows\System or C:\Winnt\System32) If RAS support is present on the computer, then the worm
and copies itself to that location. waits for an active RAS connection. When such a connec-
tion is made, with a 33 percent chance, the worm searches
for email addresses in *.ht* and *.asp files in the Personal
Password Stealing and Internet Explorer Cache folders. If it finds addresses in
A timer is used to examine the currently open window once these files, then it sends mail to those addresses using the
every second and to check for a window title that contains victim’s SMTP server. The attachment name will be one of
particular characters. Currently, these are ‘LOG’, ‘PAS’, the following:
VIRUS BULLETIN ©2002 Virus Bulletin Ltd, The Pentagon, Abingdon, Oxfordshire, OX14 3YP, England. Tel +44 1235 555139. /2002/$0.00+2.50
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.
10 • VIRUS BULLETIN FEBRUARY 2002
The worm appends two extensions. The first should be one Conclusion
of the following: .mp3, .zip, .doc, but because of a bug, .zip
Evidently the use of exploits in computer viruses is becom-
is never chosen. The second extension that is appended to
ing increasingly common. Additionally, many malicious
the file name is .pif or .scr. The resulting file name would
hackers are creating mass-mailing worms by combining
be something like, for example, CARD.doc.pif or
backdoors and other password-stealing applications to
ME_NUDE.mp3.scr and so on.
make them more successful. Just like Sircam and
If SMTP information can be found on the computer, then it W32.HLLW.GOP@mm, Badtrans started up as a password-
will be used for the From: field. Otherwise, the From: field stealing Trojan and became more successful once the
should be one of the following: MIME encoding was added to the SMTP mass mailing that
was already present.
“Mary L. Adams” mary@c-com.net
Hackers are becoming increasingly interested in your
“Monika Prado” monika@telia.com
personal information! We should all be sure to keep aware
“Support” support@cyberramp.net of recent exploits and apply all security patches to protect
“Admin” admin@gte.net ourselves from a lot of trouble. Apparently the Nimda virus
spread this message well enough, yet Badtrans.B became
“Administrator” <administrator@border.net>
successful with a very similar strategy.
“JESSICA BENAVIDES” <jessica@aol.com>
“Joanna” <joanna@mail.utexas.edu> Win32/Badtrans.B@mm
“Mon S” <spiderroll@hotmail.com>
Alias: I-worm.BadtransII,
“Linda” <lgonzal@hotmail.com>
W32/Badtrans.B@mm.
“Andy” <andy@hweb-media.com>
Type: SMTP mass mailer that uses
“Kelly Andersen” Gravity49@aol.com malformed MIME exploit to execute
“Tina” <tina0828@yahoo.com> itself automatically if Microsoft
Outlook is not patched.
“Rita Tulliani” <powerpuff@videotron.ca>
“JUDY” <JUJUB271@AOL.COM> Size: 29,020 bytes.
VIRUS BULLETIN ©2002 Virus Bulletin Ltd, The Pentagon, Abingdon, Oxfordshire, OX14 3YP, England. Tel +44 1235 555139. /2002/$0.00+2.50
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.