333  Warning - virus from Stellamilano@earthlink.net

Date: Mon, 3 Dec 2001 02:31:00 +0000
From: Chris John Jordan <chrisjj@EMAIL.COM>
Subject: Warning - virus from Stellamilano@earthlink.net

Members of this list are likely to have received or to receive an email
containing a virus from Stellamilano@earthlink.net. The email has a
convincing looking subject line, but also an attached file with name
ending .pif or .scr. You should delete the email immediately, and since
just viewing it can have infected your computer, also follow the
instructions below.

- Chris



from www.symantec.com:


W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 27, 2001 at 09:32:11 AM PST


Printer-friendly version Tell a Friend

Due to the increased rate of submissions, Symantec Security Response has
upgraded the threat level of this worm from level 3 to level 4 as of
November 26, 2001.

W32.Badtrans.B@mm is a MAPI worm that emails itself out using different
file names. It also creates the file \Windows\System\Kdll.dll. It uses
functions from this file to log keystrokes.


Type: Worm

Infection Length: 29,020 bytes

Virus Definitions: November 24, 2001

Threat Assessment:


Wild:
High Damage:
Low Distribution:
High


Wild:

Number of infections: More than 1000
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Damage:

Payload:
Large scale e-mailing: Uses MAPI commands to send email.
Compromises security settings: Installs keystroke logging Trojan horse.
Distribution:

Name of attachment: randomly chosen from preset list
Size of attachment: 29,020 bytes

Technical description:

This worm arrives as an email with one of several attachment names and a
combination of two appended extensions. It contains a set of bits that
control its behavior:

001 Log every window text
002 Encrypt keylog
004 Send log file to one of its addresses
008 Send cached passwords
010 Shut down at specified time
020 Use copyname as registry name (else kernel32)
040 Use kernel32.exe as copyname
080 Use current filename as copypath (skips 100 check)
100 Copy to %system% (else copy to %windows%)

When it is first executed, it copies itself to %System% or %Windows% as
Kernel32.exe, based on the control bits. Then it registers itself as a
service process (Windows 9x/Me only). It creates the key log file
\%System%\Cp_25389.nls and drops %System%\Kdll.dll which contains the key
logging code.

NOTE: %Windows% and %System% are variables. The worm locates the \Windows
folder (by default this is C:\Windows or C:\Winnt) or the \System folder
(by default this is C:\Windows\System or C:\Winnt\System32) and copies
itself to that location.

A timer is used to examine the currently open window once per second, and
to check for a window title that contains any of the following as the
first three characters:


LOG
PAS
REM
CON
TER
NET

These texts form the start of the words LOGon, PASsword, REMote,
CONnection, TERminal, NETwork. There are also Cyrillic versions of these
same words in the list. If any of these words are found, then the key
logging is enabled for 60 seconds. Every 30 seconds, the log file and the
cached passwords are sent to one of these addresses:

ZVDOHYIK@yahoo.com
udtzqccc@yahoo.com
DTCELACB@yahoo.com
I1MCH2TH@yahoo.com
WPADJQ12@yahoo.com
fjshd@rambler.ru
smr@eurosport.com
bgnd2@canada.com
muwripa@fairesuivre.com
rmxqpey@latemodels.com
eccles@ballsy.net
suck_my_prick@ijustgotfired.com
suck_my_prick4@ukr.net
thisisno_fucking_good@usa.com
S_Mentis@mail-x-change.com
YJPFJTGZ@excite.com
JGQZCD@excite.com
XHZJ3@excite.com
OZUNYLRL@excite.com
tsnlqd@excite.com
cxkawog@krovatka.net
ssdn@myrealbox.com

After 20 seconds, the worm will shut down if the appropriate control bit
is set.

If RAS support is present on the computer, then the worm will wait for an
active RAS connection. When one is made, with a 33% chance, the worm will
search for email addresses in *.ht* and *.asp in %Personal% and Internet
Explorer %Cache%. If it finds addresses in these files, then it will send
mail to those addresses. The attachment name will be one of the following:

Pics
images
README
New_Napster_Site
news_doc
HAMSTER
YOU_are_FAT!
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
info
docs
Humor
fun

In all cases, MAPI will also be used to find unread mail to which the worm
will reply. The subject will be "Re:". In that case, the attachment name
will be one of the following:

PICS
IMAGES
README
New_Napster_Site
NEWS_DOC
HAMSTER
YOU_ARE_FAT!
SEARCHURL
SETUP
CARD
ME_NUDE
Sorry_about_yesterday
S3MSONG
DOCS
HUMOR
FUN

In all cases, the worm will append two extensions. The first will be one
of the following:

.doc
.mp3
.zip

The second extension that is appended to the file name is one of the
following:

.pif
.scr

The resulting file name would look similar to CARD.Doc.pif or
NEWS_DOC.mp3.scr.

If SMTP information can be found on the computer, then it will be used for
the From: field. Otherwise, the From: field will be one of these:

"Mary L. Adams" <mary@c-com.net>
"Monika Prado" <monika@telia.com>
"Support" <support@cyberramp.net>
" Admin" <admin@gte.net>
" Administrator" <administrator@border.net>
"JESSICA BENAVIDES" <jessica@aol.com>
"Joanna" <joanna@mail.utexas.edu>
"Mon S" <spiderroll@hotmail.com>
"Linda" <lgonzal@hotmail.com>
" Andy" <andy@hweb-media.com>
"Kelly Andersen" <Gravity49@aol.com>
"Tina" <tina0828@yahoo.com>
"Rita Tulliani" <powerpuff@videotron.ca>
"JUDY" <JUJUB271@AOL.COM>
" Anna" <aizzo@home.com>

Email messages use the malformed MIME exploit to allow the attachment to
execute in Microsoft Outlook without prompting. For information on this,
go to:

https://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm writes email addresses to the %System%\Protocol.dll file to
prevent multiple emails to the same person.

After sending mail, the worm adds the value

Kernel32 kernel32.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

This will run the worm the next time that you start Windows.


Removal instructions:

To remove this worm, follow the instructions for your operating system.

Basic instructions

Windows 95/98/Me

1. Restart Windows in Safe Mode
2. Run Norton AntiVirus and delete all files that are detected as
W32.Badtrans.B@mm.
3. Remove the value that it added to the registry.

For detailed instructions, see the sections that follow.


Windows NT/2000
1. Rename the file Kernel32.exe.
2. Remove the value added to the registry.
3. Restart the computer.
4. Run Norton AntiVirus and delete all files that are detected as
W32.Badtrans.B@mm.

For detailed instructions, see the sections that follow.


Detailed instructions

To restart 95/98/Me in Safe mode:
For instructions, read the document How to restart Windows 9x or Windows
Me in Safe Mode.


To Rename the file Kernel32.exe under Windows NT/2000
1. Click Start, point to Find or Search, and click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders is
checked.
3. In the "Named" or "Search for..." box, type the following:

Kernel32.exe

CAUTION: Make sure that you type the full name as shown. You must rename
the Kernel32.exe file, not the legitimate Windows file Kernel32.dll

4. Click Find Now or Search Now.
5. Right-click the file that is displayed and then click Rename.
6. Rename the file to Kernel32.old and press Enter.
7. Close the Find or Search window.
8. Restart the computer.


To run Norton AntiVirus and delete detected files:

CAUTION: Make sure that you are in Safe mode (Windows 95/98/Me) or have
already renamed the Kernel32.exe file (Windows NT/2000).

1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How
to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Badtrans.B@mm.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before
you make any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys that are specified. Please see the document How to back up
the Windows registry before you proceed. This document is available from
the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541)
984-2490, select option 2, and then request document 927002.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

4. In the right pane, delete the following value:

Kernel32 kernel32.exe

5. Click Registry, and then click Exit.



Additional information:

Prevention

Corporate email filtering systems should block all email that have
attachments with the extensions .scr and .pif.
Home users should not open any email that has an attachment in which the
second extension is .pif or .scr. Any email that has such an attachment
should be deleted.





Write-up by: Peter Ferrie

Date: Mon, 3 Dec 2001 03:00:00 +0000
From: Chris John Jordan <chrisjj@EMAIL.COM>
Subject: Re: Warning - virus from Stellamilano@earthlink.net

> Members of this list are likely to have received or to receive an email
> containing a virus

Correction (FWIW): Past /posters/ to the list are likely...

- Chris