W32.Badtrans.B@mm (Symantec)
Overview
Name: W32.Badtrans.B@mm
Discovered on: November 24, 2001
Last Updated on: November 27, 2001 at 07:01:20 AM PST
Due to the increased rate of submissions, Symantec Security Response has upgraded the threat level of this worm from level 3 to level 4 as of 11/26/01.
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.
Type: Worm
Threat Assessment: Low
Threat containment: Easy
Removal: Easy
Payload: Large scale e-mailing: Sends email from addresses found in the default MAPI program.
Compromises security settings: Installs keystroke logging Trojan.
Technical description: This worm arrives as an email with one of several attachment names and a combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe
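The attachment naming scheme and the RunOnce value described above give a mail gateway or host triage script two concrete things to match on. The following is an added example, not part of the Symantec writeup: it builds the exact name pattern from the three lists, adds a broader double-extension heuristic for names outside those lists, and checks a registry value against the persistence entry. The sample attachment names are constructed for illustration.

```python
import re

# Naming scheme reproduced from the description above: BASE + first ext + second ext.
BASE_NAMES = {
    "HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD",
    "SEARCHURL", "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS",
}
FIRST_EXTS = {"DOC", "MP3", "ZIP"}
SECOND_EXTS = {"PIF", "SCR"}

# Persistence entry the worm writes (key path and value as given in the description).
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = ("Kernel32", "kernel32.exe")


def is_badtrans_b_attachment(filename: str) -> bool:
    """True only for names built exactly from the three lists (case-insensitive)."""
    parts = filename.strip().upper().rsplit(".", 2)
    if len(parts) != 3:
        return False
    base, ext1, ext2 = parts
    return base in BASE_NAMES and ext1 in FIRST_EXTS and ext2 in SECOND_EXTS


def is_double_extension_executable(filename: str) -> bool:
    """Broader heuristic: any 'name.<something>.<pif|scr>' disguise, not just this worm's names."""
    return re.fullmatch(r".+\.[^.]+\.(pif|scr)", filename.strip(), re.IGNORECASE) is not None


def is_badtrans_runonce_entry(key: str, value_name: str, value_data: str) -> bool:
    """Match the RunOnce value the worm adds; the registry compares names case-insensitively."""
    expected = tuple(s.upper() for s in RUNONCE_VALUE)
    return (key.upper() == RUNONCE_KEY.upper()
            and (value_name.upper(), value_data.strip().upper()) == expected)


def triage_attachments(filenames):
    """Split attachment names into exact worm matches and merely suspicious double extensions."""
    exact, suspicious = [], []
    for name in filenames:
        if is_badtrans_b_attachment(name):
            exact.append(name)
        elif is_double_extension_executable(name):
            suspicious.append(name)
    return exact, suspicious


# Constructed sample input (not from the page): attachment names from a hypothetical mail log.
SAMPLE = ["CARD.DOC.PIF", "news_doc.mp3.scr", "report.doc", "invoice.pdf.scr", "PICS.ZIP"]

if __name__ == "__main__":
    print(triage_attachments(SAMPLE))  # (['CARD.DOC.PIF', 'news_doc.mp3.scr'], ['invoice.pdf.scr'])
```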
| Publisher | Symantec | File Format | HTML |
|---|---|---|---|
| Date Published | November 2001 | Downloads | 2 |
| Format | White Papers | Topics | |