Web Hosting Talk

New virus is out


WildWayz
11-26-2001, 10:50 AM
Hi ya,

Just got this from Star Internet's Message Labs...


From: "Customer Services" <custmail@star.net.uk>
To: "James Kapherr" <james.kapherr@hlhltd.co.uk>
Sent: Monday, November 26, 2001 1:08 PM
Subject: Star Internet - IMPORTANT, New Virus Outbreak


Dear Customer
We write to advise you that there is a new and dangerous virus in circulation with the key details as follows:
- Virus name: BadTrans
- Official name: W32/BadTrans.B-mm
- Number of copies seen so far: 12,280
- Time & Date first Captured: 23 Nov 2001 18:40:36 GMT from UK
- Origin of first intercepted copy: UK
- Number of countries seen active: 37
- Top three most active countries: UK, US, Germany
As a Star customer you are automatically protected from this virus.
Distribution Potential
MessageLabs are intercepting the BadTrans.B virus at a rate of over 100 per minute and it is one of the fastest spreading viruses we have ever seen. The virus is now widespread - we have stopped copies coming from over 30 countries and it has replaced SirCam at No. 1 in MessageLabs' daily top 10 which had occupied the No. 1 spot for over 4 months.
Technical Information
Propagation:
This is a mass mailing virus which uses an unusual and potentially devastating way of spreading by replying to unread messages in the recipient's in-box. Then, the next time Windows is loaded the virus will further spread by replying to unread messages across additional Outlook folders. The virus makes use of the MS01-020 exploit, which means that it can execute on reading or previewing the email from within Microsoft Outlook - it is not necessary to double click on any attachment. A patch to fix this exploit is available from Microsoft.
Subject:
Subject line is selected from an email in the infected user's PC and prefixed with 'Re: '.
Attachment:
Variable - built up from several elements. Examples include:
S3MSONG.DOC.scr
Pics.DOC.scr
HUMOR.MP3.scr
Sorry_about_yesterday.MP3.pif
README.MP3.scr
ME_NUDE.MP3.scr
fun.MP3.pif
NEWS_DOC.DOC.scr
docs.DOC.pif
images.DOC.pif
HAMSTER.DOC.pif
SEARCHURL.MP3.pif

Payload:
The virus also drops a password stealing Trojan, KDLL.DLL, previously identified as Trojan.PSW.Hooker. The trojan component uses key logging to send confidential information (passwords, credit card details etc.) from infected computers to an email address of the virus writer.
The trojan component moves itself to the Windows system directory with the filename KERN32.EXE and drops an additional library (key logger) with the filename HKSDLL.DLL.
The trojan registers itself in the Registry in RunOnce key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
kernel32 = kern32.exe
Windows loads the trojan file on each restart.
Detection:
The BadTrans virus was intercepted heuristically using Skeptic, MessageLabs' patented and revolutionary scanner which uses real time heuristics to detect new viruses. No MessageLabs customer has been infected by this virus.
MessageLabs Comment - This virus once again demonstrates that the only way to provide comprehensive protection against the growing virus threat is through a managed service supported around the clock and by deploying advanced heuristics to identify new viruses pro-actively and without the need for signatures.
For further information and up-to-date statistics please visit http://www.messagelabs.com/
Regards
Star Customer Services


So get patching!

James
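The alert above gives two concrete, checkable indicators: the double-extension attachment names (a DOC or MP3 decoy followed by .scr or .pif) and the RunOnce persistence value `kernel32 = kern32.exe`. The Python triage helper below is an added example, not code from the original post or from MessageLabs; the messages and registry value map it works on are constructed, and reading the key live with `winreg` on a Windows host is assumed rather than shown.

```python
"""Triage helpers for the BadTrans.B indicators listed in the alert.

Added example, not from the original post. Inputs are constructed;
a live registry read (winreg) on a Windows host is assumed, not shown.
"""
import re

# Attachment pattern from the alert: a decoy document/media extension
# followed by a Windows executable extension, e.g. Pics.DOC.scr.
DECOY_EXT = {"doc", "mp3"}
EXEC_EXT = {"scr", "pif"}

# Persistence indicator from the alert (value name and data).
RUNONCE_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE_NAME = "kernel32"
RUNONCE_VALUE_DATA = "kern32.exe"


def is_double_extension_executable(filename):
    """True for names like HUMOR.MP3.scr: decoy ext, then executable ext."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, final = parts
    return decoy in DECOY_EXT and final in EXEC_EXT


def triage_message(subject, attachments):
    """Return the reasons a message matches the BadTrans.B description."""
    reasons = []
    bad = [a for a in attachments if is_double_extension_executable(a)]
    if bad:
        reasons.append("executable attachment(s) with decoy extension: %s" % bad)
    # The worm replies to existing mail, so subjects start with 'Re: '.
    # Alone that is weak evidence; report it only alongside an attachment hit.
    if bad and re.match(r"^re:\s", subject, re.IGNORECASE):
        reasons.append("'Re: ' subject on a message carrying the suspect attachment")
    return reasons


def runonce_has_badtrans(values):
    """Check a RunOnce value map (name -> data) for the kern32.exe entry.

    `values` is what a script would read from RUNONCE_KEY with winreg;
    here it is supplied as a constructed dict so the check runs offline.
    """
    data = values.get(RUNONCE_VALUE_NAME, "")
    return data.lower().split("\\")[-1] == RUNONCE_VALUE_DATA
```

Running `triage_message` over the attachment names quoted in the alert flags every one of them, while ordinary `.doc` or `.pdf` attachments and plain "Re:" replies without such an attachment pass clean.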

ffeingol
11-26-2001, 11:36 AM
I think the same conversation is going on over here (http://www.webhostingtalk.com/showthread.php?threadid=27177).

Frank

netsolutions
11-26-2001, 02:49 PM
Ya, this is the same virus we were talking about last night. A bunch of us got it last night.

WildWayz
11-26-2001, 03:00 PM
damn... mesa late :D

--James