Antivirus software vendors warn of new mass-mailer worm

Antivirus software vendors are issuing warnings about a new variant of a Windows-based mass-mailer worm first seen almost eight months ago. The variant can install a backdoor Trojan on the victim's computer, enabling an attacker to take control of it.

W32/BadTrans.B, or BadTrans.B, was first detected in the U.K. in the last few days but appears to be spreading rapidly to the U.S. as workers return from the Thanksgiving holiday. In Australia, Symantec has received 27 reports since Nov. 24, mainly from corporate customers, and has raised its virus 'threat assessment' from Level 3 (medium) to Level 4 (severe). The W32/BadTrans.B mass-mailer worm is sufficiently different from the original BadTrans.A that most antivirus software vendors, including Symantec, F-Secure Corp. and Sophos PLC, are asking their customers to install new virus-signature updates so that their products recognize and eradicate it.

Network Associates Inc., though, says its McAfee antivirus product doesn't need a virus-signature update to detect BadTrans.B if the software has been updated to detect BadTrans.A.

However, according to Vincent Gallato, senior director at Avert Labs, the research division of Network Associates, a feature called "compressed file scanning" has to be activated in the McAfee AntiVirus desktop software for it to detect BadTrans.B. Customers who use McAfee's logon-script virus detection don't need compressed file scanning, he added.

Once it has infected a Windows-based computer, BadTrans.B spreads by mailing itself to the names and addresses stored in the user's Outlook address book. The malicious e-mail arrives in the victim's inbox with any of 15 different attachments, named, for example, "Sorryaboutyesterday.doc," "humor.doc," "me_nude.doc," "fun.doc" or "hamster.doc."

Opening the attached file infects the victim's computer with the worm, but opening it isn't even necessary. The worm exploits a MIME-based vulnerability, discovered nine months ago in the Internet Explorer-based e-mail clients (Microsoft Outlook and Microsoft Outlook Express), that lets the worm activate without the user opening the attachment.
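The two preceding paragraphs describe what a mail gateway can act on before the message ever reaches a vulnerable client: the attachment name and the MIME headers that wrap it. The following Python is an added example for this article, not code from any vendor it names. It parses a message with the standard `email` library, flags attachments whose names match the five the article lists, and, as a general hardening check of my own rather than something the article describes, flags any part whose declared Content-Type disagrees with its filename extension. The two sample messages, the extension-to-type table and the mismatch heuristic are constructed here.

```python
"""Mail-gateway attachment check for the BadTrans.B pattern described above.

Added example for this article; it is not code from any vendor named in it.
Constructed here: the sample messages, the MIME type/extension table and
the mismatch heuristic. Only the attachment names come from the article.
"""
from email import message_from_string, policy

# Attachment names the article quotes for BadTrans.B (lower-cased for matching).
KNOWN_BAD_NAMES = {
    "sorryaboutyesterday.doc",
    "humor.doc",
    "me_nude.doc",
    "fun.doc",
    "hamster.doc",
}

# Assumption: the Content-Type a gateway should expect for a given extension.
# A part that claims an audio type while carrying a ".doc" name is the sort of
# header/filename disagreement worth quarantining whether or not the name is
# on a block list.
EXPECTED_TYPES = {
    ".doc": {"application/msword", "application/octet-stream"},
    ".txt": {"text/plain"},
    ".wav": {"audio/x-wav", "audio/wav"},
}


def inspect_message(raw: str) -> list[dict]:
    """Return one finding per attachment: filename, declared type, reasons."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.lower()
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        ctype = part.get_content_type()
        reasons = []
        if lowered in KNOWN_BAD_NAMES:
            reasons.append("attachment name matches a known BadTrans.B name")
        expected = EXPECTED_TYPES.get(ext)
        if expected is not None and ctype not in expected:
            reasons.append(f"declared {ctype} does not match extension {ext}")
        findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


def should_quarantine(raw: str) -> bool:
    """True if any attachment produced at least one reason."""
    return any(f["reasons"] for f in inspect_message(raw))


# Constructed sample: a known name declared as audio, so both checks fire.
SAMPLE_SUSPECT = """\
From: colleague@example.com
To: victim@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: audio/x-wav; name="me_nude.doc"
Content-Disposition: attachment; filename="me_nude.doc"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample: an ordinary document attachment that should pass.
SAMPLE_CLEAN = """\
From: hr@example.com
To: staff@example.com
Subject: Leave policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/msword; name="leave_policy.doc"
Content-Disposition: attachment; filename="leave_policy.doc"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        verdict = "quarantine" if should_quarantine(raw) else "deliver"
        print(label, verdict, inspect_message(raw))
```

The name list is the weaker of the two checks, since the article says there are 15 attachment names and a new variant can change them overnight; the type/extension consistency check keeps working when the names do not, which is why a gateway should run both.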

If the victim receives the e-mail with the BadTrans.B attachment and clicks to open it, the worm does several things to compromise security. First it copies itself to a KERNAL32.exe file in the Windows System directory. Then, after registering itself as a system service, it retrieves the user's account information, including the password, and installs a keylogger on the local machine as KDLL.DLL, according to Activis, a managed security service with offices in the U.K. and the U.S.

The worm records the victim's keystrokes, IP address, date, time and the application name to an encrypted file. It then uses the victim's default e-mail settings to connect to the user's SMTP server and send the information by e-mail to a specific e-mail address.
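The on-disk names in the two preceding paragraphs are what an administrator can look for on a machine suspected of infection. The Python below is an added triage example for this article, not a vendor removal tool: it walks a directory tree and reports any file whose name matches, case-insensitively, the two dropped-file names the article gives, while deliberately not matching the legitimate KERNEL32.DLL that sits beside them. The demo directory, its decoy files and the report format are constructed here; a name match is a cue to pull the file for analysis, not proof of infection, and the names should be confirmed against the vendor write-up you rely on.

```python
"""Host triage for the on-disk artifacts the article attributes to BadTrans.B.

Added example for this article, not a vendor removal tool. The file names
come from the article as printed; the demo directory tree, its decoy files
and the report format are constructed here.
"""
import os
import tempfile

# File names the article says the worm drops (matched case-insensitively,
# since Windows file systems are case-insensitive). Note the article's
# spelling "KERNAL32.exe", which must not be confused with the legitimate
# KERNEL32.DLL present on every Windows system.
DROPPED_FILE_NAMES = {"kernal32.exe", "kdll.dll"}


def scan_for_dropped_files(root: str) -> list[tuple[str, int]]:
    """Walk `root` and return (path, size) for every file whose name matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in DROPPED_FILE_NAMES:
                full = os.path.join(dirpath, fname)
                hits.append((full, os.path.getsize(full)))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed stand-in for a Windows System directory.

    It holds two decoys that must NOT match (the legitimate KERNEL32.DLL and
    an unrelated DLL) and two files that must match, one in a subfolder to
    show that the walk descends.
    """
    root = tempfile.mkdtemp(prefix="badtrans_demo_")
    layout = {
        "KERNEL32.DLL": b"legitimate system library stand-in",
        "msvcrt.dll": b"unrelated library stand-in",
        "KERNAL32.exe": b"constructed placeholder, not malware",
        os.path.join("sub", "kdll.dll"): b"constructed placeholder, not malware",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def triage_report(root: str) -> list[str]:
    """Human-readable lines for an analyst, one per hit."""
    hits = scan_for_dropped_files(root)
    if not hits:
        return [f"{root}: no BadTrans.B file names found"]
    return [f"{path} ({size} bytes): matches a BadTrans.B dropped-file name"
            for path, size in hits]


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("\n".join(triage_report(demo_root)))
```

Point `scan_for_dropped_files` at the real System directory (or at a copy taken from a suspect disk) to use it for triage; the demo tree exists only so the example runs offline. Because the article says the worm also registers itself as a system service and mails its log out through the user's SMTP server, a file hit should be followed by a look at autostart entries and at outbound SMTP connections from that workstation, neither of which this script covers.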

The e-mail address used by the BadTrans.B worm appears to be the same one used with BadTrans.A, said Network Associates' Gallato.

"So far as we know, it's going to an e-mail address that's been shut down," he said. But the ongoing danger of BadTrans.B is that once it has installed its backdoor Trojan, hackers can use a variety of scanning tools to recognize a machine compromised by BadTrans.B and take advantage of it.

"If they don't clean up their machine from this, the machine is vulnerable," Gallato advised.

BadTrans.B is spreading far faster than the original BadTrans.A, according to Activis. "We're seeing a significant volume through the U.K.," said John Cheney, CEO and director of operations at Activis, whose gateway service scans customer e-mail for viruses using third-party anti-virus products plus its own scanning engine.


Ellen Messmer

Computerworld
