Antivirus software vendors warn of new mass-mailer worm
- — 27 November, 2001 09:45
Antivirus software vendors are issuing warnings about a new variant of a Windows-based mass-mailer worm first seen almost eight months ago, that can install a backdoor Trojan on the victim's computer to enable an attacker to take control of it.
W32/BadTrans.B, or BadTrans.B, was first detected in the U.K. during the last few days, but seems to be spreading rapidly to the U.S. as workers return from the Thanksgiving holiday. In Australia, Symantec has received 27 reports, mainly from corporates since Nov. 24. It has also scaled its virus 'threat assessment' from a Level 3 (medium) to Level 4 (severe). The W32/BadTrans.B mass-mailer worm is sufficiently different enough from the original BadTrans.A that most antivirus software vendors, including Symantec, F-Secure Corp. and Sophos PLC, are asking their customers to install new virus-signature updates for their products in order to recognize and eradicate it.
Network Associates Inc., though, says its McAfee antivirus product doesn't need a virus-signature update to detect BadTrans.B if the software has been updated to detect BadTrans.A.
However, according to Vincent Gallato, senior director at Avert Labs, the research division of Network Associates, a feature called "compressed file scanning" has to be activated in the McAfee AntiVirus desktop software to detect BadTrans.B. For customers who use McAfee's logon script virus detection, this compressed file scanning isn't required, he added.
Once it has infected a Windows-based computer, BadTrans.B spreads by mailing itself to names and addresses stored in the user's Outlook address book. The dangerous bogus e-mail arrives in the victim's e-mail box with any of 15 different attachments. The attachments might be named "Sorryaboutyesterday.doc," "humor.doc", "me_nude.doc," "fun/doc" or "hamster.doc."
Opening the attached file can infect the victim's computer with the worm. But it's not necessary to even open the file to become infected. That's because the worm exploits a MIME-based vulnerability discovered nine months ago in the Internet Explorer-based e-mail client (Microsoft Outlook or Microsoft Outlook Express) that enables the worm to activate without the user opening the attachment.
If the victim receives the e-mail with the BadTrans.B attachment and clicks to open it, the worm does several things to compromise security. First it copies itself to a KERNAL32.exe file in the Windows System directory. Then, after registering itself as a system service, the worm retrieves the user's account information, including password, and installs a keylogger on the local machine as KDLL.DLL, according to Activis, a managed security service with office in the U.K. and the U.S.
The worm records the victim's keystrokes, IP address, date, time, and the application name, to an encrypted file. It uses the victim's default e-mail settings to connect the user's SMTP server to send the information via e-mail to a specific e-mail address.
The e-mail address used by the BadTrans.B worm appears to be the same one used with BadTrans.A, said Network Associates' Gallato.
"So far as we know, it's going to an e-mail address that's been shut down," he said. But the ongoing danger associated with the BadTrans.B worm is that once it has installed its backdoor Trojan, hackers can use a variety of scanning tools to recognize a machine compromised by BadTrans.B and take advantage of it.
"If they don't clean up their machine from this, the machine is vulnerable," Gallato advised.
BadTrans.B is spreading far faster than the original BadTrans.A, according to Activis. "We're seeing a significant volume through the U.K," said John Cheney, CEO and director of operations at Activis, whose gateway service scans customer e-mail for viruses using third-party anti-virus product, plus its own scanning engine.