BadTrans is a worm that spreads in e-mail messages from Win32 systems. The worm sends e-mail messages with infected attached files, as well as installs
The worm itself is a Win32 executable (PE EXE) file. It was found in the wild in compressed form, about 13Kb long; decompressed, the worm's file grows to about 40Kb. The worm has a multi-component structure: it consists of two different components that are dropped on the hard disk as three different files and run as stand-alone programs (an e-mail worm and a trojan). The worm routine is the main component; it carries the trojan program body in its code and installs it into the system while infecting a new machine. The worm component operates similarly to the I-Worm.ZippedFiles (aka ExploreZip) worm: using Windows MAPI functions it gets access to the Inbox and answers all unread messages. This routine has a bug and may cause transport overload (see below). The trojan component is a variant of an already known password-stealing trojan (see Trojan.PSW.Hooker). It sends information from infected computers to the e-mail address:
ld8dl1@mailandnews.com
When an infected file is run (when a user clicks on the attached file and activates it), the worm code gets control. First of all it drops (installs) its components to the system. The worm copies itself to the Windows directory under the name INETD.EXE and drops the trojan component to the Windows directory under the name HKK32.EXE. The trojan component is then executed; it moves itself to the Windows system directory under the name KERN32.EXE and drops an additional library (a key logger) under the name HKSDLL.DLL.
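As an added example (not part of the original description), the following Python code turns the dropped-file names and collection address listed above into two defender-side checks: a host sweep over the Windows and System directories for the worm and trojan stages, and a filter over outbound mail-log lines addressed to the collection mailbox. The directory layout and the mail-log format are constructed assumptions, not something the description specifies.

```python
import os
import tempfile

# File names come from the description above; the directory layout is an
# assumption modelled on a Windows install (%WINDIR% and %WINDIR%\SYSTEM).
WORM_FILES = {"inetd.exe"}                       # worm copy, Windows directory
TROJAN_DROPPED = {"hkk32.exe"}                   # trojan as first dropped, Windows directory
TROJAN_INSTALLED = {"kern32.exe", "hksdll.dll"}  # relocated trojan + key logger, System directory
EXFIL_ADDRESS = "ld8dl1@mailandnews.com"         # collection address named above


def scan_host(windows_dir, system_dir):
    """Return the set of BadTrans component stages whose files are present."""
    win = {n.lower() for n in os.listdir(windows_dir)}
    sys_ = {n.lower() for n in os.listdir(system_dir)}
    found = set()
    if win & WORM_FILES:
        found.add("worm")
    if win & TROJAN_DROPPED:
        found.add("trojan-dropped")    # written by the worm, not yet relocated
    if sys_ & TROJAN_INSTALLED:
        found.add("trojan-installed")  # trojan moved itself / key logger DLL dropped
    return found


def flag_exfil_mail(log_lines):
    """Return constructed mail-log lines whose recipient is the collection address."""
    hits = []
    for line in log_lines:
        # constructed format: "<timestamp> from=<addr> to=<addr> subject=<text>"
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        if fields.get("to", "").lower() == EXFIL_ADDRESS:
            hits.append(line)
    return hits


def demo():
    """Build a constructed directory layout and mail log, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        windows_dir = os.path.join(root, "WINDOWS")
        system_dir = os.path.join(windows_dir, "SYSTEM")
        os.makedirs(system_dir)
        for name in ("INETD.EXE", "NOTEPAD.EXE"):      # one worm file, one benign file
            open(os.path.join(windows_dir, name), "wb").close()
        for name in ("KERN32.EXE", "HKSDLL.DLL"):      # trojan already relocated
            open(os.path.join(system_dir, name), "wb").close()
        host_hits = scan_host(windows_dir, system_dir)
    log = [  # constructed log lines: one benign, one to the collection address
        "2001-04-12T10:00:01 from=alice@example.test to=bob@example.test subject=Re:",
        "2001-04-12T10:00:07 from=alice@example.test to=ld8dl1@mailandnews.com subject=info",
    ]
    return host_hits, flag_exfil_mail(log)
```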