BadTrans Redux

By Jim Freund | Nov 28, 2001
http://www.enterprisenetworkingplanet.com/netsecur/article.php/929741/BadTrans-Redux.htm

Viruses don't get eradicated -- usually they spawn variants, imitators, and the occasional re-introduction. The latter appears to be the case with BadTrans, a mass-mailing virus that first reared its ugly head last April. Many end-users in enterprises, along with home and small-business users, returned from the four-day holiday to find one or more copies of the virus in their Inboxes. Anti-virus vendors have dubbed this variant BadTrans.B.

The virus spreads as an e-mail attachment. The subject line, recipient, and sender can vary in any number of ways, but the message, as always, invites the reader to launch the attachment. Once that is done, the attachment mails copies of itself to the people in the victim's address book, attempting to spread again.

What It Does
The payload is not destructive in and of itself, but, as with all mass-mailing viruses, the volume of outgoing mail it generates can amount to a Denial of Service attack on e-mail gateways. More importantly, BadTrans.B poses a security threat: it places files in the Windows\System directory as KERNEL32.EXE and/or INETD.EXE and changes the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the Trojan is executed the next time Windows starts. If INETD.EXE was also created, the registry entry HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows RUN = C:\WINDOWS\INETD.EXE is created as well.

Once the malicious program runs, it attempts to send the IP address of the infected machine to the attacker, provides back-door access to the machine, and runs another program that logs the user's keystrokes.

The good news is that most anti-virus software, such as Norton or McAfee Anti-Virus, can already catch the Trojan before it is launched, even in its new variant. The bad news is that there are still a great many systems whose virus signatures are woefully out of date, and whose end-users have not been properly educated about the danger of launching attachments from unverified sources. In the case of BadTrans.B, as with Nimda, the payload can be launched automatically from the Outlook Express preview pane unless measures have been taken to change this default behavior. (See below for specific instructions.)

User Education
End-users need to be made aware that the attachment can look like a mundane file. With the default settings of Windows, most users will not see the true extension of the filename, but rather the fake extension presented by the virus. Usually the attachment appears to be a Word document, Zip archive, or music file. Some of the true filenames BadTrans.B uses include:

  Card.pif
  docs.scr
  fun.pif
  hamster.ZIP.scr
  Humor.TXT.pif
  images.pif
  New_Napster_Site.DOC.scr
  news_doc.scr
  Me_nude.AVI.pif
  Pics.ZIP.scr
  README.TXT.pif
  s3msong.MP3.pif
  searchURL.scr
  SETUP.pif
  Sorry_about_yesterday.DOC.pif
  YOU_are_FAT!.TXT.pif
Note that several of these names have double extensions, which is how the attachment can masquerade as a different type of file.
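The following is an added example, not code from the article. It takes the filenames listed above and, for each one, works out what a user would see with "Hide file extensions for known file types" switched on, what extension Windows actually acts on, and whether the name carries a decoy extension in front of an executable one. The sets of executable, decoy, and hidden-by-default extensions are constructed for the example; the real hidden set depends on the file types registered on the machine.

```python
"""Screen attachment filenames for the double-extension trick (added example)."""
from dataclasses import dataclass

# File types Windows runs as programs when opened. Constructed subset for the example.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}

# Decoy types the virus imitates: documents, archives and media.
DECOY_EXTS = {".doc", ".txt", ".zip", ".mp3", ".avi"}

# Extensions Explorer hides by default as "known file types".
# Constructed for the example; the real set is whatever is registered on the machine.
HIDDEN_BY_DEFAULT = EXECUTABLE_EXTS | DECOY_EXTS


@dataclass
class Verdict:
    name: str
    shown_as: str           # what the user sees with extensions hidden
    true_ext: str           # the extension Windows actually acts on
    executable: bool        # opening it would launch a program
    double_extension: bool  # decoy extension followed by an executable one


def extensions(name: str) -> list[str]:
    """Return every dotted suffix of the name, lower-cased: 'a.DOC.pif' -> ['.doc', '.pif']."""
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:]]


def screen(name: str) -> Verdict:
    """Classify one attachment filename."""
    exts = extensions(name)
    true_ext = exts[-1] if exts else ""
    # Explorer strips only the final extension, so 'Humor.TXT.pif' is displayed as 'Humor.TXT'.
    shown_as = name[: -len(true_ext)] if true_ext in HIDDEN_BY_DEFAULT else name
    executable = true_ext in EXECUTABLE_EXTS
    double = executable and len(exts) >= 2 and exts[-2] in DECOY_EXTS
    return Verdict(name, shown_as, true_ext, executable, double)


def blocked(names: list[str]) -> list[str]:
    """Names a mail gateway should refuse: anything whose true type is executable."""
    return [n for n in names if screen(n).executable]


# Filenames quoted in the article, used here as sample input.
BADTRANS_NAMES = [
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr", "Me_nude.AVI.pif",
    "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif", "searchURL.scr",
    "SETUP.pif", "Sorry_about_yesterday.DOC.pif", "YOU_are_FAT!.TXT.pif",
]

if __name__ == "__main__":
    for n in BADTRANS_NAMES:
        v = screen(n)
        flag = "  DOUBLE EXTENSION" if v.double_extension else ""
        print(f"{v.name:32} shown as {v.shown_as:28} true type {v.true_ext}{flag}")
```

Every one of the sixteen names ends in .pif or .scr, so a gateway rule that keys on the final extension rather than on the part of the name the user sees would have stopped all of them; nine of them also carry a decoy extension.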

Prevention and Removal
To change this dangerous default behavior in Windows 9x or NT, open Windows Explorer, click View | Options | View, and uncheck the box labeled "Hide file extensions for known file types". In Windows 2000, the same setting is found under Tools | Folder Options | View.

To remove the virus from a system manually, open the Registry using RegEdit or a preferred tool, find the keys listed above, and remove any suspicious entries. Then reboot the machine into command-line mode or from a clean DOS floppy. Go to C:\Windows\System and delete KDLL.DLL and KERNEL32.EXE. You may also want to check whether this variant created INETD.EXE as well.
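The registry changes described under "What It Does" and the manual check above can be done without clicking through RegEdit by hand: export the keys with Registry | Export and scan the text. The following is an added example, not code from the article or from any vendor tool. It parses the REGEDIT4-style export format and reports string values under the two autostart keys the article names that point at KERNEL32.EXE or INETD.EXE (a clean Windows install has KERNEL32.DLL in the System directory, never KERNEL32.EXE). The sample export, including the value name "kernel32" and the SysTray entry, is constructed for the example.

```python
"""Flag BadTrans.B-style autostart entries in a registry export (added example)."""
import re

# Autostart locations named in the article, lower-cased for comparison.
# Value: set of value names to inspect, or None to inspect every value under the key.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce": None,
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": {"run"},
}

# Filenames the article says the Trojan installs in the System directory.
SUSPECT_FILES = {"kernel32.exe", "inetd.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"$')


def parse_reg(text: str):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            # .reg files escape backslashes and quotes inside string data.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, data


def suspicious_entries(text: str) -> list[tuple[str, str, str]]:
    """Return [(key, value_name, data)] matching the article's indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        names = AUTOSTART_KEYS.get(key.lower(), "skip")
        if names == "skip":
            continue                      # not one of the keys we care about
        if names is not None and name.lower() not in names:
            continue                      # wrong value name under that key
        # A command line may carry arguments; compare only the program's basename.
        words = data.split()
        program = words[0] if words else ""
        basename = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in SUSPECT_FILES:
            hits.append((key, name, data))
    return hits


# Constructed sample export: one RunOnce entry and one Windows NT "RUN" entry
# of the kind the article describes, plus an unrelated legitimate Run entry.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32"="kernel32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"RUN"="C:\\WINDOWS\\INETD.EXE"
'''

if __name__ == "__main__":
    for key, name, data in suspicious_entries(SAMPLE_EXPORT):
        print(f"[{key}]  {name} = {data}")
```

Run it against an export of the two keys taken from the suspect machine before rebooting; an empty result for both keys, together with the absence of KERNEL32.EXE and INETD.EXE in the System directory, is the evidence the removal instructions above are asking you to gather.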

As always, the bottom line is to make sure you have the latest anti-virus signatures and security patches, have changed the default behavior of Windows, Outlook, and Outlook Express so that they do not launch files automatically, and have educated your users about attachments.

For more information on handling viruses, read Don't Let Viruses Knock You Out.

--
Jim Freund is the Managing Editor of CrossNodes.