Viruses don’t get eradicated — usually they spawn variants, imitators, and occasional re-introductions. The latter appears to be the case with BadTrans, a mass-mailing worm that first reared its ugly head last April. Many end-users in enterprises, along with home and small-business users, returned from the four-day holiday to find one or more copies of the virus in their Inboxes. Anti-virus vendors have dubbed this variant BadTrans.B.
The payload spreads as an e-mail attachment. The subject line, recipient, and sender can vary in any number of ways, but the message, as always, invites the reader to launch the attachment. Once that is done, the attachment mails itself to addresses in the victim’s address book, attempting to spawn again.
What It Does
The payload is not destructive in and of itself, but, as with all mass-mailing viruses, the volume of outgoing mail it generates can amount to a Denial of Service attack on e-mail gateways. More importantly, BadTrans.B poses a security threat: it places files in the Windows\System directory as KERNEL32.EXE and/or INETD.EXE and modifies the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the Trojan is executed the next time Windows starts. If INETD.EXE was also created, the registry entry HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows RUN = C:\WINDOWS\INETD.EXE is created as well.
Once the malicious program runs, it attempts to send the infected machine’s IP address to the attacker, provides back-door access to the machine, and runs another program to log the user’s keystrokes.
The good news is that most anti-virus software, such as Norton or McAfee Anti-Virus, already has the capability to catch the Trojan before it is launched, even in its new variant. The bad news is that there are still a great many systems whose virus signatures are woefully out of date, and whose end-users have not been properly educated about the danger of launching attachments from unverified sources. In the case of BadTrans.B, as with Nimda, the payload can be launched automatically from Outlook Express’ preview pane unless measures have been taken to change this default behavior. (See below for specific instructions.)
User Education
End-users need to be made aware that the attachment can look like a mundane file. Given the default settings of Windows, most users will not see the true extension of the filename, but rather a fake extension presented by the virus. Usually the attachment appears to be a Word document, Zip archive, or music file. Some of the true filenames BadTrans.B uses include:
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
Note that several of these names have double extensions, which is how the attachment can masquerade as a different type of file.
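As an added example (not part of the article), here is a small Python filter of the kind a mail gateway or help desk could run over attachment names: it flags the executable extensions BadTrans.B uses and detects the double-extension disguise described above. The extension sets are my own choice, and the sample input is constructed from the list above plus two benign names.

```python
import os
from typing import List, NamedTuple

# Extensions Windows runs as programs or shortcuts; every BadTrans.B
# attachment named above ends in .pif or .scr (set is my own, not the article's).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}
# Decoy extensions the worm places in front of the real one to disguise the file.
DECOY_EXTS = {".doc", ".txt", ".zip", ".mp3", ".avi", ".jpg"}


class Verdict(NamedTuple):
    name: str
    real_ext: str    # the extension Windows actually acts on
    shown_ext: str   # what the user sees with "Hide file extensions" enabled
    disguised: bool  # decoy extension in front of an executable one
    block: bool      # executable attachment: reject or quarantine


def classify_attachment(name: str) -> Verdict:
    """Decide from the filename alone whether an attachment should be blocked.
    Comparisons are case-insensitive because Windows extensions are."""
    base, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    # With "Hide file extensions for known file types" on, Explorer drops the
    # last extension, so "Humor.TXT.pif" is displayed as "Humor.TXT".
    _, shown_ext = os.path.splitext(base)
    shown_ext = shown_ext.lower()
    executable = real_ext in EXECUTABLE_EXTS
    disguised = executable and shown_ext in DECOY_EXTS
    return Verdict(name, real_ext, shown_ext, disguised, executable)


# Constructed sample: names from the article's list plus two benign files.
SAMPLE_NAMES = [
    "Card.pif", "hamster.ZIP.scr", "Humor.TXT.pif", "Me_nude.AVI.pif",
    "README.TXT.pif", "searchURL.scr", "report.doc", "photo.jpg",
]


def scan(names: List[str]) -> List[Verdict]:
    return [classify_attachment(n) for n in names]


if __name__ == "__main__":
    for v in scan(SAMPLE_NAMES):
        flag = "BLOCK" if v.block else "ok   "
        shown = v.name[: -len(v.real_ext)] if v.real_ext else v.name
        note = f" (double extension, displayed as {shown})" if v.disguised else ""
        print(f"{flag} {v.name}{note}")
```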
Prevention and Removal
To alter the dangerous default behavior in Windows 9x or NT, users can open Windows Explorer, click View | Option | View, and uncheck the box with the label “Hide file extensions for known file types”. In Windows 2000, the same thing can be done under Tools | Folder Options | View.
To remove the virus from a system manually, open the Registry using RegEdit or a preferred tool, find the keys listed above, and remove any suspicious entries. Then reboot the machine into Command Line mode or from a clean DOS floppy. Go to c:\Windows\System and delete KDLL.DLL and KERNEL32.EXE. You may also want to check whether this variant created INETD.EXE as well.
As always, the bottom line is to make sure you have the latest anti-virus signatures and security patches, to alter the default behavior of Windows, Outlook, and Outlook Express so that files are not launched automatically, and to educate your users about attachments.
For more information on handling viruses, read Don’t Let Viruses Knock You Out.
—
Jim Freund is the Managing Editor of CrossNodes.