W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed.
The format of the MIME headers in an email containing W32/BadTrans attempts to exploit a vulnerability in Internet Explorer where certain MIME types can cause arbitrary code to be executed. For more information, including patch information, see
On systems that are patched for this vulnerability, the user may receive a confirmation message asking whether or not to execute the attachment. Running the attachment on these systems will
The filename in the email attachment of a W32/BadTrans infected email varies from message to message but always has two file extensions. By default, Windows may hide the true file extension from the user, as discussed in
When the malicious program is executed, a copy is written as "Kernel32.exe" in the Windows directory.
C:\WINDOWS\Kernel32.exe
    MD5 checksum = 0bf5eaeed25da53f85086767bcd86e5e
    Filesize = 29020 bytes
Kernel32.exe is executed and the originally executed file attachment is deleted from the system. On some versions of Windows, Kernel32.exe may run as a system service, so it does not appear in the default task list provided by Microsoft.
Kernel32.exe writes two additional files to disk in the Windows system directory.
C:\WINDOWS\SYSTEM\kdll.dll
    MD5 checksum = c7ceb9fb63edc7fb7c7767f899ff5491
    Filesize = 5632 bytes

C:\WINDOWS\SYSTEM\cp_25389.nls
    MD5 checksum = varies
    Filesize = varies
Reports indicate the "kdll.dll" file contains routines to record a user's keystrokes on the infected computer. The "cp_25389.nls" file contains logged keystrokes in encrypted form. Some reports indicate the contents of the log file are sent via email to a particular destination, potentially causing sensitive information to be exposed.
Kernel32.exe sets a registry value to ensure it is restarted when the computer restarts.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32 = "kernel32.exe"
While running, Kernel32.exe checks this registry value approximately every 10 seconds to ensure that it is still set.
Reports indicate that W32/BadTrans sends copies of itself via email to addresses found in unanswered email or in files found on the computer system. Email messages generated and sent by W32/BadTrans have some identifiable characteristics.
Mime-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="filename.ext.ext"
Content-Transfer-Encoding: base64
Content-ID:
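As an added example (not part of the CERT/CC advisory), the following Python script applies the message characteristics above, together with the double-extension attachment naming noted earlier, to an email: it parses the MIME structure with the standard library, looks for a zero-sized <iframe> whose src is a cid: reference, and reports whether an attachment declared as audio/x-wav carries a filename with two extensions and whether the iframe's cid: points at that attachment. Both sample messages are constructed for this example: the attachment name "docs.TXT.pif", the Content-ID value <EA4DMGBP9p> and the base64 bodies are stand-ins, not data from a captured BadTrans message.

```python
import email
import re
from email import policy

# Constructed sample modelled on the advisory's header excerpt above.  The
# attachment name, the Content-ID value and the base64 payload are made-up
# stand-ins, not data captured from a real BadTrans message.
SAMPLE_BADTRANS = """\
Mime-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="docs.TXT.pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--====_ABC1234567890DEF_====--
"""

# Constructed benign control: an ordinary HTML mail with a single-extension PDF.
SAMPLE_BENIGN = """\
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><p>Quarterly report attached.</p></body></html>
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
TAG_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
DOUBLE_EXT = re.compile(r"^[^.]+(?:\.[^.]+){2,}$")  # name.ext1.ext2


def hidden_cid_iframes(html):
    """Return the cid: targets of every zero-sized <iframe> in an HTML body."""
    cids = set()
    for tag in IFRAME_TAG.finditer(html):
        attrs = {}
        for m in TAG_ATTR.finditer(tag.group(1)):
            attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
        src = attrs.get("src", "")
        if src.lower().startswith("cid:") and attrs.get("height") == "0" and attrs.get("width") == "0":
            cids.add(src[4:])
    return cids


def badtrans_indicators(raw):
    """Check one RFC 822 message for the characteristics listed in the advisory."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {
        # outer multipart/related carrying a multipart/alternative, as in the excerpt
        "related_wrapping_alternative": (
            msg.get_content_type() == "multipart/related"
            and msg.get_param("type") == "multipart/alternative"),
        "hidden_cid_iframe": False,
        "wav_double_ext_attachment": None,
        "iframe_targets_attachment": False,
    }
    referenced = set()
    attachments = []  # (filename, content type, Content-ID without <>)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable encoding first
            referenced |= hidden_cid_iframes(part.get_content())
        name = part.get_filename()
        if name:
            cid = (part.get("Content-ID") or "").strip("<>")
            attachments.append((name, part.get_content_type(), cid))
    hits["hidden_cid_iframe"] = bool(referenced)
    for name, ctype, cid in attachments:
        # executable smuggled as audio/x-wav under a double extension
        if ctype == "audio/x-wav" and DOUBLE_EXT.match(name):
            hits["wav_double_ext_attachment"] = name
        if cid and cid in referenced:
            hits["iframe_targets_attachment"] = True
    hits["suspicious"] = hits["hidden_cid_iframe"] and hits["wav_double_ext_attachment"] is not None
    return hits
```

Calling badtrans_indicators(SAMPLE_BADTRANS) reports every indicator set and suspicious as True; the benign control reports none. The MIME layout alone is weak evidence, since multipart/related with a cid: image is common in legitimate HTML mail, so the script only calls a message suspicious when the hidden iframe and the mis-declared double-extension attachment occur together. A mail gateway would in addition want to quarantine any audio/x-wav part whose filename ends in an executable extension, whatever the rest of the message looks like.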
Some reports in public forums indicate that a backdoor is installed by W32/BadTrans; however, the CERT/CC has been unable to confirm these reports in our own analysis.
During propagation, sites may experience residual denial-of-service conditions on hosts or email systems through which the worm is sent.
If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends upgrading to at least version 5.0, since older versions are no longer officially maintained by Microsoft. Users of IE 5.0 and above are encouraged to apply the patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from Microsoft at
Note: IE 5.5 SP1 users should apply the patches discussed in MS01-027.
It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
The W32/BadTrans worm may arrive as an email attachment with a filename such as "file.ext1.ext2". Users should not open attachments of this nature. If an attachment of this type absolutely needs to be opened, the CERT/CC recommends exercising care to handle it in a way that allows it to be scanned for malicious code prior to execution.
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#26210]".
In addition to these specific vendors, you may wish to visit the CERT/CC's computer virus resources page located at
Copyright 2001 Carnegie Mellon University.
Revision History
November 27, 2001: Initial Release
November 28, 2001: Corrected incident number in reporting section
February 28, 2002: Removed extraneous text from F-Secure vendor link