joachim.richter joachim.richter@usvideocenter.de
Fri, 20 Apr 2001 17:38:25 +0200

Hi List,

I have just received two emails from the following person, answering a question I put on the list this morning

Return-Path: <3dranger@mpinet.net>
Received: from localhost (root@localhost [])	by brainstorm1.usvid (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP id SAA31473	for <joachim.richter@localhost>; Fri, 20 Apr 2001 18:29:56 +0200
Received: from	by localhost with POP3 (fetchmail-5.3.0)	for joachim.richter@localhost (single-drop); Fri, 20 Apr 2001 18:29:56 +0200 (MEST)
Received: from fl-mta02.durocom.com (fl-mta02.durocom.com [])	by thundertaste.bpaserver.net (8.9.3/8.9.3) with ESMTP id RAA40208	for <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 17:13:47 +0200 (CEST)
Received: from computer ([]) by fl-mta02.durocom.com with SMTP id <20010420144137.PERJ1198.fl-mta02@computer> for <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 10:41:37 -0400
Message-ID: <00c801c0c9a9$0ffa6ce0$6bda35d8@computer>

From: "Suzanne Thompson" <3dranger@mpinet.net>

To: <joachim.richter@usvideocenter.de>
Subject: Re: Fwd: Re: [ic] URL DISPLAY  
MIME-Version: 1.0
Content-Type: multipart/mixed;	boundary="----=_NextPart_000_00C5_01C0C987.85818600"
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Date: Fri, 20 Apr 2001 10:41:44 -0400
X-UIDL: 2cd42d92cc596ff6a9524ff64bccf340

The attachment was the new Virus I-Worm.Badtrans

This worm can be detected using AVX Professional ftp://ftp.avx.com/avxdesktop/setupavxpro.exe 

Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection or repair any damage causes by an infection.


Name: I-Worm.Badtrans
Alias: W32.Badtrans.13312@mm
Detection added : April 12, 2001
Spread Method : Via E-Mail (A copy of the worm will be sent as a reply message to all unread emails in the users Inbox folder)


Worm part:

When the attachment is executed the worm drops the trojan "hkk32.exe" into the Windows folder and executes itself. A copy of worm is created under the file name inetd.exe in Windows folder. The following line is added to "win.ini" in [windows] section: run=c:\windows\inetd.exe.

Trojan part:

The hkk32.exe is a trojan called: Trojan.PSW.Hooker. This trojan drops a file called hksdll.dll used later as hook component to intercept pressed keys. A copy of the worm called kern32.exe is created in Windows folder and the original file hkk32.exe is deleted.

It also add the following key to registry in order to be executed every time windows loads:

kernel32 = c:\windows\system\kern32.exe

It sends information from infected computers to the email address: ld8dl1@mailandnews.com

regards Joe

US Video Center Medien GmbH
Heimsheimer Str 22
70499 Stuttgart

Tel 0711 880252 0
Fax 0711 880252 22
Email joachim.richter@usvideocenter.de