[ic] VIRUS WARNING !!!!
Fri, 20 Apr 2001 17:38:25 +0200
I have just received two emails from the following person, answering a question I put on the list this morning.
Received: from localhost (root@localhost [127.0.0.1]) by brainstorm1.usvid (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP id SAA31473 for <joachim.richter@localhost>; Fri, 20 Apr 2001 18:29:56 +0200
Received: from 18.104.22.168 by localhost with POP3 (fetchmail-5.3.0) for joachim.richter@localhost (single-drop); Fri, 20 Apr 2001 18:29:56 +0200 (MEST)
Received: from fl-mta02.durocom.com (fl-mta02.durocom.com [22.214.171.124]) by thundertaste.bpaserver.net (8.9.3/8.9.3) with ESMTP id RAA40208 for <email@example.com>; Fri, 20 Apr 2001 17:13:47 +0200 (CEST)
Received: from computer ([126.96.36.199]) by fl-mta02.durocom.com with SMTP id <20010420144137.PERJ1198.fl-mta02@computer> for <firstname.lastname@example.org>; Fri, 20 Apr 2001 10:41:37 -0400
From: "Suzanne Thompson" <email@example.com>
Subject: Re: Fwd: Re: [ic] URL DISPLAY
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00C5_01C0C987.85818600"
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Date: Fri, 20 Apr 2001 10:41:44 -0400
The attachment was the new Virus I-Worm.Badtrans
This worm can be detected using AVX Professional ftp://ftp.avx.com/avxdesktop/setupavxpro.exe
Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data prior to attempting to remove an infection or repair any damage caused by an infection.
Detection added : April 12, 2001
Spread Method : Via E-Mail (A copy of the worm will be sent as a reply message to all unread emails in the user's Inbox folder)
When the attachment is executed the worm drops the trojan "hkk32.exe" into the Windows folder and executes it. A copy of the worm is created under the file name inetd.exe in the Windows folder. The following line is added to "win.ini" in the [windows] section: run=c:\windows\inetd.exe.
The hkk32.exe is a trojan called Trojan.PSW.Hooker. This trojan drops a file called hksdll.dll, used later as a hook component to intercept pressed keys. A copy of the worm called kern32.exe is created in the Windows folder and the original file hkk32.exe is deleted.
It also adds the following key to the registry in order to be executed every time Windows loads:
kernel32 = c:\windows\system\kern32.exe
It sends information from infected computers to the email address: firstname.lastname@example.org
US Video Center Medien GmbH
Heimsheimer Str 22
Tel 0711 880252 0
Fax 0711 880252 22
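As an added example (not part of the post above or of Central Command's description), the following script checks the two persistence artifacts the description names: the run= line in the [windows] section of win.ini and the kernel32 value under a Run key. The post does not name the registry hive, so the script takes the Run-key values as an already-exported dictionary; the win.ini text and Run values below are constructed samples, not data from a real host.

```python
import ntpath
import re

# Indicators quoted in the post (not a complete indicator set for the worm).
WININI_RUN_ENTRY = r"c:\windows\inetd.exe"
REG_RUN_NAME = "kernel32"
REG_RUN_DATA = r"c:\windows\system\kern32.exe"

# Constructed sample inputs, not taken from an infected machine.
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\inetd.exe
NullPort=None

[fonts]
"""
SAMPLE_RUN_VALUES = {
    "SystemTray": r"SysTray.Exe",
    "kernel32": r"c:\windows\system\kern32.exe",
}

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with lowercased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_win_ini(ini_text):
    """Return findings for the [windows] run= line; run= may list several programs."""
    findings = []
    run_value = parse_ini(ini_text).get("windows", {}).get("run", "")
    for entry in filter(None, re.split(r"[,\s]+", run_value)):
        if entry.lower() == WININI_RUN_ENTRY:
            findings.append(f"win.ini run= launches {entry} (Badtrans indicator)")
        elif ntpath.basename(entry).lower() == "inetd.exe":
            findings.append(f"win.ini run= launches {entry} (inetd.exe at another path)")
    return findings

def check_run_key(values):
    """values: {value_name: data} exported from a Run key (hive not named in the post)."""
    findings = []
    for name, data in values.items():
        if name.lower() == REG_RUN_NAME and data.lower() == REG_RUN_DATA:
            findings.append(f"Run value {name} = {data} (Trojan.PSW.Hooker indicator)")
        elif ntpath.basename(data).lower() == "kern32.exe":
            findings.append(f"Run value {name} = {data} (kern32.exe at another path)")
    return findings

def scan(ini_text, run_values):
    """Combine both checks; an empty list means neither artifact was found."""
    return check_win_ini(ini_text) + check_run_key(run_values)
```

Running scan(SAMPLE_WIN_INI, SAMPLE_RUN_VALUES) reports both artifacts; the basename branches also catch the same file names placed elsewhere.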