This came to one of our lists this morning, hit by a similar attack. The filenames change, and the text seems to be taken from the computer of the person sending the e-mail.

Symantec has raised the alert level for a new computer virus called W32.badtrans.b to a 3 out of 4. This virus impacts Windows type computers. W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes. Virus definitions dated November 24, 2001 or later will protect against this virus.

On Sun, 25 Nov 2001, Jay D. Dyson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hi folks,
>
>     I received an unusual spam complaint from one of my users here.
> What's unusual is that I'd not heard about this payload before. While I
> haven't had time yet to give the payload more than a cursory look, my gut
> tells me the following is a trojan or worm either deliberately or
> unintentionally disseminated by an AOL user (using a forged bellsouth.net
> address). Also of import is that the user who sent this beastie was using
> Microsoft Outlook (as if that isn't a big enough warning sign).
>
>     The text accompanying this apparently malicious payload is thus:
>
> - -----BEGIN EXCERPT-----
>
> It can be disabled at your discretion, although the default
> configuration is to allow updates. If you want to disable this feature,
> follow the instructions in the online help documentation under the topic
> "Turning Attune off and on".\f0\par
>
> \par
>
> You may not modify, reverse-engineer, decompile, create other works
> from, or disassemble the software. Similarly, you may not copy, modify,
> adapt or create other works based upon the Documentation.
>
> - ----- END EXCERPT -----
>
>     The payload is named "while.com" (did some searching on this term
> and came up with goose-eggs). Vital statistics on the file are:
>
>     Filesize : 73,728 bytes
>     MD5 sum  : 0cd0a719f9f91630de366c54c427a834
>     Interesting bits: mshtml.dll (previously ID'd as security risk)
>                       TLOSS error
>                       SING error
>                       DOMAIN error
>
>     (The above three items strike me as math-intensive, possibly
>     indicating a cracking functionality of some type...or maybe I'm
>     whistling in the dark. Like I said, this is a suspected trojan,
>     not confirmed.)
>
>     Anyway, with the creepy-crawlies typically associated with
> Microsoft-sired worms (use of MS Outlook, generic text, unsolicited
> payload, et cetera), I'm regarding this as a high-probability trojan/worm.
>
>     Anyone interested in vivisecting this beastie can find a copy of
> it here:
>
>     The file: http://www.treachery.net/~jdyson/trojans/while.com
>     MD5 sum : http://www.treachery.net/~jdyson/trojans/while.com.md5
>
>     Oh...and in case anyone's wondering, I've already sent off a
> letter to AOL to let them know about this.
>
> - -Jay
>
>   (  (                                                        _______
>   ))  ))   .-"There's always time for a good cup of coffee"-.  >====<--.
> C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<)  |    = |-'
>  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iQCVAwUBPAHReblDRyqRQ2a9AQHg9QP+P1/9NN3JKyToZdn+ACWQE1IRGkWHwHiu
> JkMBR0xQcmB93EbBP0f1yui9g/Tl+E8ZAGvkQQd3LW665J3fnMMxoeqOnAZsjy3W
> /owQ1aUJuc6Ki7AU99KQ1gdwV0SO7zFvbNpjSwhpXwhEuj51bwkms3tfw96zRuHi
> Yj+1XeDe910=
> =MnN0
> -----END PGP SIGNATURE-----
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> ----------------------------------------------------------------------------
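As an added example (my own code, not part of the thread and not anything either poster wrote): a small Python script that does the two checks a list member or mail-gateway operator would want after reading the report above. It verifies a downloaded sample against an `md5sum`-style listing such as the published `while.com.md5`, and it classifies an attachment by published hash indicator and by executable file type, since the worm is reported to mail itself under changing names. The file name, size and MD5 digest in the indicator table come from Jay's message; the executable-extension list is my assumption, and the sample bytes and file names in the `__main__` block are constructed, not the real payload.

```python
import hashlib
import os
from typing import Dict, List, NamedTuple

# Indicators taken from the report in the thread above: the name, size and
# MD5 published for the suspected payload. Nothing else about the sample is
# assumed here. MD5 is what the list post published; modern indicator sharing
# would carry SHA-256 alongside it.
KNOWN_BAD_MD5: Dict[str, dict] = {
    "0cd0a719f9f91630de366c54c427a834": {
        "name": "while.com",
        "size": 73728,
        "note": "suspected W32.Badtrans.B payload reported to the list, Nov 2001",
    },
}

# Assumed list of common Windows executable attachment extensions. The worm is
# reported to mail itself under changing file names, so the extension is a more
# stable signal than the name itself.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".pif", ".scr", ".bat"}


class Verdict(NamedTuple):
    filename: str
    size: int
    md5: str
    known_bad: bool
    suspicious_type: bool
    reasons: List[str]


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the same value `md5sum` prints for the file."""
    return hashlib.md5(data).hexdigest()


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Classify one attachment by hash indicator match and by executable type."""
    digest = md5_hex(data)
    reasons: List[str] = []
    known_bad = digest in KNOWN_BAD_MD5
    if known_bad:
        ind = KNOWN_BAD_MD5[digest]
        reasons.append(f"MD5 matches published indicator for {ind['name']}")
        if len(data) != ind["size"]:
            # Same digest but a different length is odd enough to call out.
            reasons.append(f"size {len(data)} differs from published {ind['size']}")
    ext = os.path.splitext(filename)[1].lower()
    suspicious_type = ext in EXECUTABLE_EXTENSIONS
    if suspicious_type:
        reasons.append(f"executable attachment type {ext}")
    return Verdict(filename, len(data), digest, known_bad, suspicious_type, reasons)


def parse_md5sum_listing(text: str) -> Dict[str, str]:
    """Parse `md5sum` output ("<hex>  <name>" per line) into {name: hex}."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum marks binary mode with a leading '*'
        if len(digest) == 32 and name:
            expected[name] = digest.lower()
    return expected


def verify_against_listing(listing_text: str, files: Dict[str, bytes]) -> Dict[str, bool]:
    """Return {name: matched} for every file named in the listing."""
    expected = parse_md5sum_listing(listing_text)
    return {name: (name in files and md5_hex(files[name]) == digest)
            for name, digest in expected.items()}


if __name__ == "__main__":
    # Constructed sample data; these are not the real while.com bytes.
    sample = {"readme.txt": b"hello world\n", "setup.com": b"MZ" + b"\x00" * 14}
    listing = "6f5902ac237024bdd0c176cb93063dc4  readme.txt\n"
    print(verify_against_listing(listing, sample))
    for name, data in sample.items():
        print(check_attachment(name, data))
```

Feed `verify_against_listing` the text of the published `.md5` file and the bytes you downloaded; a `False` means the copy you have is not the one the poster hashed and should not be trusted as the same sample. `check_attachment` is the gateway-side view: a hash hit is a hard match, an executable extension is only a reason to quarantine and look closer.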
This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 08:33:05 PST