RE: Possible Trojan/Virus: while.com.

From: Fernando Cardoso (fernando.cardosoat_private)
Date: Mon Nov 26 2001 - 08:45:51 PST

    Yes, I'm starting to see lots of Badtrans.B being caught by my AV gateway.
    Nevertheless, the while.com thing seems to be Magistr.B instead of Badtrans.
    
    Unlike Magistr, Badtrans.B seems to have a fixed pool of random recipients,
    subjects and attachment names. You can check
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B&VSect=T
    for further details.
    
    Cheers
    
    Fernando
    
    
    --
    Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
    Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
    Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
    email : fernando.cardosoat_private     http://www.whatevernet.com/
    
    >
    > This came to one of our lists this morning hit by a similar attack. The
    > filenames change and the text seems to be taken from the person's computer
    > sending the e-mail.
    >
    > Symantec has raised the alert level for a new computer virus called
    > W32.badtrans.b to a 3 out of 4.  This virus impacts Windows type
    > computers.
    >
    > W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several
    > different file names. This worm also drops a backdoor trojan that logs
    > keystrokes.
    >
    > Virus definitions dated November 24, 2001 or later will protect against
    > this virus.
    >
    > On Sun, 25 Nov 2001, Jay D. Dyson wrote:
    >
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > >
    > > Hi folks,
    > >
    > > 	I received an unusual spam complaint from one of my users here.
    > > What's unusual is that I'd not heard about this payload before.  While I
    > > haven't had time yet to give the payload more than a cursory look, my gut
    > > tells me the following is a trojan or worm either deliberately or
    > > unintentionally disseminated by an AOL user (using a forged bellsouth.net
    > > address).  Also of import is that the user who sent this beastie was using
    > > Microsoft Outlook (as if that isn't a big enough warning sign).
    > >
    > > 	The text accompanying this apparently malicious payload is thus:
    > >
    > > - -----BEGIN EXCERPT-----
    > >
    > > It can be disabled at your discretion, although the default
    > > configuration is to allow updates. If you want to disable this feature,
    > > follow the instructions in the online help documentation under the topic
    > > "Turning Attune off and on".\f0\par
    > >
    > > \par
    > >
    > > You may not modify, reverse-engineer, decompile, create other works
    > > from, or disassemble the software. Similarly, you may not copy, modify,
    > > adapt or create other works based upon the Documentation.
    > >
    > > - ----- END EXCERPT -----
    > >
    > > 	The payload is named "while.com" (did some searching on this term
    > > and came up with goose-eggs).  Vital statistics on the file are:
    > >
    > > 	Filesize	: 73,728 bytes
    > > 	MD5 sum		: 0cd0a719f9f91630de366c54c427a834
    > > 	Interesting bits: mshtml.dll (previously ID'd as security risk)
    > > 			  TLOSS error
    > > 			  SING error
    > > 			  DOMAIN error
    > >
    > > 	(The above three items strike me as math-intensive, possibly
    > > 	indicating a cracking functionality of some type...or maybe I'm
    > > 	whistling in the dark.  Like I said, this is a suspected trojan,
    > > 	not confirmed.)
    > >
    > > 	Anyway, with the creepy-crawlies typically associated with
    > > Microsoft-sired worms (use of MS Outlook, generic text, unsolicited
    > > payload, et cetera), I'm regarding this as a high-probability trojan/worm.
    > >
    > > 	Anyone interested in vivisecting this beastie can find a copy of
    > > it here:
    > >
    > > 	The file: http://www.treachery.net/~jdyson/trojans/while.com
    > > 	MD5 sum : http://www.treachery.net/~jdyson/trojans/while.com.md5
    > >
    > > 	Oh...and in case anyone's wondering, I've already sent off a
    > > letter to AOL to let them know about this.
    > >
    > > - -Jay
    > >
    > >    (    (                                                        _______
    > >    ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
    > >  C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    = |-'
    > >   `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
    > >
    > > -----BEGIN PGP SIGNATURE-----
    > > Version: 2.6.2
    > > Comment: See http://www.treachery.net/~jdyson/ for current keys.
    > >
    > > iQCVAwUBPAHReblDRyqRQ2a9AQHg9QP+P1/9NN3JKyToZdn+ACWQE1IRGkWHwHiu
    > > JkMBR0xQcmB93EbBP0f1yui9g/Tl+E8ZAGvkQQd3LW665J3fnMMxoeqOnAZsjy3W
    > > /owQ1aUJuc6Ki7AU99KQ1gdwV0SO7zFvbNpjSwhpXwhEuj51bwkms3tfw96zRuHi
    > > Yj+1XeDe910=
    > > =MnN0
    > > -----END PGP SIGNATURE-----
    > >
    
    
    _____________________________________________________________________
                          INTERNET MAIL FOOTER 
    Privileged or confidential information may be contained in this
    message. If you are not the addressee indicated in this message, you
    may not copy or deliver this message to anyone. In such case, you
    should destroy this message and kindly notify the sender by reply
    email.
    ---------------------------------------------------------------------
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
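The first pass Jay describes on the attachment (file size, MD5 sum, a look at the embedded strings) is the usual static triage of a suspicious sample. The script below is an added example and is not code from this thread or from any of its posters. It runs the same three steps over a constructed byte string that stands in for the attachment (the real while.com is not embedded, and the sample's hash is not the one posted). The table of C runtime strings and the list of "interesting" library names are assumptions of the example; the three error strings quoted in the thread are Microsoft C runtime messages found in most statically linked MSVC binaries, so the script files them under crt_runtime rather than counting them as a signal on their own, and it checks the computed MD5 against a posted digest the way the thread's .md5 file invites.

```python
import hashlib
import re
import string

# Constructed stand-in for a suspicious attachment; NOT the real while.com.
# It carries a DOS stub, two DLL references and the three runtime strings
# mentioned in the thread so that the triage functions have something to find.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 16
    + b"mshtml.dll\x00"
    + b"\x01\x02\x03"
    + b"TLOSS error\r\n\x00SING error\r\n\x00DOMAIN error\r\n\x00"
    + b"WSOCK32.dll\x00"
    + b"ab\x00"            # too short to be reported as a string
)

# Strings the Microsoft C runtime embeds in most statically linked builds.
# Seeing them says "built with MSVC", not "math-intensive" (assumed list).
KNOWN_CRT_STRINGS = {
    "TLOSS error", "SING error", "DOMAIN error",
    "This program cannot be run in DOS mode.",
}

# Library names worth a second look in an e-mail attachment. mshtml.dll is
# the one named in the thread; the others are assumptions of this example.
INTERESTING_LIBS = {"mshtml.dll", "wsock32.dll", "ws2_32.dll", "mapi32.dll"}

# Printable ASCII minus the control whitespace, as byte values.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def vital_statistics(data: bytes) -> dict:
    """Size and digests: the 'vital statistics' recorded before anything else."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def md5_matches(data: bytes, posted_hex: str) -> bool:
    """Compare the sample's MD5 with a digest published beside it (e.g. a .md5 file)."""
    return hashlib.md5(data).hexdigest() == posted_hex.strip().lower()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def triage(data: bytes, min_len: int = 4) -> dict:
    """Bucket the strings so runtime boilerplate does not masquerade as a finding."""
    report = {"stats": vital_statistics(data),
              "crt_runtime": [], "libraries": [], "other": []}
    for s in extract_strings(data, min_len):
        if s in KNOWN_CRT_STRINGS:
            report["crt_runtime"].append(s)
        elif re.fullmatch(r"[A-Za-z0-9_]+\.dll", s, re.IGNORECASE):
            report["libraries"].append(s.lower())
        else:
            report["other"].append(s)
    report["flagged_libraries"] = sorted(set(report["libraries"]) & INTERESTING_LIBS)
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_BYTES)
    print("Filesize :", rep["stats"]["size"])
    print("MD5 sum  :", rep["stats"]["md5"])
    print("SHA-256  :", rep["stats"]["sha256"])
    print("CRT boilerplate :", rep["crt_runtime"])
    print("Imports of note :", rep["flagged_libraries"])
    print("Other strings   :", rep["other"])
```

To use it on a real attachment, read the file in binary mode and pass the bytes to triage(); compare the MD5 line with the digest published alongside the sample using md5_matches() before spending time on the contents.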
    


