Re: W32.Badtrans.B@mm

From: Brett Glass (brettat_private)
Date: Mon Nov 26 2001 - 14:13:15 PST


    Trend Micro's description is sufficiently different from Symantec's
    that there is good reason to believe that there is more than one
    variant of the worm and/or that it mutates as it spreads. (In
    particular, the lists of attachment file names posted by these
    two antivirus companies are very different -- perhaps indicating
    that the worm picks up new file names from machines through
    which it propagates.)
    
    --Brett Glass
    
    At 02:46 PM 11/26/2001, Marc Fossi wrote:
      
    >"It drops a keyboard hooker with the KDLL.DLL name, and sends stolen info
    >to the "uckyjwat_private" e-mail address. The log info is stored in the
    >Windows system directory with the CP_25389.NLS name."
    >
    >http://www.viruslist.com/eng/default.asp?tnews=12&nview=1&id=1255&page=0
    >(url may be wrapped)
    >
    >"The worm uses the default account and the default SMTP server of the
    >local
    >machine. This information can be found in the following registry entries:"
    >
    >http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B&VSect=T
    >(url may be wrapped)
    >
    >Marc Fossi, MCSE
    >SecurityFocus
    >www.securityfocus.com
    >
    >On Mon, 26 Nov 2001, Liudvikas Bukys wrote:
    >
    >> I am dismayed to find that ALL of the anti-virus vendors have decided to
    >> limit their "tech details" so much that I can't find a published account
    >> of how the keyboard-logging trojan contacts the outside world.  It would
    >> be helpful to know what hosts or names it connects out to, without having to
    >> wait for a "live one" to appear before I find out.
    >>
    >> Does anybody here know?
    >>
    >> Liudvikas Bukys
    >> bukysat_private
    >>
    >> ----------------------------------------------------------------------------
    >> This list is provided by the SecurityFocus ARIS analyzer service.
    >> For more information on this free incident handling, management
    >> and tracking system please see: http://aris.securityfocus.com
    >>
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
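    The thread above names two host artifacts for Badtrans.B, quoted from the viruslist.com description in Marc Fossi's post: a keyboard-hook DLL called KDLL.DLL and a keystroke log called CP_25389.NLS in the Windows system directory. The following is an added example, not code from any post in this thread or from any antivirus vendor: a small Python triage check that looks for those two file names in a directory, case-insensitively, and returns a report. Only the two file names come from the thread; the helper that locates the system directory via the SystemRoot environment variable, the sample directory contents, and the report layout are assumptions made for the demonstration. Note that two file names are a weak signature on their own (the posts themselves suggest the worm varies), so a hit warrants further inspection rather than being treated as a definitive verdict, and a miss does not clear the host.

```python
"""Host-side indicator check for the Badtrans.B artifacts named in this thread.

Added example, not code from the list posts or from any AV vendor. The only
indicators used are the two file names quoted in the thread (KDLL.DLL and the
CP_25389.NLS log in the Windows system directory). Everything else, including
the sample directory contents, is constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path

# File names quoted in the thread. Comparison is case-insensitive because
# Windows file systems are case-insensitive.
BADTRANS_B_FILE_INDICATORS = {
    "kdll.dll": "keyboard hook DLL dropped by the worm",
    "cp_25389.nls": "keystroke log written to the Windows system directory",
}


def windows_system_dir() -> Path:
    """Locate the Windows system directory.

    Assumption: the SystemRoot environment variable is set on Windows hosts;
    C:\\Windows is used as a conventional fallback.
    """
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return Path(root) / "system32"


def scan_directory(directory) -> list:
    """Return (path, description) for every indicator file found directly in
    `directory`. Only the top level is checked, which is where the thread says
    the artifacts are written. A missing directory yields no findings."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    findings = []
    for entry in sorted(directory.iterdir()):
        if not entry.is_file():
            continue
        desc = BADTRANS_B_FILE_INDICATORS.get(entry.name.lower())
        if desc is not None:
            findings.append((str(entry), desc))
    return findings


def triage(directory) -> dict:
    """Summarise a scan as a small report dict suitable for an incident ticket."""
    findings = scan_directory(directory)
    return {
        "directory": str(directory),
        "indicator_count": len(findings),
        "suspected_badtrans_b": len(findings) > 0,
        "findings": findings,
    }


def build_sample_dir(infected: bool) -> str:
    """Create a constructed stand-in for the system directory: a few benign
    placeholder files and, if `infected`, the two indicator names in mixed case
    to exercise the case-insensitive match. Constructed test data only."""
    d = tempfile.mkdtemp(prefix="badtrans_demo_")
    for name in ("kernel32.dll", "c_1252.nls", "notepad.exe"):
        (Path(d) / name).write_bytes(b"constructed placeholder")
    if infected:
        (Path(d) / "KDLL.DLL").write_bytes(b"constructed placeholder")
        (Path(d) / "Cp_25389.Nls").write_bytes(b"constructed placeholder")
    return d


if __name__ == "__main__":
    # Demonstrate on constructed directories; on a real Windows host you would
    # call triage(windows_system_dir()) instead.
    for label, infected in (("clean", False), ("infected", True)):
        report = triage(build_sample_dir(infected))
        print(label, report["suspected_badtrans_b"], report["findings"])
```

    Running the block scans two constructed directories and prints one clean and one suspected result; on a real host, point `triage` at the actual system directory and attach the returned dict to the incident record.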
    



    This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 14:36:30 PST