Security Incidents mailing list archives
RE: Possible Trojan/Virus: while.com.
From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Mon, 26 Nov 2001 16:45:51 -0000
Yes, I'm starting to see lots of Badtrans.B being caught by my AV gateway. Nevertheless, the while.com thing seems to be Magistr.B instead of Badtrans. Unlike Magistr, Badtrans.B seems to have a fixed pool of random recipients, subjects and attachment names. You can check http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS .B&VSect=T for further details. Cheers Fernando -- Fernando Cardoso - Security Consultant WhatEverNet Computing, S.A. Phone : +351 21 7994200 Praca de Alvalade, 6 - Piso 6 Fax : +351 21 7994242 1700-036 Lisboa - Portugal email : fernando.cardoso () whatevernet com http://www.whatevernet.com/
This came to one of our lists this morning hit by a similar attack. The filenames change and the text seems to be taken from the person's computer sending the e-mail. Symantec has raised the alert level for a new computer virus called W32.badtrans.b to a 3 out of 4. This virus impacts Windows type computers. W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes. Virus definitions dated November 24, 2001 or later will protect against this virus. On Sun, 25 Nov 2001, Jay D. Dyson wrote:-----BEGIN PGP SIGNED MESSAGE----- Hi folks, I received an unusual spam complaint from one of my users here. What's unusual is that I'd not heard about this payload before. While I haven't had time yet to give the payload more than a cursorylook, my guttells me the following is a trojan or worm either deliberately or unintentionally disseminated by an AOL user (using a forgedbellsouth.netaddress). Also of import is that the user who sent thisbeastie was usingMicrosoft Outlook (as if that isn't a big enough warning sign). The text accompanying this apparently malicious payload is thus: - -----BEGIN EXCERPT----- It can be disabled at your discretion, although the default configuration is to allow updates. If you want to disable this feature, follow the instructions in the online help documentation underthe topic"Turning Attune off and on".\f0\par \par You may not modify, reverse-engineer, decompile, create other works from, or disassemble the software. Similarly, you may not copy, modify, adapt or create other works based upon the Documentation. - ----- END EXCERPT ----- The payload is named "while.com" (did some searching on this term and came up with goose-eggs). Vital statistics on the file are: Filesize : 73,728 bytes MD5 sum : 0cd0a719f9f91630de366c54c427a834 Interesting bits: mshtml.dll (previously ID'd as security risk) TLOSS error SING error DOMAIN error (The above three items strike me as math-intensive, possibly indicating a cracking functionality of some type...or maybe I'm whistling in the dark. Like I said, this is a suspected trojan, not confirmed.) Anyway, with the creepy-crawlies typically associated with Microsoft-sired worms (use of MS Outlook, generic text, unsolicited payload, et cetera), I'm regarding this as a high-probabilitytrojan/worm.Anyone interested in vivisecting this beastie can find a copy of it here: The file: http://www.treachery.net/~jdyson/trojans/while.com MD5 sum : http://www.treachery.net/~jdyson/trojans/while.com.md5 Oh...and in case anyone's wondering, I've already sent off a letter to AOL to let them know about this. - -Jay ( ( _______ )) )) .-"There's always time for a good cup of coffee"-.>====<--.C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net-----<) | = |-'`--' `--' `---------- Si vis pacem, para bellum. ----------'`------'-----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBPAHReblDRyqRQ2a9AQHg9QP+P1/9NN3JKyToZdn+ACWQE1IRGkWHwHiu JkMBR0xQcmB93EbBP0f1yui9g/Tl+E8ZAGvkQQd3LW665J3fnMMxoeqOnAZsjy3W /owQ1aUJuc6Ki7AU99KQ1gdwV0SO7zFvbNpjSwhpXwhEuj51bwkms3tfw96zRuHi Yj+1XeDe910= =MnN0 -----END PGP SIGNATURE----------------------------------------------------------------------- ----------This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com------------------------------------------------------------------ ---------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
_____________________________________________________________________
INTERNET MAIL FOOTER
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- Possible Trojan/Virus: while.com. Jay D. Dyson (Nov 26)
- Re: Possible Trojan/Virus: while.com. joshb (Nov 26)
- RE: Possible Trojan/Virus: while.com. Fernando Cardoso (Nov 26)
- Re: Possible Trojan/Virus: while.com. John Sage (Nov 26)
- Re: Possible Trojan/Virus: while.com. Jay D. Dyson (Nov 26)
- Re: Possible Trojan/Virus: while.com. joshb (Nov 26)