Security Incidents mailing list archives

Re: W32.Badtrans.B@mm


From: Marc Fossi <mfossi () securityfocus com>
Date: Mon, 26 Nov 2001 14:46:48 -0700 (MST)

"It drops a keyboard hooker with the KDLL.DLL name, and sends stolen info
to the "uckyjw () hotmail com" e-mail address. The log info is stored in the
Windows system directory with the CP_25389.NLS name."

http://www.viruslist.com/eng/default.asp?tnews=12&nview=1&id=1255&page=0
(url may be wrapped)

"The worm uses the default account and the default SMTP server of the local
machine. This information can be found in the following registry entries:"

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B&VSect=T
(url may be wrapped)

Marc Fossi, MCSE
SecurityFocus
www.securityfocus.com

On Mon, 26 Nov 2001, Liudvikas Bukys wrote:

I am dismayed to find that ALL of the anti-virus vendors have decided to
limit their "tech details" so much that I can't find a published account
of how the keyboard-logging trojan contacts the outside world. It would
be helpful to know what hosts or names it connects out to, without having to
wait for a "live one" to appear before I find out.

Does anybody here know?

Liudvikas Bukys
bukys () rochester edu
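A small hunt script, added here as an example and not part of either message, that checks a host for the two artifacts Marc quotes above (KDLL.DLL and CP_25389.NLS in the Windows system directory) and scans SMTP relay logs for mail to the drop mailbox, which is the kind of answer Liudvikas was after. The relay log line layout is a constructed assumption, and the drop address is the one the archive prints as "uckyjw () hotmail com".

```python
"""Added hunt script (not from the list post): checks a host for the Badtrans.B
artifacts quoted above and scans SMTP relay logs for mail to the drop mailbox."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# Artifact names as quoted from the AV write-ups in the post.
KEYLOGGER_DLL = "KDLL.DLL"      # the keyboard hook component
KEYLOG_FILE = "CP_25389.NLS"    # keystroke log kept in the Windows system directory
# The list archive prints the drop address as "uckyjw () hotmail com"; reassembled here.
EXFIL_ADDRESS = "uckyjw@hotmail.com"

# Constructed relay log layout (an assumption, not any real MTA's format):
#   <timestamp> client=<ip> from=<addr> to=<addr> status=<word>
_LOG_RE = re.compile(r"client=(?P<client>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)")


def check_system_dir(filenames: Iterable[str]) -> list[str]:
    """Return which Badtrans artifacts appear in a system-directory listing.
    Matching is case-insensitive because Windows file names are."""
    wanted = {KEYLOGGER_DLL.lower(): KEYLOGGER_DLL, KEYLOG_FILE.lower(): KEYLOG_FILE}
    return sorted({wanted[n.lower()] for n in filenames if n.lower() in wanted})


# Run check_system_dir on a live directory, e.g. scan_host(Path(r"C:\WINNT\System32")).
def scan_host(system_dir: Path) -> list[str]:
    return check_system_dir(p.name for p in system_dir.iterdir())


def find_exfil_clients(mail_log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, sender) for each relay log line addressed to the drop mailbox.
    The client identifies the infected workstation; the sender is whatever default
    account the worm read out of the registry."""
    hits = []
    for line in mail_log_lines:
        m = _LOG_RE.search(line)
        if m and m.group("rcpt").lower() == EXFIL_ADDRESS:
            hits.append((m.group("client"), m.group("sender")))
    return hits


if __name__ == "__main__":
    # Constructed sample data for a dry run; no real host or log is touched.
    print("artifacts:", check_system_dir(["kernel32.dll", "kdll.dll", "cp_25389.nls"]))
    print("suspect clients:", find_exfil_clients([
        "2001-11-26T14:01:02 client=10.0.0.17 from=jdoe@corp.example to=uckyjw@hotmail.com status=sent",
        "2001-11-26T14:01:09 client=10.0.0.21 from=asmith@corp.example to=friend@example.net status=sent",
    ]))
```

Hosts named by find_exfil_clients are the ones to pull the system directory listing from; the registry entries Trend Micro references explain why the sender address is the user's own default account rather than a fixed string.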

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
