Badtrans Class of Worms
ISS X-Force Security Brief
November 28, 2001
Badtrans is a mass-emailer worm that includes enhanced functionality to record an infected user's keystrokes. Badtrans is not intentionally destructive to files or data, but a widespread infection may cause network traffic problems.
The Badtrans worms contain three main components:
- Microsoft Malformed MIME header exploit
- MAPI mass emailing engine
- Keystroke logging functionality

Microsoft Malformed MIME header exploit
Badtrans exploits the Malformed MIME header vulnerability to force execution of the Trojan attachment, even if the user does not open the email message. The Nimda class of worms also uses this vulnerability to increase its effectiveness and its rate of propagation. For more information on this vulnerability, refer to the Microsoft Security Bulletin MS01-020: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

MAPI mass emailing engine
MAPI (Messaging Application Programming Interface) is the interface used by Microsoft Exchange and Microsoft Outlook to manage email, contacts, and other data on the host or on the network. Many email worms use MAPI calls to gather email addresses and send emails. Badtrans reads the infected user's address book through the MAPI interface and then sends a copy of itself to each contact in the list. This functionality is the same as that found in many other email worms.

Keystroke logging functionality
The author of Badtrans used a modified version of the "Hooker" keystroke logging software. Hooker was designed to gather information on the host by looking for passwords, gathering IP addresses, and capturing keystrokes. Badtrans configured Hooker to send this information to one of several email addresses. The current implementation logs the captured information into the file "CP_25389.NLS".

Removal Instructions:
1. Delete the CP_25389.NLS file from the C:\Windows\System or C:\Winnt\System32 directory (depending on your configuration).
2. Using regedit, locate the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce registry key.
3. Delete the "kernel32" value.
4. Restart your system.

Additional Information:
ISS X-Force Database, http://www.iss.net/security_center/static/7607.php

Recommendations:
Security administrators should update perimeter and desktop anti-virus software with the latest signature files. Refer to Microsoft Security Bulletin MS01-020 at the following address for patch information regarding the Malformed MIME header vulnerability: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp. Upgrade or patch vulnerable Internet Explorer versions immediately.
Internet Scanner:
Internet Scanner has provided a check for the Malformed MIME header vulnerability detailed in Microsoft Security Bulletin MS01-020 since XPU 5.1. Finding and patching this vulnerability can slow or stop propagation of any worm or malicious code that attempts to automatically open hostile attachments. Please note that this check requires administrative access on scanned hosts.

RealSecure Network Sensor:
Customers may create a user-defined event to detect incoming copies of Badtrans in email by implementing an Email_Content event using the string (including quotes):
"====_ABC1234567890DEF_===="

Follow the instructions below to apply the user-defined signature to your policy.
1. Choose a policy you want to use, and click 'Customize'.
2. Select the 'User Defined Events' tab.
3. Click 'Add' on the right-hand side of the dialog box.
4. Create a User Defined Event.
5. Type in a name of the event.
6. In the 'Context' field for each event, select 'Email_Content'. In the 'String' field, type the following string (with quotes): "====_ABC1234567890DEF_===="
7. Save your changes, and close the window.
8. Click 'Apply to Sensor'.

Customers may also create user-defined events to detect outgoing email transmissions from computers infected with Badtrans: Badtrans sends the captured information in email messages to a fixed set of external addresses, each of which can be used as an Email_Content string.

ISS has the following services for preventing worms or assisting you in case of a worm infection:
- Penetration Testing for pro-actively identifying potential worm-infection areas.
- Emergency Response Services for providing an incident response plan for containing and eliminating the worm.
- Remotely Managed AntiVirus Gateway where ISS automatically updates and protects against viruses and worms at the gateway.
- Remotely Managed IDS where ISS can monitor and respond to worm attacks.
- Remotely Managed Scanner where ISS can pro-actively identify vulnerabilities that would allow a worm into the network and provide best practice guides for addressing these weaknesses.
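As an added illustration of the two RealSecure user-defined events described in the previous section (not ISS or RealSecure code), the following Python gateway check flags a message whose MIME body carries the Badtrans boundary string and a message addressed to a watched drop-box recipient. The boundary string is the one quoted in the brief; the recipient watch-list and both sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import getaddresses

# Boundary string quoted in the brief as the Email_Content signature.
BADTRANS_BOUNDARY = "====_ABC1234567890DEF_===="

# Watch-list of drop-box recipients: constructed placeholders, not the worm's
# real addresses. Populate from the advisory or your own intelligence.
WATCHED_RECIPIENTS = {"dropbox-a@example.test", "dropbox-b@example.test"}

def inspect_message(raw: bytes, watched=WATCHED_RECIPIENTS) -> list:
    """Return the user-defined event names one raw RFC 822 message triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    events = []

    # Event 1: the declared multipart boundary matches the Badtrans marker, or
    # the marker appears anywhere in the raw message (e.g. in a nested part).
    if msg.get_boundary() == BADTRANS_BOUNDARY or BADTRANS_BOUNDARY.encode() in raw:
        events.append("Email_Content:Badtrans_boundary")

    # Event 2: a To/Cc/Bcc header names a watched keystroke-log drop box.
    headers = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("bcc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if recipients & {a.lower() for a in watched}:
        events.append("Email_Content:Badtrans_dropbox_recipient")
    return events

# Constructed sample: what an infected host's outgoing log mail could look like.
SAMPLE_INFECTED = (
    b"From: user@corp.example\r\nTo: dropbox-a@example.test\r\n"
    b"Subject: Re:\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="\r\n'
    b"\r\n--====_ABC1234567890DEF_====\r\n"
    b"Content-Type: text/plain\r\n\r\nlog\r\n"
    b"--====_ABC1234567890DEF_====--\r\n"
)

# Constructed clean sample: ordinary boundary, ordinary recipient.
SAMPLE_CLEAN = (
    b"From: user@corp.example\r\nTo: colleague@corp.example\r\n"
    b"Subject: notes\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhi\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE_INFECTED))  # both event names
    print(inspect_message(SAMPLE_CLEAN))     # []
```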
About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 9,000 customers worldwide including 21 of the 25 largest U.S. commercial banks, the top 10 U.S. telecommunications companies, and all major branches of the U.S. Federal Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.
Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
X-Force PGP Key available at: sensitive.php as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
