More info on Badtrans.B (no Mil-veh content)

From: David Richoux (tubaman@wombat.net)
Date: Tue Nov 27 2001 - 09:55:09 PST


I got this from a friend who is very well informed on virus-hacker things...

Dave Richoux
-------------------------------------------------------
It seems "unpatched" versions of Internet Explorer 5.01 and 5.5 have a
special Thanksgiving treat awaiting the unfortunate PC user who also
still uses OUTLOOK.

Today's PC enfant terrible is the Badtrans.B

BACKGROUND

The FBI has been refining hacker tools to place software on a person's
computer that records all the keystrokes typed in the course of the day.
This "trojan horse" then sends a report home that hopefully contains
account numbers and passwords. The FBI calls the initiative "Magic
Lantern" and it is described at:

http://news.cnet.com/news/0-1003-200-7944351.html

Meanwhile, someone started sending these "worms" out via email. Maybe
(my theory) they did it so that the antivirus companies would write
code that would also catch any FBI trojans.

------------------------

"While Badtrans.B is not destructive, it does install a keylogger, a
program that records what a person using the infected PC types and then
sends the information to the virus writer's e-mail address. The
key-logging program, known as Backdoor-NK.server, focuses specifically
on four software functions that are used by programs to allow a person
to enter a password, so it mainly records account information entered.

The FBI is reportedly using just such a program to collect the digital
keys to suspected criminals' accounts.

A PC user will first encounter the worm as an e-mail message--possibly
from someone he or she knows--with an executable attachment. The worm
propagates by sending itself as a reply to any unread messages in the
person's Outlook mailbox. It also sends itself to e-mail addresses
culled from images of Web pages contained in the "My Documents" folder
and the browser's cache.

The virus uses a vulnerability in Microsoft's Internet Explorer 5.01 and
5.5 to automatically execute itself on PCs that don't have a patched Web
browser. Opening the e-mail in a separate window or Outlook's preview
pane will cause the worm to execute on unpatched machines."

http://news.cnet.com/news/0-1003-200-7944351.html
This archive was generated by hypermail 2b29 : Fri Dec 07 2001 - 00:37:00 PST