Badtrans worm leaves backdoors, logs data
A new variant of a mass-mailer Internet worm that installs a backdoor program which can allow attackers to access recipients' computers was spreading on the Internet Monday, according to virus alerts from a number of antivirus companies.
The worm, called Badtrans.B, is a new variant of the older Badtrans virus, according to antivirus companies. The variant is executed when a user opens an infected e-mail, and does not require a user to click on an attachment, as many mass mailer worms do, according to Activis Ltd. and TruSecure Corp. virus alerts. The worm exploits a security vulnerability in Microsoft Corp.'s Outlook and Outlook Express e-mail clients to automatically execute the attachment when the e-mail is opened, they said.
Badtrans is even more devious in that it arrives in the recipient's in-box with a "Re:" subject line to an e-mail actually sent by the user, according to McAfee.com Corp. and TruSecure.
There is some disagreement, however, as to what happens after the worm is executed. According to TruSecure and Network Associates Inc., the parent company of McAfee.com, the worm will send itself to all e-mail addresses listed in unread messages in the victim system's inbox. Activis, however, contends that the worm sends itself to all addresses listed in the user's address book, much like other mass mailers.
What happens next isn't in doubt, however, as all companies agree that the worm then installs a Trojan horse, or backdoor, program that will allow an attacker to gain access to the infected computer and then attempts to sends the IP (Internet Protocol) address of the infected machine to the worm's author.
After execution, Badtrans also runs a keylogger program that can record all data entered via the keyboard, including passwords, credit card numbers and other personal information, according to Activis and McAfee.com. The data gathered by the keylogger is saved in encrypted form on the system's hard drive, they said.
The worm will appear in e-mail boxes with either no text in the body of the message or some of the original message's text, the companies said. The attachments included with the worm will appear to be .MP3, .DOC or .ZIP files, but are actually double extension files with .SCR or .PIF extensions, the companies said. These attachments are 13,312 bytes in length, according to Network Associates.
The companies recommended that users update their antivirus software immediately and that companies block the transfer of attached files at their e-mail gateways. Users are also urged to apply the patch to close the security hole that the worm exploits.
The patch can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp.
ITworld.com
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
