Threat Encyclopedia

Win32/Badtrans.13312

Win32/Badtrans.13312 is a worm combined with a Trojan horse. Its size is 13312 bytes and it is compressed with the UPX packer; once unpacked it is more than 50 kilobytes. It arrives as an e-mail with an infected file attachment, and the computer is infected when that attachment is run. On installation the worm creates the files inetd.exe and hkk32.exe in the directory where Windows is installed (typically C:\WINDOWS) and then runs hkk32.exe. This file in turn creates hksdll.dll, cp_23421.nls and KERN32.EXE in the \SYSTEM subdirectory of the Windows directory, after which hkk32.exe is deleted. The worm itself lives in inetd.exe; the other files belong to the Trojan horse. Under Windows 9x the worm ensures it is started again by adding the following entries to the [windows] section of win.ini:

load=
run=C:\WINDOWS\inetd.exe

Under Windows NT the same task is performed by a key in the system registry. Activation of the Trojan horse after a restart is ensured by a key under HKEY_LOCAL_MACHINE in the subkey \Software\Microsoft\Windows\CurrentVersion\RunOnce; by modifying this key again, the Trojan horse ensures it is activated repeatedly. When the installation is finished the following window is displayed:

After a restart the worm "answers" mail that has not yet been read. The subject of the message it sends is the original subject with the prefix "Re:" added at the front and two spaces appended to the end. The attachment is a copy of the worm under one of the following names:

fun.pif
Humor.TXT.pif
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif
Me_nude.AVI.pif
Card.pif
SETUP.pif
searchURL.scr
YOU_are_FAT!.TXT.pif
hamster.ZIP.scr
news_doc.scr
New_Napster_Site.DOC.scr
README.TXT.pif
images.pif
Pics.ZIP.scr

The content of the message depends on whether the body of the message the worm is answering contains any text. If the original body is blank, the body the worm generates contains only the text "Take a look to the attachment". If it is not blank, the generated message has the following format:

  • Name of the original sender, followed by "wrote"
  • first two lines of the original message
  • > Take a look to the attachment.
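
As an added example (not part of the ESET entry), the mail and win.ini traits described above turned into triage checks in Python: a subject/attachment test for outgoing mail and a minimal win.ini parser for the [windows] load=/run= entries. The double-extension heuristic generalises beyond the names listed on the page and is an assumption; the sample win.ini is constructed.

```python
import re

# Attachment names the entry lists for the worm's copy (taken from the page, lowercased).
BADTRANS_ATTACHMENTS = {
    "fun.pif", "humor.txt.pif", "docs.scr", "s3msong.mp3.pif",
    "sorry_about_yesterday.doc.pif", "me_nude.avi.pif", "card.pif", "setup.pif",
    "searchurl.scr", "you_are_fat!.txt.pif", "hamster.zip.scr", "news_doc.scr",
    "new_napster_site.doc.scr", "readme.txt.pif", "images.pif", "pics.zip.scr",
}
# Generalisation (an assumption, not from the page): a "document" extension hiding
# a .pif/.scr executable follows the same pattern as the listed names.
DOUBLE_EXT_RE = re.compile(r"\.(txt|doc|mp3|avi|zip)\.(pif|scr)$")


def suspicious_attachment(name: str) -> bool:
    low = name.lower()
    return low in BADTRANS_ATTACHMENTS or DOUBLE_EXT_RE.search(low) is not None


def is_badtrans_mail(subject: str, attachments) -> bool:
    """Flag a message only when the subject trait and an attachment trait coincide."""
    # The worm prepends "Re:" and appends exactly two spaces to the original subject.
    subject_hit = subject.startswith("Re:") and subject.endswith("  ")
    return subject_hit and any(suspicious_attachment(a) for a in attachments)


def win_ini_run_entries(win_ini_text: str) -> list[str]:
    """Return non-empty load=/run= values from the [windows] section (minimal parser)."""
    section, found = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run") and value.strip():
            found.append(value.strip())
    return found


def win_ini_loads_inetd(win_ini_text: str) -> bool:
    """True when a [windows] load=/run= entry starts the inetd.exe file the worm drops."""
    return any(v.lower().split("\\")[-1] == "inetd.exe" for v in win_ini_run_entries(win_ini_text))


# Constructed sample: a win.ini [windows] section as the entry describes it.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\inetd.exe\n[Desktop]\nWallpaper=(None)\n"
```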

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.