W32/Badtrans-A

Category: Viruses and Spyware
Protection available since: 12 Apr 2001 00:00:00 (GMT)
Type: Win32 worm
Last updated: 12 Apr 2001 00:00:00 (GMT)

W32/Badtrans-A is a worm which uses MAPI to spread. The worm arrives in an email message with the text "Take a look to the attachment".

The attachment filename is randomly chosen from the following list:

fun.pif
Humor.TXT.pif
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif
Me_nude.AVI.pif
Card.pif
SETUP.pif
searchURL.scr
YOU_are_FAT!.TXT.pif
hamster.ZIP.scr
news_doc.scr
New_Napster_Site.DOC.SCR
README.TXT.pif
images.pif
Pics.ZIP.scr

If the attached file is run, it displays the message "File data corrupt probably due to bad data transmission or bad disk access.", copies itself into the Windows directory with the filename INETD.EXE and changes win.ini so that the file is run at Windows startup.

When a new message arrives the worm sends a reply with an infected attachment.

The worm also drops a file kern32.exe, which is a password-stealing Trojan, Troj/Keylog-C, into the Windows system directory and changes the registry key

\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
so that the Trojan runs at Windows startup.
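
A mail-gateway style check for the email indicators described above, as an added example that is not Sophos's own code or detection logic. It flags the message text and the listed attachment names, and goes beyond the list to catch any attachment whose decoy extension (.TXT, .DOC, .MP3, .AVI, .ZIP) is followed by .pif or .scr; the function names and the sample message builder are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names and body text exactly as listed in this description.
BADTRANS_NAMES = {n.lower() for n in (
    "fun.pif", "Humor.TXT.pif", "docs.scr", "s3msong.MP3.pif",
    "Sorry_about_yesterday.DOC.pif", "Me_nude.AVI.pif", "Card.pif",
    "SETUP.pif", "searchURL.scr", "YOU_are_FAT!.TXT.pif", "hamster.ZIP.scr",
    "news_doc.scr", "New_Napster_Site.DOC.SCR", "README.TXT.pif",
    "images.pif", "Pics.ZIP.scr")}
BODY_TEXT = "take a look to the attachment"
EXECUTABLE_EXT = {"pif", "scr"}                   # final extensions in the list
DECOY_EXT = {"txt", "doc", "mp3", "avi", "zip"}   # inner extensions in the list


def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons a raw message matches the W32/Badtrans-A description."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content().lower():
        reasons.append("body-text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        pieces = name.split(".")
        if name in BADTRANS_NAMES:
            reasons.append(f"listed-name:{name}")
        # Generalisation: decoy document/media extension hiding an executable one.
        if (len(pieces) >= 3 and pieces[-1] in EXECUTABLE_EXT
                and pieces[-2] in DECOY_EXT):
            reasons.append(f"double-extension:{name}")
    return reasons


def build_sample(filename: str, text: str) -> bytes:
    """Constructed sample message; the attachment bytes are harmless filler."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Re: hello"
    m.set_content(text)
    m.add_attachment(b"constructed sample, not malware",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()
```
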
