In this issue:
------------------------------------
- Badtrans worm virus and backdoor Trojan
Thanks to VACM subscriber Holly for sending the first of
a number of infected emails to us. When in doubt, you
can always forward any "suspicious" emails to us for
analysis. So....
The Bottom Line
-----------------------------------------------
VACM team members have been receiving Badtrans infected mails lately
and are therefore posting this alert to all our subscribers.
Win32.Badtrans.13312 replies to all your unread messages
in your email message folders, but...
the WORST part of the Badtrans payload is that it
installs a backdoor Trojan on your system that gives
the virus perpetrator TOTAL CONTROL OF YOUR SYSTEM
via the internet!
Badtrans arrives as an email with one of the following
attachments:
fun.pif
Humor.TXT.pif
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif
Me_nude.AVI.pif
Card.pif
SETUP.pif
searchURL.scr
YOU_are_FAT!.TXT.pif
hamster.ZIP.scr
news_doc.scr
New_Napster_Site.DOC.scr
README.TXT.pif
images.pif
Pics.ZIP.scr
Notice that this virus uses the old "hidden file extension"
ploy to make you think the attachment is harmless.
If you have done the three things VACM has suggested
in past issues, fear not: you're safe, because you will
see that the filename really ends in ".PIF" or ".SCR", etc.
If you haven't already, go to the VACM archives at
and do the first three items under the "VACM Archives"
heading. Once you disable hiding of file extensions,
it will be completely obvious if a file attachment
ends in something that you should not mess with.
The complete list of file extensions that you should
not double-click on is in the "Disable Hiding of
File Extensions Now!" article on the VACM web site.
BTW, the reason people are getting viruses from what they
think are harmless attachments is that, by default,
Windows is set to hide the file extensions of file types
that Microsoft thinks, for some reason, you just don't need
to see. In other words, a ".TXT" attachment that is
really a ".EXE", ".VBS", ".PIF" or a lot of other file
types that are really executable programs will look like
a ".TXT" file unless you took our previous advice.
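The following is an added example, not part of the VACM alert: a small checker that reports what an attachment name really ends in and whether it uses the decoy double extension described above. The extension sets are assumptions drawn from the alert's own text, and the sample names are the ones listed in this alert.

```python
# Added example (not from the VACM alert): flag attachment names that use
# the "hidden file extension" trick, i.e. an executable extension behind a
# harmless-looking one. Extension sets are assumptions based on the alert.
import os

# Extensions Windows runs as programs (the alert names .EXE, .VBS, .PIF, .SCR).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".vbs", ".com", ".bat"}
# Extensions that look like harmless documents or media.
DECOY_EXTS = {".txt", ".doc", ".mp3", ".avi", ".zip", ".jpg", ".gif"}

# Constructed sample input: the attachment names quoted in the alert.
BADTRANS_NAMES = [
    "fun.pif", "Humor.TXT.pif", "docs.scr", "s3msong.MP3.pif",
    "Sorry_about_yesterday.DOC.pif", "Me_nude.AVI.pif", "Card.pif",
    "SETUP.pif", "searchURL.scr", "YOU_are_FAT!.TXT.pif", "hamster.ZIP.scr",
    "news_doc.scr", "New_Napster_Site.DOC.scr", "README.TXT.pif",
    "images.pif", "Pics.ZIP.scr",
]

def analyze_attachment(name: str) -> dict:
    """Report the real (last) extension, what Explorer would show with
    'Hide file extensions for known file types' on, and whether the name
    hides an executable behind a decoy extension."""
    shown_as, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    # With extensions hidden, only the part before the last dot is shown,
    # so a decoy like ".TXT" becomes the visible "extension".
    _, decoy_ext = os.path.splitext(shown_as)
    executable = real_ext in EXECUTABLE_EXTS
    return {
        "name": name,
        "real_ext": real_ext,
        "shown_as": shown_as,
        "executable": executable,
        "double_extension": executable and decoy_ext.lower() in DECOY_EXTS,
    }

def suspicious_attachments(names):
    """Keep only the names whose real extension is an executable type."""
    return [r for r in map(analyze_attachment, names) if r["executable"]]

if __name__ == "__main__":
    for r in suspicious_attachments(BADTRANS_NAMES + ["report.txt"]):
        print(f'{r["name"]:32} shown as {r["shown_as"]:24} really {r["real_ext"]}')
```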
If you got infected by Badtrans...
--------------------------------------------
See the removal instructions (lengthy) at the end of
this article.
Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions
vacm@apcsnh.com
The Badtrans payload...
--------------------------------------------
When the worm is executed, it drops the backdoor Trojan
Hkk32.exe into the \Windows folder and executes it. It then
copies itself into the \Windows folder as inetd.exe,
adds a "run=" line to the Win.ini file, and displays the
following message:
Install Error
File Data corrupt:
Probably due to bad data transmission or
bad disk access.
The next time that the computer is restarted, the worm waits
for five minutes and then uses MAPI to find all unread email
messages and reply to all of them. The worm attaches itself
to the message using one of the following file names:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
---------------------------------------
Removal instructions:
---------------------------------------
Because W32.Badtrans.13312@mm affects different operating
systems in different ways, how you remove this worm
depends on your operating system.
Follow the instructions in the order given.
These instructions assume that you have Norton Antivirus,
which, in our testing, has proven to be your best defense
against virus threats. If you use a different antivirus
product, follow the same steps using your AV software.
To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent
virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan,
making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Badtrans.13312@mm. What
you do next depends on whether NAV was able to delete the
files that it detected as infected with W32.Badtrans.13312@mm:
   - If NAV was able to delete all the files that it detected
     as infected, do one of the following:
       - If you are running Windows 95/98/Me, skip to the
         section "Finally, edit the Win.ini file".
       - If you are running Windows NT/2000, you are finished.
   - If NAV was not able to delete all the files that it detected
     as infected, go on to the next section and follow the
     instructions for your operating system.
To remove files that cannot be deleted by NAV:
Follow the instructions for your operating system only
if NAV could not delete files that it detected as
infected with W32.Badtrans.13312@mm.
Windows 95/98/Me
-----------------------------------------------------
1. Restart the computer in Safe Mode. For instructions on
how to restart in Safe Mode, see "How To Boot into Safe Mode"
in the appendix at the end of this alert.
2. Run the scan again, and delete any files detected
as W32.Badtrans.13312@mm.
3. When the scan is finished, skip to the section
"Finally, edit the Win.ini file".
Windows NT/2000
-----------------------------------------------------
1. Press Ctrl+Alt+Delete one time.
2. Click Task Manager.
3. Click the Processes tab.
4. Click the "Image Name" column header two times to sort
the processes alphabetically.
5. Scroll through the list and look for inetd.exe. If you
find the file, click it and then click End Process.
6. Scroll through the list and look for Kern32.exe. If you
find the file, click it and then click End Process.
7. Close the Task Manager.
8. Right-click the My Computer icon on the Windows desktop,
and click Explore.
9. Do one of the following:
If you are running Windows NT, click the View menu and
click Options.
If you are running Windows 2000, click the Tools menu
and click Folder Options.
10. Click the View tab.
11. Do one of the following:
If you are running Windows NT, click "Show all files,"
uncheck "Hide file extensions for known file types,"
and then click OK.
If you are running Windows 2000, click "Show hidden files
and folders" and uncheck "Hide file extensions for
known file types."
12. In the left pane of Windows Explorer, right-click drive C
and then click Find (Windows NT) or Search (Windows 2000).
13. In the "Named" or "Search for..." box, type (or
copy and paste) the following file names:
inetd.exe kern32.exe hkk32.exe hksdll.dll
14. Click Find Now or Search Now.
15. When the search is finished, write down the names and
locations of the files that are displayed.
16. Click the Edit menu, and click Select All.
17. Hold down the Shift key and press the Delete key.
Continue to hold down the Shift key until you are prompted
to confirm the deletion. Click Yes. (Holding the Shift key
while pressing the Delete key bypasses the Recycle Bin.)
18. Close Windows Explorer.
19. Go on to the section "Now you need to edit the registry".
---------------------------------------
Now you need to edit the registry...
---------------------------------------
CAUTION: We strongly recommend that you back up the system
registry before making any changes. Incorrect changes to
the registry could result in permanent data loss or corrupted
files. Please make sure you modify only the keys specified.
If you do not know how to back up the registry, please see
the instructions at the end of this article or get help from
a knowledgeable computer technician.
1. Click Start, and click Run. The Run dialog box appears.
2. Type "REGEDIT" and then click OK. The Registry Editor opens.
3. Navigate to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
4. In the right pane, delete the value
Kernel32 KERN32.EXE
5. Navigate to the key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
6. In the right pane, delete the value
run
7. Exit the Registry Editor.
8. Restart the computer.
9. Run a full virus scan again, and delete any files detected as
W32.Badtrans.13312@mm. This completes the removal procedure
for users of Windows NT/2000. If you are running Windows 95, 98 or Me,
continue with the following steps.
---------------------------------------
Finally, edit the Win.ini file:
---------------------------------------
If you are running Windows 95/98/Me, you must also
do the following:
1. Click Start, and click Run.
2. Type the following and then click OK:
notepad c:\windows\win.ini
NOTE: If you installed Windows in a different location, make
the appropriate substitution.
3. In the [windows] section, locate the "run=" line. It will look
similar to the following:
run=c:\windows\inetd.exe
4. Remove the text to the right of the "=" sign, so that the
line now reads:
run=
5. Save your changes, and exit the Notepad Editor.
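As an added example (not from the VACM alert), the same Win.ini fix done programmatically: the function blanks the "run=" entry only inside the [windows] section and reports what it removed, so you can confirm it was the inetd.exe entry the alert describes. The sample file contents are constructed here; the real file is c:\windows\win.ini (or wherever Windows is installed).

```python
# Added example (not from the VACM alert): strip the "run=" command that
# Badtrans adds to the [windows] section of Win.ini, as the Notepad steps
# above do by hand. SAMPLE_WIN_INI is a constructed stand-in for the file.
import re

# Constructed sample of an infected Win.ini, with CRLF endings as on disk.
# The "run=" under [fonts] is a decoy to show only [windows] is touched.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=c:\\windows\\inetd.exe\r\n"
    "NullPort=None\r\n"
    "[fonts]\r\n"
    "run=not_a_startup_entry\r\n"
)

def clean_run_line(ini_text: str):
    """Return (cleaned_text, removed_command). The run= line in the
    [windows] section is reduced to "run=" (removed_command holds what
    was to the right of '='); it is None if no such line existed."""
    out, removed, section = [], None, None
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        header = re.match(r"\[(.*)\]$", stripped)
        if header:
            section = header.group(1).lower()
        elif section == "windows" and stripped.lower().startswith("run="):
            removed = stripped[len("run="):].strip()
            # Keep the key and the original line ending; drop the command.
            line = "run=" + line[len(line.rstrip("\r\n")):]
        out.append(line)
    return "".join(out), removed

def is_badtrans_run_entry(command) -> bool:
    """True if the removed command is inetd.exe, the file name the alert
    gives, regardless of the Windows install path."""
    if not command:
        return False
    return command.lower().replace("/", "\\").split("\\")[-1] == "inetd.exe"

if __name__ == "__main__":
    cleaned, removed = clean_run_line(SAMPLE_WIN_INI)
    print("removed:", removed, "(Badtrans)" if is_badtrans_run_entry(removed) else "")
    print(cleaned)
```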
-----------------------------------------------------
How to make a backup of the Windows registry
-----------------------------------------------------
Whenever you need to edit your system registry, it is extremely wise
to first make a backup of the registry. The registry is essentially
the "heart" of your Windows system, and changes to the registry can
cause your system to act unexpectedly, or not at all.
By making a backup of the Windows registry, you will have the ability
to restore the registry in the event that you want to reverse the
changes that you made.
The instructions for backing up the registry depend on which version
of Windows you have.
NOTE: The registry is frequently too large to fit onto a single
floppy disk. This is often the case when using Windows 98
and Windows 2000. When the registry is too large for a
floppy disk, save the registry to the hard disk. In
Windows 2000, the Backup utility allows you to designate
other backup media.
NOTE: The VACM team is providing this information as a convenience.
The procedures below have been tested and used by the VACM team
but are offered as a suggested course of action only.
This information is not intended to replace information
from Microsoft.
Windows 95/98/Me
---------------------------------------
Windows provides two methods for making backups, depending on your
Windows version.
If you are running Windows 95, use RegEdit.exe to create a backup
copy of the registry and save the copy to the Windows desktop.
If you are running Windows 98 or Windows Me, use either RegEdit.exe
or ScanReg to back up the registry.
Windows 98/Me - RegEdit
---------------------------------------
Note that this method will not work for Windows NT or Windows 2000.
Though this method will save a backup, Windows NT/2000 has additional
security protection that prevents this backup from being restored.
To back up the Windows NT/2000 registry, see the Windows NT or
Windows 2000 sections later in this article.
To back up the registry with RegEdit:
1. Click Start, and then click Run. The Run dialog box appears.
2. Type regedit and click OK. The Registry Editor opens.
3. Click the Registry menu and click Export Registry File.
4. Verify the following items in the Export Registry File dialog box:
Save in: Desktop
File name: RegistryBackup
Save as type: Registration Files
Export range: All
5. Click Save.
6. Exit the Registry Editor.
7. Verify that an icon labeled "RegistryBackup.reg" is on the
desktop. The icon represents the backup file. Double-clicking
the icon restores the backup.
WARNING: Do not double-click on the RegistryBackup.reg file you
saved to your Desktop UNLESS you intend to UNDO the changes
that you made to the registry.
After you make the changes you want to the registry, immediately
verify that the results are what you expected.
If the results were not what you expected, and you want to restore
the registry to its previous state, double-click the
RegistryBackup.reg file.
If the results are what you want, delete the RegistryBackup.reg
file after you finish troubleshooting the initial problem.
Do not allow the file to remain on the desktop beyond the
test period. Because double-clicking a .reg file imports
the file's contents into the registry, deleting RegistryBackup.reg
prevents you from inadvertently restoring this version of the
registry later, when it may be out of date.
Windows 98/Me - Scanreg
-------------------------------------
Windows 98 provides an additional means of backing up the registry
that is not available in either Windows 95 or Windows NT. This
involves running the Scanreg command from MS-DOS mode.
To back up the registry with Scanreg:
1. Click Start and click Shut Down. The Shut Down Windows screen appears.
2. Click "Restart in MS-DOS Mode" and click OK. Windows shuts down and restarts to a DOS prompt.
3. At the DOS prompt, type the following command and press Enter:
scanreg /backup
Scanreg will back up your registry and then show a DOS prompt.
Once you have backed up your registry, proceed with making
whatever changes you need to the registry. After you make the
changes, immediately verify that the results are what you expected.
If the results are not what you expected, use Scanreg to restore
the backup copy of the registry.
To restore the backup of the registry with Scanreg:
1. Click Start and click Shut Down. The Shut Down Windows
screen appears.
2. Click "Restart in MS-DOS Mode" and click OK. Windows shuts
down and restarts to a DOS prompt.
3. At the DOS prompt, type the following command and press Enter:
scanreg /restore
Scanreg checks your registry and displays the list of
available backups.
4. Select the backup at the top of the list. This is the backup
you made earlier.
5. Press R to restore the backup.
6. When the restoration is complete, type win and press Enter
to start Windows.
Windows NT
-------------------------------
Windows NT provides a variety of ways to back up the
Windows NT registry. For more information about Windows NT
backup methods, see articles Q126464 and Q122857 in the
Microsoft Knowledge Base at http://support.microsoft.com/support
You can also use the Rdisk utility to back up the Windows NT
registry files onto a floppy disk.
To back up the Windows NT registry files onto a floppy disk:
1. Click Start and click Run. The Run dialog box appears.
2. Type
rdisk /s
and click OK. The Saving Configuration window appears.
3. When the process is finished, the Setup window opens.
Click Yes to create an Emergency Repair Disk (ERD).
4. Follow the on-screen prompts. When you have finished,
label the disk "Emergency Repair Disk" and include
the current date.
5. Locate the three setup disks that came with your copy
of Windows NT. Note that if you do not have the three
Windows NT Setup disks, you can make your own. For more
information, see article Q131735 in the Microsoft Knowledge
Base, or view the step-by-step instructions at
Microsoft Knowledge Base article
6. Store the three setup disks with the Emergency Repair
Disk. When used with the setup disks, the ERD can
restore the backup even when Windows NT is not bootable.
This process also makes a second backup of the current
registry files and saves the second backup in the
\Windows\Repair folder on the hard drive. These files
are compressed. This backup might not be accessible later
if you cannot boot into Windows NT.
After making changes to the registry, immediately verify
that the results are what you expected. If the results
are not what you expected and you want to restore the
registry to its previous state, boot with the first disk
of the three Windows NT setup disks. When the computer
has booted, click Repair and choose Registry. You will
have a choice of which parts of the registry to restore.
Windows 2000
-----------------------------------
In Windows 2000, the Emergency Repair Disk does not contain
a backup of the registry. To back up the registry, use the
Windows 2000 Backup utility, which backs up the registry
together with the other System State files.
See the document Q240363, How to Back Up and Restore the
System State in the Microsoft Knowledge Base at
http://support.microsoft.com/support
After making changes to the registry, immediately verify
that the results are what you expected.
If the results are not what you expected and you want to
restore the registry to its previous state, restore the
System State backup.
For more information, see the article Rdisk.exe Is Not
Included With Windows 2000 in the Microsoft Knowledge Base
at: http://support.microsoft.com/support.
Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions
*** Be sure to check out the appendix at the end of this alert
******** APPENDIX - Handy How-To Tips **********
* How To Boot into Safe Mode
Shut the computer down so that the power is off.