Thursday, November 17, 2005


This multifaceted threat contains both a worm component to spread and a Trojan horse component to open holes on infected computers for future rogue access.
Badtrans spreads by opening and replying to all unread email on a computer, and then remains active, replying to any new email messages that arrive. The reply contains the following message in its body: “Take a look to the attachment.” When the victim clicks the attachment, which Badtrans names randomly, the worm installs a copy of itself (as INETD.EXE) into the Windows directory (usually C:\WINDOWS), along with the Trojan horse (HKK32.EXE). This Trojan is a variant of the Hooker Trojan, which steals system passwords and data and emails the information to a remote party.
To prevent multiple replies to the same message and replies to messages from other infected machines, the author instructed Badtrans to insert two spaces at the end of each email’s subject line and not to reply to messages with that trait. But most email servers abide by a well-known standard for formatting email messages, and in doing so, they delete extra spaces at the end of subject lines. This causes Badtrans to perpetually loop messages between infected computers, possibly causing email servers to crash under the heavy data flow.
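
A mail gateway can spot this reply loop from its own logs. The sketch below is an added example, not code from the original post: it flags replies that carry an attachment plus the body text quoted above, then reports address pairs that keep exchanging such replies in one thread. The record field names, the threshold and the sample records are assumptions made for illustration.

```python
from collections import Counter

BODY_MARKER = "take a look to the attachment."  # reply body quoted on the page
LOOP_THRESHOLD = 3  # assumed: flagged replies in one thread before alerting

def thread_key(subject):
    """Normalize a subject: drop Re: prefixes and edge whitespace.
    Trailing spaces are ignored because servers may strip them in transit."""
    s = subject.strip()
    while s[:3].lower() == "re:":
        s = s[3:].strip()
    return s.lower()

def analyze(records):
    """Return (suspect_ids, looping_pairs) for gateway log records."""
    suspects, exchanges = [], Counter()
    for r in records:
        is_reply = r["subject"].strip().lower().startswith("re:")
        if is_reply and r["attachment"] and BODY_MARKER in r["body"].lower():
            suspects.append(r["id"])
            pair = frozenset((r["from"], r["to"]))
            exchanges[(pair, thread_key(r["subject"]))] += 1
    loops = sorted({tuple(sorted(pair))
                    for (pair, _), n in exchanges.items()
                    if n >= LOOP_THRESHOLD})
    return suspects, loops

MARK = "Take a look to the attachment."
# Constructed sample records (hypothetical schema, not real traffic).
SAMPLE = [
    {"id": 1, "from": "a@example.com", "to": "b@example.com",
     "subject": "Lunch", "body": "Friday?", "attachment": False},
    {"id": 2, "from": "b@example.com", "to": "a@example.com",
     "subject": "Re: Lunch", "body": MARK, "attachment": True},
    {"id": 3, "from": "a@example.com", "to": "b@example.com",
     "subject": "Re: Re: Lunch", "body": MARK, "attachment": True},
    {"id": 4, "from": "b@example.com", "to": "a@example.com",
     "subject": "Re: Re: Re: Lunch", "body": MARK, "attachment": True},
    {"id": 5, "from": "c@example.com", "to": "d@example.com",
     "subject": "Re: Budget", "body": "See attached report.", "attachment": True},
    {"id": 6, "from": "e@example.com", "to": "f@example.com",
     "subject": "Re: Notes  ", "body": MARK, "attachment": True},
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Pairs returned in the second list are candidates for quarantine at the gateway, and the hosts behind them can then be checked for INETD.EXE and HKK32.EXE in the Windows directory.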


