Oslo, 25 November 2001
The Data Security Company Norman warns of a new mass-mailer worm, W32/Badtrans.B@mm. This worm, similar to the recent W32/Aliz and W32/Nimda worms, uses a special trick to execute even if a mail is merely opened or previewed in Outlook/Outlook Express.
This is a variant of the known Badtrans.A worm, updated with some new tricks. When run, it copies itself to the Windows system directory under the name KERNEL32.EXE, which should not be mistaken for the Windows main library KERNEL32.DLL.
Destructivity and Payload
The worm installs a key logging utility, KDLL.DLL, in the Windows system directory.
As with the recent W32/Aliz and W32/Nimda worms, the worm can execute when a mail is merely opened or previewed in Outlook/Outlook Express. This is accomplished by exploiting a known security hole, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".
Spreading mechanism and attachment
The worm uses the Microsoft Mail API to spread. The attachment will have double extensions, where the first is DOC, MP3 or ZIP, and the second is either PIF or SCR.
The attachment name can consist of one of the following pieces: Fun, Humor, docs, info, Sorry_about_yesterday, Me_nude, Card, SETUP, stuff, YOU_are_FAT!, HAMSTER, news_doc, New_Napster_Site, README, images, pics, S3MSONG, SEARCHURL
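The naming pattern described above can be checked at a mail gateway or during mailbox triage. The following Python sketch is an added example, not Norman's detection logic: it flags attachments whose name ends in one of the listed double extensions, and gives a stronger verdict when the name is also one of the listed pieces. The function names, the verdict labels, the exact-match rule for the name and the sample message are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Name pieces and extensions exactly as listed in the advisory above.
NAME_PIECES = {
    "fun", "humor", "docs", "info", "sorry_about_yesterday", "me_nude",
    "card", "setup", "stuff", "you_are_fat!", "hamster", "news_doc",
    "new_napster_site", "readme", "images", "pics", "s3msong", "searchurl",
}
FIRST_EXT = {"doc", "mp3", "zip"}
SECOND_EXT = {"pif", "scr"}

def classify_attachment(filename):
    """Return 'match', 'double-extension' or 'clean' for one attachment name."""
    # Drop any path component, surrounding whitespace and trailing dots.
    base = re.split(r"[\\/]", filename)[-1].strip().rstrip(". ")
    parts = base.lower().rsplit(".", 2)
    if len(parts) != 3:
        return "clean"
    stem, first, second = parts
    if first in FIRST_EXT and second in SECOND_EXT:
        # Assumption: the whole name before the extensions is one listed piece.
        return "match" if stem in NAME_PIECES else "double-extension"
    return "clean"

def scan_message(msg):
    """Return [(filename, verdict)] for every attachment that is not clean."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            verdict = classify_attachment(name)
            if verdict != "clean":
                hits.append((name, verdict))
    return hits

def build_sample():
    """Constructed sample message; attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed sample body")
    for name in ("README.MP3.scr", "report.doc", "invoice.zip.pif"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

A "double-extension" verdict is worth quarantining on its own, since a document, audio or archive name that ends in PIF or SCR is an executable.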
Information about the security hole and patch is available from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without Service Pack 2. Users who have this configuration should apply the available patch or disable Active Scripting. Information on how to do this is available in Norman's Security Information found here: http://www.norman.no/security_info/1999_43.shtml
Norman Virus Control with definition files from November 25th or later detects this worm. Users are encouraged to update their Norman Virus Control protection to the most recent version.
More information is available at www.norman.com
For further information, please contact
Norman ASA, VP Marketing Bjørn A. Windfeldt, tel.+47 67 10 97 76, mob. +47 41 53 97 76