[Dshield] FYI: W32.Badtrans.B@mm

John Sage jsage at finchhaven.com
Sun Nov 25 20:55:28 GMT 2001


At the risk of restating the obvious, for those on Window$ boxes, watch 
out for funny emails.

I've received two in an hour, now, 11/25/01 -- characteristics:

File size about 39k;
subject line: "RE: ";

Content-Type: audio/x-wav;
name="news_doc.DOC.scr"; -- or some variation thereon...
Content-Transfer-Encoding: base64;
Content-ID: <EA4DMGBP9p>

A search at Symantec yielded:

http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

w32.badtrans.b at mm.html, discovered 11/24/01

"W32.Badtrans.B at mm is a MAPI worm that emails itself out as one of 
several different file names. This worm also drops a backdoor trojan 
that logs keystrokes."


A possible variant of W32.Badtrans.13312 at mm, discovered 04/11/01


Forewarned is forearmed etc etc etc...


- John


The first:

 From - Sun Nov 25 09:24:32 2001
Delivery-date: Sun, 25 Nov 2001 12:09:31 -0500
Received: from [24.51.160.84] (helo=aol.com)
by rcommail2 with smtp (Exim 3.16 #2)
id 1682mX-0005c1-00
for jsage at blahblahblah.com; Sun, 25 Nov 2001 12:09:29 -0500
From: " Administrator" <administrator at border.net>
To: jsage at blahblahblah.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <E1682mX-0005c1-00 at rcommail2>
Date: Sun, 25 Nov 2001 12:09:29 -0500

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="news_doc.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

<snip base 64 encoded body>


The second:

 From - Sun Nov 25 12:24:34 2001
Delivery-date: Sun, 25 Nov 2001 15:16:02 -0500
Received: from [209.239.47.119] (helo=host9.apollohosting.com)
by rcommail2 with esmtp (Exim 3.16 #2)
id 1685h4-0000v7-00
for jsage at finchhaven.com; Sun, 25 Nov 2001 15:16:02 -0500
Received: from aol.com (sttldslgw19poolA163.sttl.uswest.net [63.231.20.163])
by host9.apollohosting.com (8.10.2/8.10.2) with SMTP id fAPKFt602941
for <jsage at blahblahblah.com>; Sun, 25 Nov 2001 15:15:56 -0500
Date: Sun, 25 Nov 2001 15:15:56 -0500
Message-Id: <200111252015.fAPKFt602941 at host9.apollohosting.com>
From: "Jonathan Dunn" <_jondunn at jonathanClarkDunn.com>
To: jsage at blahblahblah.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="Sorry_about_yesterday.MP3.pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

<snip base 64 encoded body>

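As an added example (not part of John's post or anything from Symantec), a short Python check for the structure he quotes above: an HTML part whose zero-size iframe pulls in, via a cid: reference, a part declared audio/x-wav but named with a .scr or .pif double extension. The sample message is constructed from the quoted headers with the body snipped; the function name and the extension list are assumptions of the example.

```python
import email
import re
from email import policy

# Constructed sample modelled on the headers quoted in the post (body snipped).
SAMPLE = """\
Subject: Re:
Content-Type: multipart/related; type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="news_doc.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

AAAA
--====_ABC1234567890DEF_====--
"""

# Executable extensions hidden behind a "document" or "media" double extension.
EXEC_EXT = re.compile(r"\.(scr|pif|exe|com|bat)$", re.IGNORECASE)
# <iframe src=cid:...> once the quoted-printable encoding has been decoded.
CID_IFRAME = re.compile(r"<iframe[^>]*src=[\"']?cid:([^\"'\s>]+)", re.IGNORECASE)


def find_badtrans_indicators(raw):
    """Return (content-id, filename, declared type) for every MIME part that an
    HTML iframe pulls in by cid: and whose filename ends in an executable extension."""
    msg = email.message_from_string(raw, policy=policy.default)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(CID_IFRAME.findall(part.get_content()))
    hits = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip("<>")
        name = part.get_filename() or ""
        if cid in referenced and EXEC_EXT.search(name):
            hits.append((cid, name, part.get_content_type()))
    return hits
```

The declared type is returned alongside the filename so a filter can also flag the audio/x-wav versus .scr mismatch on its own.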