[Snort-users] FYI: W32.Badtrans.B at ...4138...

John Sage jsage at ...2022...
Sun Nov 25 13:38:02 EST 2001


At the risk of restating the obvious, for those on Window$ boxes, watch
out for funny emails.

I've received two in an hour, now, 11/25/01 -- characteristics:

File size about 39k;
subject line: "RE: ";

Content-Type: audio/x-wav;
name="news_doc . DOC . scr"; -- or some variation thereon...

(I had to mung the name to get this past the snort list's virus filters: 
there are no spaces between the dots...)

Content-Transfer-Encoding: base64;
Content-ID: <EA4DMGBP9p>

A search at Symantec yielded:

http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@...3071...

w32.badtrans.b at ...3071..., discovered 11/24/01

"W32.Badtrans.B at ...4138... is a MAPI worm that emails itself out as one of
several different file names. This worm also drops a backdoor trojan
that logs keystrokes."


A possible variant of W32.Badtrans.13312 at ...4138..., discovered 04/11/01


Forewarned is forearmed etc etc etc...


- John



The first:



  From - Sun Nov 25 09:24:32 2001
Delivery-date: Sun, 25 Nov 2001 12:09:31 -0500
Received: from [24.51.160.84] (helo=aol.com)
by rcommail2 with smtp (Exim 3.16 #2)
id 1682mX-0005c1-00
for jsage at ...4139...; Sun, 25 Nov 2001 12:09:29 -0500
From: " Administrator" <administrator at ...4140...>
To: jsage at ...4139...
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <E1682mX-0005c1-00 at ...4141...>
Date: Sun, 25 Nov 2001 12:09:29 -0500

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="news_doc . DOC . scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

<snip base 64 encoded body>

(Name munged with spaces between dots..)


The second:



  From - Sun Nov 25 12:24:34 2001
Delivery-date: Sun, 25 Nov 2001 15:16:02 -0500
Received: from [209.239.47.119] (helo=host9.apollohosting.com)
by rcommail2 with esmtp (Exim 3.16 #2)
id 1685h4-0000v7-00
for jsage at ...2022...; Sun, 25 Nov 2001 15:16:02 -0500
Received: from aol.com (sttldslgw19poolA163.sttl.uswest.net [63.231.20.163])
by host9.apollohosting.com (8.10.2/8.10.2) with SMTP id fAPKFt602941
for <jsage at ...4139...>; Sun, 25 Nov 2001 15:15:56 -0500
Date: Sun, 25 Nov 2001 15:15:56 -0500
Message-Id: <200111252015.fAPKFt602941 at ...4142...>
From: "Jonathan Dunn" <_jondunn at ...4143...>
To: jsage at ...4139...
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="Sorry_about_yesterday . MP3 . pif"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

(Name munged with spaces between dots..)


<snip base 64 encoded body>
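The two messages share one structure: a zero-size iframe in the HTML part pulls in a `cid:` that resolves to an "audio/x-wav" attachment whose real extension is .scr or .pif. The Python below is an added example for mail-gateway triage, not code from the post or from Snort; it parses a constructed copy of that structure (dots restored in the attachment name, headers trimmed, body a placeholder) and reports which attachments the hidden iframe would hand to the OS. The extension list is an assumption beyond the two extensions the post shows.

```python
import email
import re
from email import policy
# Constructed sample mirroring the two messages quoted above (dots restored in
# the attachment name; the post spaced them out to pass the list's filter).
SAMPLE = """\
Subject: Re:
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="news_doc.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

QUJDREVGR0g=
--====_ABC1234567890DEF_====--
"""

# Windows launches these whatever MIME type is declared: the two the post shows plus .exe (assumption).
EXEC_EXT = (".scr", ".pif", ".exe")
IFRAME_RE = re.compile(r"<iframe\b(?P<attrs>[^>]*)>", re.I)
CID_RE = re.compile(r"src\s*=\s*['\"]?cid:(?P<cid>[^'\"\s>]+)", re.I)
ZERO_RE = re.compile(r"(height|width)\s*=\s*['\"]?0\b", re.I)

def analyse(raw):
    """Return names of executable attachments that a zero-size iframe in the HTML body loads via cid:."""
    msg = email.message_from_string(raw, policy=policy.default)
    hidden, execs = set(), {}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable encoding (=3D -> =)
            for m in IFRAME_RE.finditer(part.get_content()):
                cid = CID_RE.search(m.group("attrs"))
                if cid and ZERO_RE.search(m.group("attrs")):
                    hidden.add(cid.group("cid"))
        elif not part.is_multipart():
            # get_filename() also honours the name= parameter on Content-Type
            name = part.get_filename() or ""
            if name.lower().endswith(EXEC_EXT):
                execs[(part.get("Content-ID") or "").strip("<>")] = name
    return sorted(execs[c] for c in hidden & set(execs))
```

A non-empty result means the message carries the auto-launch chain described above, independent of which file name the worm chose this time.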






