About the Book
This book consists of articles from Wikia or other free sources online. Pages: 52.

Chapters: Win32 virus, Win32 worm, Badtrans, Beagle, Bolzano, Bridex, Bymer, CIH, Collo, Dumaru, Elkern, Fizzer, Frethem, Funlove, Gibe, Hazafi, Hybris, Lara, Magistr, Maldal, MTX, Mylife, Parrot, Remex, Roron, Smash, Stuxnet, Welchia, Winevar, YahaSux.

Excerpt: Badtrans is an email worm from 2001. Similar to the Nimda worm, Badtrans uses an exploit in Microsoft's Outlook email program that gives it the ability to launch itself from the preview pane. Badtrans arrives in an email with many possible spoofed sender lines. The sender line may be one collected from SMTP information on the computer it came from or one of 15 possible sender lines contained inside the worm. It can launch itself from the preview pane in Microsoft Outlook, but must be downloaded and executed for other email clients. The attachment is 29,020 bytes long. When Badtrans is executed, it copies itself to the Windows system folder as Kernel32.exe and (in Windows 95, 98 and ME) registers itself as a service process. It also drops a key log file, Cp_25389.nls, and the key logger, Kdll.dll, in the system folder. The worm displays a dialog box titled "WinZip Self-eXtractor," which reads, "File data corrupt: probably due to a bad data transmission or bad diskaccess." The worm checks for an open window with a title beginning with one of the following sets of letters: LOG, PAS, REM, CON, TER, NET (obviously to check for the words LOGon, PASsword, REMote, CONnection, TERminal, NETwork, and it also looks for Russian versions of these words). If these words are found, keylogging is enabled for 60 seconds. After Badtrans pilfers keystrokes, the data is sent back to one of 22 email addresses (this is according to the...