W32/Badtrans@mm variants 11/26/01 9:20am
Per NAI these worms attempt to send themselves using Microsoft Outlook by replying to unread email messages. They also drop a trojan file.
The worms are detected by the 4167 (or 2167) dats as Badtrans@MM. The trojan is detected as Backdoor-NK.svr with the 4134 dats.
The first variant has one of the following attachment names:
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
With the second variant the attachment name is created from three sections. The first part is chosen from the possibilities:
fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics
The second part is chosen from the possibilities:
.DOC.
.MP3.
.ZIP.
and the last part from the possibilities:
pif
scr
Do Not Open The Attachment!
