Threat Description

BadSector

Details

Category: Malware
Platform: W32
Aliases: Bad Sector, BadSector, IE080898, Snake

Summary


This trojan was sent to several newsgroups in August 1998. It was also mailed directly to thousands of people with a spam e-mail program. The e-mail message presented the trojan as a file named IE080898.EXE and claimed it was a security update for Internet Explorer.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.




Technical Details


The forged spam message was made to look as if it came from Microsoft (reproduced verbatim, including the original's grammar):

      From: IEsupport@microsoft.com (Microsoft Internet Explorer Support)
      Date: 08/07/98 03:40:04 PM
      Subject: FREE! Your upgrade for Microsoft Internet Explorer

      As user of Microsoft Internet Explorer Microsoft Corporation
      provide you an upgrade for your Microsoft Internet Explorer.
      Please run Ie080898.exe to install the upgrade. This file will
      fix some serious bugs in your Internet Explorer.

      For more information please visit Microsoft Internet Explorer
      Home Page at: http://www.microsoft.com/ie/

      Attachment: Ie080898.exe

In fact, the original e-mail message was sent from Bulgaria.

When executed, the trojan installs itself on the Windows system and from then on sends e-mail messages to the Internet at random intervals. The messages go to a fixed list of addresses, evidently chosen in order to harass those recipients.

The trojan itself is a 25 KB Windows executable in NE (16-bit New Executable) format, written in Pascal. Its only use of the network is to send these random messages.

When run for the first time, the trojan only installs itself. It copies itself to the Windows system directory under the name SHELL32.EXE and arranges to be started at boot by adding a shell32.exe entry under HKEY_LOCAL_MACHINE in the Registry key:

         SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The name is chosen to blend in: the genuine Windows shell component in that directory is SHELL32.DLL, so an executable called shell32.exe there is the trojan's copy.

The trojan then exits with no further side effects. After the next reboot it stays resident in memory as a hidden task: it sleeps, and periodically initialises the Windows Sockets API and opens a TCP stream socket to send its messages.
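The persistence check a responder would run against an infected machine, as an added example that is not F-Secure's or the original analysis's code: it parses a .reg export of the Run key and flags any entry that launches a file named shell32.exe. The sample export below is constructed for this example (the SystemTray and ScanRegistry entries are benign filler); only the shell32.exe entry mirrors the description above.

```python
import re

# Constructed sample: a .reg export of the Run key as regedit writes it
# (backslashes doubled). The benign entries are filler for this example;
# the shell32.exe entry mirrors the persistence described above.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"shell32.exe"="C:\\WINDOWS\\SYSTEM\\SHELL32.EXE"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One "name"="data" line of a .reg export; \\ and \" are the escapes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_values(reg_text, key=RUN_KEY):
    """Return {value name: command line} for the string values under `key`."""
    values = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key or not line:
            continue
        m = VALUE_LINE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def _image_basename(command):
    """Basename of the executable a Run command line launches."""
    command = command.strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    else:
        image = command.split(" ", 1)[0]
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_run_entries(reg_text):
    """Run entries that launch a file named shell32.exe.

    The genuine Windows shell component is SHELL32.DLL, so an executable of
    this name started from the Run key matches the trojan's persistence."""
    return sorted(
        (name, data)
        for name, data in parse_run_values(reg_text).items()
        if _image_basename(data) == "shell32.exe" or name.lower() == "shell32.exe"
    )
```

Matching on the image name rather than on a hash is deliberate: a shell32.exe under the Run key is out of place whichever build of the trojan dropped it. On a live system, follow the hit by confirming that the file exists in the system directory and scanning it.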

Each message has a randomly chosen sender, recipient, subject and body. The "Mail From" address is built by taking one word from each of the following four groups and assembling them as 1@2.3.4:

   1: bulgaria badsector hacker omega vali-pedali eunet digsys
   2: main vt linux aix unix mail www host abc server veliko-tar
   3: prodigy compuserve kurva putka gerry tetra europe amstel usa
   4: com edu org mil gov net bg tr gr uk ca ro jp

For example, bulgaria@main.prodigy.com

The recipient address is randomly selected from these:

   gerry@tetra.bg
   administrator@tetra.bg
   tetranet@tetra.bg
   root@vt.bitex.com
   peterc@vt.bitex.com
   ivanp@vt.bitex.com
   root@tarnovo.eunet.bg
   master@tarnovo.eunet.bg
   webmaster@tarnovo.eunet.bg
   root@server.vt.bia-bg.com
   webmaster@mail.vt.bia-bg.com
   webmaster@tetra.bg

The subject is randomly selected from these variants (shown verbatim, since they are usable as indicators; approximate English translations of the Bulgarian ones follow in parentheses):

   Ha-ha-ha
   Bad Sector wi razkaza igrata :))   (Bad Sector has got the better of you :))
   Greetings from Bad Sector ! Po-zdrawi   (Po-zdrawi: regards)
   Vleze li wi sega?   (Did it get in now?)
   Re
   Hi, kak e?   (Hi, how is it going?)
   Ko staa, ima problemi li   (What's up, any problems?)
   Bad Sector
   Kogato grum udari...   (When lightning strikes...)

The sentences of the message body are assembled at random from a large set of verbs, words and sentence fragments. Some of these are vulgar, and most are written in Bulgarian.
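A matcher for the message format described above, as an added example that is not from the original analysis: it encodes the four sender-word groups, the fixed recipient list and the subject variants, can rebuild a sender address the way the trojan does, and scores a message's headers against those indicators. The parse_headers helper and the two sample messages are constructed for this example.

```python
import random
import re

# Word groups the trojan picks from when it builds a "Mail From" address
# (as listed in the description above): one word from each group, joined
# as group1@group2.group3.group4.
GROUP1 = "bulgaria badsector hacker omega vali-pedali eunet digsys".split()
GROUP2 = "main vt linux aix unix mail www host abc server veliko-tar".split()
GROUP3 = "prodigy compuserve kurva putka gerry tetra europe amstel usa".split()
GROUP4 = "com edu org mil gov net bg tr gr uk ca ro jp".split()

# Fixed recipient list and subject variants from the description.
RECIPIENTS = {
    "gerry@tetra.bg", "administrator@tetra.bg", "tetranet@tetra.bg",
    "root@vt.bitex.com", "peterc@vt.bitex.com", "ivanp@vt.bitex.com",
    "root@tarnovo.eunet.bg", "master@tarnovo.eunet.bg",
    "webmaster@tarnovo.eunet.bg", "root@server.vt.bia-bg.com",
    "webmaster@mail.vt.bia-bg.com", "webmaster@tetra.bg",
}
SUBJECTS = {
    "Ha-ha-ha", "Bad Sector wi razkaza igrata :))",
    "Greetings from Bad Sector ! Po-zdrawi", "Vleze li wi sega?", "Re",
    "Hi, kak e?", "Ko staa, ima problemi li", "Bad Sector",
    "Kogato grum udari...",
}


def random_sender(rng=random):
    """Rebuild a sender address the way the trojan does: one word per group."""
    return "%s@%s.%s.%s" % (rng.choice(GROUP1), rng.choice(GROUP2),
                            rng.choice(GROUP3), rng.choice(GROUP4))


def _alternation(words):
    return "|".join(re.escape(w) for w in words)


# Every address the generator can produce, and nothing else.
SENDER_RE = re.compile(
    r"^(%s)@(%s)\.(%s)\.(%s)$" % (_alternation(GROUP1), _alternation(GROUP2),
                                  _alternation(GROUP3), _alternation(GROUP4)),
    re.IGNORECASE,
)


def sender_matches(addr):
    """True if addr is one of the trojan's generated 'Mail From' addresses."""
    return SENDER_RE.match(addr.strip()) is not None


def parse_headers(raw_message):
    """Minimal header parse (constructed helper): lowercase name -> value."""
    headers = {}
    for line in raw_message.split("\n\n", 1)[0].splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def badsector_indicators(raw_message):
    """List which of the three indicators a message's headers match."""
    h = parse_headers(raw_message)
    sender = h.get("from", "")
    angle = re.search(r"<([^>]+)>", sender)
    addr = angle.group(1) if angle else sender
    hits = []
    if sender_matches(addr):
        hits.append("from-grammar")
    if h.get("to", "").lower() in RECIPIENTS:
        hits.append("to-list")
    if h.get("subject", "") in SUBJECTS:
        hits.append("subject-list")
    return hits


def is_badsector(raw_message):
    """Verdict: the sender grammar plus at least one corroborating indicator.
    Subjects such as 'Re' or 'Ha-ha-ha' are too common to count on their own."""
    hits = badsector_indicators(raw_message)
    return "from-grammar" in hits and len(hits) >= 2


def generator_matches_detector(n=500, seed=7):
    """Self-check: every address the generator emits is caught by SENDER_RE."""
    rng = random.Random(seed)
    return all(sender_matches(random_sender(rng)) for _ in range(n))


# Constructed sample messages (not from the original page).
TROJAN_MESSAGE = ("From: hacker@vt.tetra.bg\nTo: webmaster@tetra.bg\n"
                  "Subject: Kogato grum udari...\n\nbody")
BENIGN_MESSAGE = ("From: Alice Example <alice@example.org>\nTo: bob@example.net\n"
                  "Subject: Re\n\nbody")
```

The verdict requires the sender grammar plus one more indicator: the sender space is only 7 x 11 x 9 x 13 addresses and is distinctive, whereas a subject of "Re" on its own would flag half of any mailbox.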





Technical Details: Eugene Kaspersky

