Resolve for W32/Badtrans crack/serial/keygen

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms.

They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

Download Resolve for W32/Badtrans Crack

Software company
Rank 3.0
520 3.0
Crack size ~ 500KB
Downloads total 5112
Systems Win All

W32/Badtrans-A is a worm which uses MAPI to spread. The worm arrives in an email message with the text "Take a look to the attachment".

The attachment filename is randomly chosen from the following list:

fun.pif

Humor.TXT.pif

docs.scr

s3msong.MP3.pif

Sorry_about_yesterday.DOC.pif

Me_nude.AVI.pif

Card.pif

SETUP.pif

searchURL.scr

YOU_are_FAT!.TXT.pif

hamster.ZIP.scr

news_doc.scr

New_Napster_Site.DOC.SCR

README.TXT.pif

images.pif

Pics.ZIP.scr

If the attached file is run, it displays the message "File data corrupt probably due to bad data transmission or bad disk access.", copies itself into the Windows directory with the filename INETD.EXE and changes win.ini so that the file is run at Windows startup.

When a new message arrives the worm sends a reply with an infected attachment.

The worm also drops a file kern32.exe, which is a password-stealing Trojan, Troj/Keylog-C, into the Windows system directory and changes the registry key

HKLMSOFTWAREMicrosoftWindows

CurrentVersionRunOnce so that the Trojan runs at Windows startup.

W32/Badtrans-B is an email-aware worm which uses MAPI to spread. The worm forwards itself to addresses found on the infected computer as an email message with no message text.

The worm finds addresses to send itself to by searching the address book. Additionally it searches the internet cache and "My Documents" folders for web pages, looking for further email addresses to which to send itself.

If the worm is replying to mail found on the infected machine, it will use the infected user's address in the From: field of the email, otherwise it will use one of the following addresses in the From: field:

" Anna"

"JUDY"

"Rita Tulliani"

"Tina"

"Kelly Andersen"

" Andy"

"Linda"

"Mon S"

"Joanna"

"JESSICA BENAVIDES"

" Administrator"

" Admin"

"Support"

"Monika Prado"

"Mary L. Adams"

The email uses a known exploit in certain versions of Outlook Express 5 in order to launch the attached file automatically. Microsoft has released a patch which reportedly addresses this vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.

(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)

The worm generates a subject line by reading email on the infected machine and "replying" to it. For instance,

Re:

For email addresses found via web pages in the internet cache or the "My Documents" folder, the subject line is simply "Re:" with no further text.

The worm attempts to create a name for the attached infected file by randomly generating it from three separate parts. The first part is taken from the list:

CARD

DOCS

FUN

HAMSTER

NEWS_DOC

HUMOR

IMAGES

info

ME_NUDE

New_Napster_Site

PICS

README

S3MSONG

SEARCHURL

SETUP

Sorry_about_yesterday

stuff

YOU_ARE_FAT!

The second from the list:

.DOC.

.MP3.

.ZIP.

(a bug inside the worm means that it never selects the ".ZIP." option)

and the last from:

pif

scr

For this reason the attached file can be called a large number of different names, including:

card.DOC.pif

docs.DOC.pif

fun.MP3.pif

HAMSTER.DOC.PIF

Humor.MP3.scr

IMAGES.DOC.pif

Me_nude.MP3.scr

New_Napster_Site.MP3.pif

Pics.DOC.scr

README.MP3.scr

S3MSONG.DOC.scr

SEARCHURL.MP3.pif

SETUP.DOC.scr

Sorry_about_yesterday.MP3.pif

Sorry_about_yesterday.MP3.scr

stuff.MP3.pif

YOU_ARE_FAT!.DOC.pif

YOU_are_FAT!.MP3.scr

If the attached file is run it may copy itself to the Windows or Windows system directory with the filename kernel32.exe and change the registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce so that the worm runs the next time Windows is started. Note that the registry key will refer to the original attachment if the worm has not created a copy in the Windows or Windows system directories.

The worm also drops a file named kdll.dll, which is the Troj/PWS-AV password-stealing Trojan horse.

W32/Badtrans-B uses the Trojan Troj/PWS-AV to log a user's keystrokes in a file named cp_25389.nls in the Windows system directory. The log of keystrokes may be encrypted.

W32/Badtrans-B will attempt to send the log to one of the following email addresses:

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

W32/Badtrans-A and W32/Badtrans-B can be removed from Windows computers automatically with the following Resolve tools:

BADTRGUI is a disinfector for standalone Windows computers. To use it you have to do the following:

■ Open BADTRGUI.com file from your desktop after downloading it.

■ Click on the Start Scan Button.

■ Wait for the process to complete.

BADTRSFX.EXE is a self-extracting archive containing BADTRCLI, a Resolve command line disinfector for use on Windows networks.

After removing the worm you should install the Microsoft patch MS01-027 or, on single computers, update with all relevant security patches from Windows update.

Comments

sidney, 01 September 2018

salamat sa inyo para sa keygen

jonathan, 29 April 2018

Merci beaucoup!

Elena, 04 May 2017

salamat sa inyo para sa serial Resolve for W32/Badtrans

Abdala, 15 April 2017

спасибі за кейген для Resolve for W32/Badtrans

Leave a comment

Your email will not be published. * Required