Introduction to the BadTrans virus

The BadTrans virus (code name W32.BadTrans.B or W32/Badtrans-B) is a worm which spreads by e-mail. It also uses another method to spread:

• Microsoft Internet Explorer security flaws

The BadTrans.B virus particularly affects those who use Microsoft Outlook in the operating systems Windows 95, 98, Millennium, NT4, and 2000, as the virus is activated in Outlook simply by viewing the message (as opposed to clicking on the attachment). http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

What the virus does

The BadTrans virus scans the address list in the infected user's address book, as well as web pages contained in the browser cache and the My Documents folder.

Then the BadTrans virus sends each of the addresses an e-mail:

• with the body either empty, or containing the sentenceTake a look to the attachment.
• with the subject Re: <Subject of e-mail found>
• with the attachment having a three-part name
  • First part: One of the following messages:
    • CARD
    • DOCS
    • FUN
    • HAMSTER NEWS_DOC
    • HUMOR
    • IMAGES
    • ME_NUDE
    • New_Napster_Site
    • News_doc
    • PICS
    • README
    • S3MSONG
    • SEARCHURL
    • SETUP
    • Sorry_about_yesterday
    • YOU_ARE_FAT!
  • Second part: One of the following extensions:
    • .DOC
    • .MP3
    • .ZIP
  • Third and final part: One of the following extensions:
    • .pif
    • .scr

• Me_Nude.MP3.scr
• News_doc.DOC.scr
• HAMSTER.DOC.pif
• PICS.doc.scr
• HUMOR.MP3.scr
• README.MP3.scr
• FUN.MP3.pif
• YOU_are_FAT!.MP3.scr
• and so on.

Symptoms of infection

Workstations infected by the BadTrans worm will have the following file on their hard drive:

• kdll.dll. This is a Trojan horse which records all your keystrokes, in order to recover your passwords.

To check if you are infected, do a search for the files named above on all of your hard drives (Start / Search / For Files or Folders...).

Eradicating the virus

The best method for eradicating the BadTrans worm involves first disconnecting the infected machine from the network, then running an up-to-date antivirus software.

What's more, the virus spreads by exploiting a security hole in Microsoft Outlook, which means that you may be contaminated by the virus without clicking on the attachment. To fix the security hole, you must download the patch for Microsoft Outlook. Please check your e-mail client, and download the patch if needed:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

More information about the virus

• http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B
• http://www.01net.com/rdn?oid=168725=3034
• http://vil.nai.com/vil/virusSummary.asp?virus_k=99069
• http://www.sophos.fr/virusinfo/analyses/w32badtransb.html
• http://www.F-Secure.com/v-descs/badtrans.shtml
• http://www.computing.vnunet.com/News/1127123