Virus Profile: W32/BadTrans@MM

Virus Characteristics

UPDATE November 25, 2001 20:30 PST
AVERT has raised the Risk Assessment on the Badtrans.b variant to Medium On Watch for corporate users and High for home users. We have received many reports that the virus is being seen and stopped at corporate gateways and mailservers. However, we continue to get reports from the home user segment that they have become infected. This is due to the fact that home users tend to update their DAT files less frequently.

As noted below, the virus is detected as W32/Badtrans@MM as the detection technology, which identified the virus first, uses this naming convention for both variants of the Badtrans virus.

This new variant of Badtrans drops a password stealing trojan which is detected as PWS-Hooker with the 4173 DATs, or greater, and a variant of PWS-AV with the 4172 DATs.

UPDATE November 24, 2001 15:30 PST
A new variant of Badtrans has been discovered. This is considered to be variant .b by some companies. VirusScan and other McAfee products with DAT files 4168 are protected from this variant without any updating from that DAT. The variant will be detected as W32/Badtrans@MM when scanning compressed files.

This variant is a Medium risk as is the first variant. Your risk of infection is higher if you do not have the 4168 DAT files or above. See the .b section below for more details on this variant.

Badtrans.a details:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).

When run, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL detected as PWS-AV (was DUNpws.av) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe

Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\
CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

Once running, the trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames, and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):

Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

The message body may contain the text:
Take a look to the attachment.