Don't let BadTrans.B worm its way into your machines

The BadTrans.B worm has been racing across the Internet this week. Although it has been knocked out by most antivirus systems, the machines it does infect can easily allow hackers to steal sensitive files and information.

Just as people were beginning to feel a bit better about the state of the world and were looking forward to the holiday season, an Internet worm called BadTrans.B has been released that may chill some of the holiday warmth. This worm spreads via e-mail and takes advantage of the decreased wariness of the many people who expect holiday greetings to flood their inboxes.

BadTrans.B targets Microsoft Outlook mailboxes and can steal sensitive files and information from the users of infected machines. Although this worm is being effectively filtered by most antivirus systems, it poses a significant security threat to those machines that are infected.

How it works
The BadTrans.B worm variant first appeared on Nov. 23, and according to reports, it began in Great Britain; by Nov. 26, the worm had reportedly spread to 52 countries. Sites that track this and other Internet threats had BadTrans.B up to number two (behind SirCam) on the incident list by 12:00 P.M. EST on Nov. 27.

This worm spreads by replying to messages contained in an infected system’s Outlook mailbox. The timing of its release suggests that it may be attempting to capture sensitive data that’s exposed during online shopping sessions.

BadTrans.B propagates through e-mail attachments whose filenames can begin with any of the following:
  • Humor
  • Docs
  • S3msong
  • Me_nude
  • Card
  • Searchurl
  • You_are_fat!
  • News_doc
  • Images

As it mutates, there will probably be other names as well.

The attachments use a dual extension as part of the filename. That is, an attachment carrying the worm is named with one of the names above, such as humor, followed by two extensions, where humor could be replaced by any of the possible names. The first extension could be .doc, .mp3, or .zip. The second extension could be either .pif or .scr. Because the extensions also vary, the number of possible file designations is initially about 60. This is just an estimate; some combinations may not be used, a few others may not have been discovered yet, and new variants may be released as the original worm spreads.

Besides using the compromised computer to mail itself to other targets, the worm installs both a backdoor and a keystroke logger. As a result, the worm has the potential to be particularly dangerous because it might capture username and password combinations, as well as credit card information, during the holidays when people are using their computers to place gift orders. Since a lot of people use office computers to do their shopping, and the keystroke logger captures all input, this threat could also compromise sensitive business information, and the backdoor could lead to the theft of business documents.

According to Network Associates, the worm spreads by using MAPI messaging to e-mail 13,312-byte attachments. The addresses for outgoing infections are replies to unread Outlook messages. There are reports that BadTrans messages can contain several text versions, including a brief message telling the recipient to look at the attachment.

Network Associates reports that when the virus is run, it displays an Install Error message box that says, “File data corrupt: probably due to a bad transmission or bad disk access.”

This worm installs a backdoor (Kernel32.exe) keyed to a new registry entry, which installs the backdoor at bootup and e-mails the IP address of infected machines. This allows someone initiating the spread of BadTrans to download the contents of the Hksdll.dll keystroke logger file, which the worm also installs.

Avoiding the worm
Although this worm is spreading rapidly, it isn’t rated by Symantec as particularly dangerous. Symantec provides the following recommendation for administrators to quickly prevent infection: “Block any e-mail with attachments ending in .pif or .scr.” This is generally a good practice anyway, but there are also specific comments related to this worm on the Symantec site.
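As an added example (not code from the original article, Symantec, or Network Associates), here is a small Python attachment filter that applies both Symantec's blanket .pif/.scr rule and the dual-extension naming pattern described earlier; the name list and extension sets are the ones given in the article, and the sample filenames are constructed:

```python
"""Classify e-mail attachment filenames against the BadTrans.B naming pattern.

Added example, not from the original article. Two checks are implemented:
  1. Symantec's blanket rule: block any attachment ending in .pif or .scr.
  2. A narrower match for the worm's dual-extension names
     (<name>.<doc|mp3|zip>.<pif|scr>), useful for tagging a hit as
     BadTrans.B specifically rather than as a generic blocked executable.
"""
import itertools
import os

# Names and extensions as listed in the article (lower-cased for matching).
NAMES = ("humor", "docs", "s3msong", "me_nude", "card",
         "searchurl", "you_are_fat!", "news_doc", "images")
FIRST_EXT = (".doc", ".mp3", ".zip")     # decoy "document" extension
SECOND_EXT = (".pif", ".scr")            # the extension Windows actually runs


def blocked_by_policy(filename: str) -> bool:
    """Symantec's recommendation: block anything ending in .pif or .scr.

    This also catches future name mutations, since only the final
    extension matters here.
    """
    return filename.lower().endswith(SECOND_EXT)


def matches_badtrans_pattern(filename: str) -> bool:
    """True only for the worm's known <name><first_ext><second_ext> shape."""
    stem, second = os.path.splitext(filename.lower())
    if second not in SECOND_EXT:
        return False
    name, first = os.path.splitext(stem)
    return first in FIRST_EXT and name in NAMES


def known_variants() -> set:
    """Every filename the article's name/extension lists can produce (9*3*2)."""
    return {n + f + s for n, f, s in itertools.product(NAMES, FIRST_EXT, SECOND_EXT)}


def classify(filename: str) -> str:
    """Return 'badtrans', 'blocked' (policy hit, other payload) or 'allow'."""
    if matches_badtrans_pattern(filename):
        return "badtrans"
    if blocked_by_policy(filename):
        return "blocked"
    return "allow"
```

Matching is case-insensitive and looks only at the last two extensions, so a file such as humor.doc.pif.txt is not blocked by either rule, which is the behaviour the article's description implies.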

To check for infection, Symantec security specialists say that you can look for a new copy of Kernel32.exe in the \Windows\system directory and the following registry value:

Other security specialists report that infected systems will also contain the Inetd.exe file, which is the actual worm.

Final word
BadTrans.B is a slight variant of what Network Associates calls W32/BadTrans, a worm first described in the wild on April 11, 2001. Regularly updating virus descriptions in most antivirus programs should prevent infections by this and other variants of BadTrans.

This dangerous worm is an excellent example of how having a good antivirus system in place can save a lot of time and money. Those who have antivirus software and a good policy for maintaining it have largely been immune to this virus. Those who don’t have such software or lack a good implementation policy are suffering some major headaches because of this little demon.

Have you been hit by BadTrans.B?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the BadTrans.B discussion.
