The Bad Trans virus

December 2016

Introduction to the BadTrans virus

The BadTrans virus (code name W32.BadTrans.B or W32/Badtrans-B) is a worm which spreads by e-mail. It also uses another method to spread:

  • Microsoft Internet Explorer security flaws

The BadTrans.B virus particularly affects those who use Microsoft Outlook in the operating systems Windows 95, 98, Millennium, NT4, and 2000, as the virus is activated in Outlook simply by viewing the message (as opposed to clicking on the attachment).
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

What the virus does

The BadTrans virus scans the address list in the infected user's address book, as well as web pages contained in the browser cache and the My Documents folder.

Then the BadTrans virus sends each of the addresses an e-mail:

  • with the body either empty, or containing the sentence "Take a look to the attachment."
  • with the subject Re: <Subject of e-mail found>
  • with the attachment having a three-part name
    • First part: One of the following messages:
      • CARD
      • DOCS
      • FUN
      • HAMSTER
      • NEWS_DOC
      • HUMOR
      • IMAGES
      • ME_NUDE
      • New_Napster_Site
      • News_doc
      • PICS
      • README
      • S3MSONG
      • SEARCHURL
      • SETUP
      • Sorry_about_yesterday
      • YOU_ARE_FAT!
    • Second part: One of the following extensions:
      • .DOC
      • .MP3
      • .ZIP
    • Third and final part: One of the following extensions:
      • .pif
      • .scr
Therefore, the message's attachment may look like:
  • Me_Nude.MP3.scr
  • News_doc.DOC.scr
  • HAMSTER.DOC.pif
  • PICS.doc.scr
  • HUMOR.MP3.scr
  • README.MP3.scr
  • FUN.MP3.pif
  • YOU_are_FAT!.MP3.scr
  • and so on.
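
The three-part naming scheme above can be checked at a mail gateway or when triaging a mailbox. The following is an added example, not part of the original page: the function names and the sample message are constructed for illustration, and it flags any `.DOC/.MP3/.ZIP` + `.pif/.scr` attachment, noting separately when the first part is on the list above.

```python
import re
from email import message_from_string

# First-part names from the page's list, upper-cased; HAMSTER and NEWS_DOC are
# treated as separate entries, as in the page's HAMSTER.DOC.pif example.
FIRST_PARTS = {
    "CARD", "DOCS", "FUN", "HAMSTER", "NEWS_DOC", "HUMOR", "IMAGES",
    "ME_NUDE", "NEW_NAPSTER_SITE", "PICS", "README", "S3MSONG",
    "SEARCHURL", "SETUP", "SORRY_ABOUT_YESTERDAY", "YOU_ARE_FAT!",
}
# Three-part shape: <name>.<DOC|MP3|ZIP>.<pif|scr>, case-insensitive.
DOUBLE_EXT = re.compile(r"^(.+)\.(doc|mp3|zip)\.(pif|scr)$", re.IGNORECASE)

def classify_filename(name):
    """Return 'badtrans-name', 'double-extension' or None for one filename."""
    m = DOUBLE_EXT.match(name.strip())
    if not m:
        return None
    # A listed first part is a full match; otherwise only the disguise matches.
    return "badtrans-name" if m.group(1).upper() in FIRST_PARTS else "double-extension"

def scan_message(raw):
    """Return [(filename, verdict)] for flagged attachments in a raw message."""
    hits = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        verdict = classify_filename(filename) if filename else None
        if verdict:
            hits.append((filename, verdict))
    return hits

# Constructed sample message (not a real capture); attachment body is a placeholder.
SAMPLE = """\
From: alice@example.com
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Take a look to the attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="README.MP3.scr"

cGxhY2Vob2xkZXI=
--b1--
"""
```

Calling `scan_message(SAMPLE)` returns the flagged attachment with its verdict; a `double-extension` verdict means the file uses the same disguise with a name that is not on the list.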

Symptoms of infection

Workstations infected by the BadTrans worm will have the following file on their hard drive:

  • kdll.dll. This is a Trojan horse which records all your keystrokes, in order to recover your passwords.

To check if you are infected, do a search for the file named above on all of your hard drives (Start / Search / For Files or Folders...).

Eradicating the virus

The best method for eradicating the BadTrans worm involves first disconnecting the infected machine from the network, then running up-to-date antivirus software.

What's more, the virus spreads by exploiting a security hole in Microsoft Outlook, which means that you may be contaminated by the virus without clicking on the attachment. To fix the security hole, you must download the patch for Microsoft Outlook. Please check your e-mail client, and download the patch if needed:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

This document entitled « The Bad Trans virus » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.