The Bad Trans virus

Introduction to the BadTrans virus

The BadTrans virus (code name W32.BadTrans.B or W32/Badtrans-B) is a worm which spreads by e-mail. It also uses another method to spread:

  • Microsoft Internet Explorer security flaws

The BadTrans.B virus particularly affects those who use Microsoft Outlook in the operating systems Windows 95, 98, Millennium, NT4, and 2000, as the virus is activated in Outlook simply by viewing the message (as opposed to clicking on the attachment).

What the virus does

The BadTrans virus scans the address list in the infected user's address book, as well as web pages contained in the browser cache and the My Documents folder.

Then the BadTrans virus sends each of the addresses an e-mail:

  • with the body either empty, or containing the sentence "Take a look to the attachment."
  • with the subject Re: <Subject of e-mail found>
  • with the attachment having a three-part name
    • First part: One of the following names:
      • CARD
      • DOCS
      • FUN
      • HUMOR
      • IMAGES
      • ME_NUDE
      • New_Napster_Site
      • News_doc
      • PICS
      • README
      • S3MSONG
      • SETUP
      • Sorry_about_yesterday
      • YOU_ARE_FAT!
    • Second part: One of the following extensions:
      • .DOC
      • .MP3
      • .ZIP
    • Third and final part: One of the following extensions:
      • .pif
      • .scr

Therefore, the message's attachment may look like:

  • Me_Nude.MP3.scr
  • News_doc.DOC.scr
  • PICS.doc.scr
  • HUMOR.MP3.scr
  • README.MP3.scr
  • FUN.MP3.pif
  • YOU_are_FAT!.MP3.scr
  • and so on.
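
As an added example (not from the original article), the following Python check flags e-mail attachments whose names follow the three-part scheme described above. It goes slightly beyond the page's list by also flagging any other first part that carries the same decoy-plus-executable suffix. The function names, verdict labels and sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Name parts as listed on the page; compared case-insensitively (samples mix case).
STEMS = {"card", "docs", "fun", "humor", "images", "me_nude",
         "new_napster_site", "news_doc", "pics", "readme", "s3msong",
         "setup", "sorry_about_yesterday", "you_are_fat!"}
DECOY_EXT = {"doc", "mp3", "zip"}   # second part: looks like a document
EXEC_EXT = {"pif", "scr"}           # third part: what Windows actually runs

def classify_filename(name):
    """Return 'badtrans-name', 'double-extension' or None for one filename."""
    parts = name.strip().lower().rsplit(".", 2)
    if len(parts) != 3:
        return None
    stem, decoy, final = parts
    if decoy in DECOY_EXT and final in EXEC_EXT:
        # Stems outside the page's list get a weaker label (assumed labels).
        return "badtrans-name" if stem in STEMS else "double-extension"
    return None

def scan_message(raw):
    """Return [(filename, verdict)] for flagged attachments in a raw message."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        verdict = classify_filename(name) if name else None
        if verdict:
            hits.append((name, verdict))
    return hits

# Constructed sample message (not captured traffic); the payload is a dummy.
SAMPLE = """\
From: a@example.com
Subject: Re: meeting notes
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Take a look to the attachment.
--XX
Content-Disposition: attachment; filename="News_doc.DOC.scr"

AAAA
--XX--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```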

Symptoms of infection

Workstations infected by the BadTrans worm will have the following file on their hard drive:

  • kdll.dll. This is a Trojan horse which records all your keystrokes, in order to recover your passwords.

To check if you are infected, do a search for the file named above on all of your hard drives (Start / Search / For Files or Folders...).

Eradicating the virus

The best method for eradicating the BadTrans worm involves first disconnecting the infected machine from the network, then running up-to-date antivirus software.

What's more, the virus spreads by exploiting a security hole in Microsoft Outlook, which means that you may be contaminated by the virus without clicking on the attachment. To fix the security hole, you must download the patch for Microsoft Outlook. Please check your e-mail client, and download the patch if needed:

More information about the virus

CCM is a leading international tech website. Our content is written in collaboration with IT experts, under the direction of Jean-François Pillou, founder of CCM. CCM reaches more than 50 million unique visitors per month and is available in 11 languages.
This document, titled « The Bad Trans virus », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (
