BadTrans
Aliases: IWorm_Badtrans, I-Worm.Badtrans

According to reports from F-Secure, BadTrans exhibits the following characteristics:

Type: Internet Worm
Systems Affected: Windows 32-bit systems running Internet Explorer 4.0, 4.01, 5.0, and 5.01
Payload: Spams alt.comp.virus newsgroup
ITW: Yes
Origin: Poland
Description: BadTrans is a mass-mailing email worm and password-stealing Trojan discovered in the wild on April 12, 2001.

The worm itself is a Win32 executable (PE EXE) file. It was found in the wild in compressed form and is about 13 KB long; when decompressed, the file grows to about 40 KB.

The worm has a multi-component structure: two different components that are dropped on the hard disk as three different files and run as stand-alone programs (the email worm and the Trojan). The worm routine is the main component; it carries the Trojan program body in its code and installs it on the system while infecting a new machine.

The worm component operates similarly to the ExploreZip worm: using Windows MAPI functions, it gets access to the Inbox and "answers" all unread messages. This routine has a bug and may cause a transport overload (see below).

The Trojan component is a variant of Trojan.PSW.Hooker. It sends information from infected computers to the email address ld8dl1@mailandnews.com.

When an infected file is run, the worm code gets control. It first installs its components on the system: the worm copies itself to the Windows directory as INETD.EXE and drops the Trojan component to the Windows directory as HKK32.EXE. The Trojan component is then executed; it moves itself to the Windows system directory under the name KERN32.EXE and drops an additional library (a key logger) named HKSDLL.DLL.

The worm then registers itself (the INETD.EXE file) in the system's auto-run locations. Under Win9x it writes a "run=" command to the [windows] section of the WIN.INI file, for example:

 [windows]
 load=
 run=C:\WINDOWS\INETD.EXE

Under WinNT/2000 the following registry key is created:

 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   RUN = C:\WINDOWS\INETD.EXE

The Trojan registers itself in the Registry under the RunOnce key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  kernel32 = kern32.exe

Because this is a "run once" key, the Trojan rewrites it on each start, so Windows keeps loading the Trojan file on every restart.

To hide its activity, the worm displays the following fake message and exits once installation on a new machine is complete:

 Install error
  File data corrupt:
  probably due to bad data transmission or bad disk access.

According to F-Secure, the worm does not send any messages out of the infected machine at first start; it does so on subsequent Windows restarts instead. The spreading routine is activated on the next Windows restart, when the worm copy is started from the INETD.EXE file (this file is run automatically because it is referenced from the "run" key in WIN.INI or the system registry).

The worm registers itself as a hidden (service) process and sleeps for about 5 minutes before activating its spreading routine.

While spreading, the worm gets access to the Windows MAPI functions, opens and reads all unread messages, and "answers" them with infected messages. The worm does not terminate; it stays active until Windows restarts and sends an infected message each time a new message arrives.

The infected message has text and an attached file. The attachment name is randomly selected from the following variants:

 Pics.ZIP.scr
 images.pif
 README.TXT.pif
 New_Napster_Site.DOC.scr
 news_doc.scr
 hamster.ZIP.scr
 YOU_are_FAT!.TXT.pif
 searchURL.scr
 SETUP.pif
 Card.pif
 Me_nude.AVI.pif
 Sorry_about_yesterday.DOC.pif
 s3msong.MP3.pif
 docs.scr
 Humor.TXT.pif
 fun.pif

The Subject field of worm messages is the same as in the original message, with a "Re:" prefix prepended.

The message body is a "reply" to the original message.

The worm uses a trick to avoid answering the same email again and to avoid answering its own messages received from other infected machines: it adds two spaces to the end of the Subject line and does not reply to messages whose Subject ends that way. However, this protection does not work for messages received from other infected computers, because most email servers simply cut off all trailing spaces from the Subject line (in compliance with the RFC 822 email message standard). As a result, if an infected message arrives at an already infected machine, the worm immediately answers it and sends it back, initiating "looped" traffic with an endless stream of infected messages. This and other discrepancies in the worm code can cause an endless loop of infected messages, creating an enormous burden on mail servers.
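The Subject-marker failure described above, as an added example that is not part of the original page: a Python simulation in which two infected hosts bounce one message back and forth. The worm-side reply logic, the mail hop that trims trailing spaces from the Subject, and the gateway rule that holds "Re:" replies carrying a .pif or .scr attachment (the extensions every name in the list above ends in) are simplified models written for this example, not code from the worm or from any real mail product, and the addresses and message are constructed.

```python
MARKER = "  "                        # the two trailing spaces the worm appends to an answered Subject
WORM_ATTACHMENT = "README.TXT.pif"   # one of the attachment names listed on this page

# Constructed clean message from host A to host B; in the simulation both hosts are infected.
CLEAN_MESSAGE = {"from": "a@example.test", "to": "b@example.test",
                 "subject": "meeting notes", "attachment": None}


def worm_reply(msg):
    """Worm-side logic as the page describes it: skip a Subject that already carries the marker,
    otherwise 'answer' with "Re:" prepended, the marker appended and an infected attachment."""
    if msg["subject"].endswith(MARKER):
        return None
    return {"from": msg["to"], "to": msg["from"],
            "subject": "Re: " + msg["subject"] + MARKER,
            "attachment": WORM_ATTACHMENT}


def mail_hop(msg, strip_trailing_ws=True):
    """One mail-server hop. Most servers trim trailing whitespace from the Subject header,
    which is exactly what removes the worm's marker in transit."""
    out = dict(msg)
    if strip_trailing_ws:
        out["subject"] = out["subject"].rstrip()
    return out


def gateway_quarantines(msg):
    """Defender-side rule modelled on the page's description: a "Re:" reply whose attachment
    ends in .pif or .scr is held at the gateway instead of being delivered."""
    att = (msg.get("attachment") or "").lower()
    return msg["subject"].lstrip().lower().startswith("re:") and att.endswith((".pif", ".scr"))


def simulate(initial, strip_trailing_ws=True, gateway_on=False, max_hops=50):
    """Bounce the message between the two infected hosts and count infected messages actually
    delivered. max_hops caps the otherwise endless loop so the function terminates."""
    delivered = 0
    msg = initial
    for _ in range(max_hops):
        reply = worm_reply(msg)
        if reply is None:
            break                     # marker survived transit: the worm stops answering
        msg = mail_hop(reply, strip_trailing_ws)
        if gateway_on and gateway_quarantines(msg):
            break                     # held at the gateway: nothing reaches the other host
        delivered += 1
    return delivered


if __name__ == "__main__":
    print("marker preserved in transit:", simulate(CLEAN_MESSAGE, strip_trailing_ws=False))
    print("marker stripped in transit :", simulate(CLEAN_MESSAGE))
    print("stripped, gateway rule on  :", simulate(CLEAN_MESSAGE, gateway_on=True))
```

With the marker preserved, exactly one infected reply is delivered before the second host sees the trailing spaces and stops; with the marker stripped, the exchange only ends because of the `max_hops` cap, which is the loop the text describes; with the gateway rule enabled, the first infected reply is held and the loop never starts.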
