Badtrans
AutoReply with a twist
Microsoft recently came under fire for providing hotfixes infected with the FunLove virus to their premium support customers. What could be worse? Imagine a virus that lies in wait for incoming emails, then replies to each one, paraphrasing the original text and adding a malicious attachment before sending it out in your name. BadTrans is just that type of virus and according to MessageLabs, should be considered a high risk.

As Karen Thompson discovered, viruses like BadTrans can be a real embarrassment - the virus emailed itself to subscribers of her newsletter. Karen noted, "That I was completely unable to control the spread of the virus as long as anyone sent me a single email was the most frustrating aspect of the virus." Like many, Karen downloaded a popular antivirus product from the web, assuming it would take care of the threat. InoculateIT did report that the virus had been disinfected, but although Karen seemed to be doing everything right, the virus would not go away. Each time Karen rebooted, she became reinfected. As it turns out, only one of the three infected files had been cleaned.

So where did Karen go wrong? Essentially, antivirus software can only disinfect files for which it has an exact signature. The copy of InoculateIT had not been updated and thus was not able to accurately identify the offending files. Even though it said the virus was removed, it was not. After following manual removal instructions, Karen was able to defeat the virus.

BadTrans installs itself in such a way as to virtually guarantee its activation on a reboot. For example, on Windows 9x, BadTrans modifies both the Registry and the WIN.INI file to ensure its continued infection. Thus, manual removal on a Windows 9x system entails:

Editing the WIN.INI
To access the WIN.INI file, click Start | Run and type WIN.INI. The file should open in Notepad. Search for the following:
[windows]
load=
run=C:\WINDOWS\INETD.EXE
and delete C:\WINDOWS\INETD.EXE from the run= line, leaving the run= entry empty.

Editing the Registry
The trojan registers itself in the Registry in the RunOnce key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
kernel32 = kern32.exe

To access the registry, click Start | Run and type REGEDIT. Locate the RunOnce key and delete the value kernel32 = kern32.exe.

Note: Modifying the registry should not be attempted unless you are familiar with the underlying principles of the registry.

Deleting the files
Next, reboot the system in DOS mode and delete the following files:

C:\windows\inetd.exe
C:\windows\system\hksdll.dll
C:\windows\system\kern32.exe
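As an added example that is not part of the original article, the Python script below audits the two autostart entries from the WIN.INI and Registry steps above, working offline over a WIN.INI text and a REGEDIT4 export (both constructed samples embedded in the code) rather than a live system, and produces the cleaned WIN.INI the first step calls for. The file deletion step is left to the reader, since an offline check cannot inspect the files.

```python
# Added example (not the article's own): an offline audit of the two autostart
# entries the removal steps describe, over WIN.INI text and a REGEDIT4 export
# (constructed samples below), plus a WIN.INI cleanup matching those steps.
import re

INETD_RE = re.compile(r"inetd\.exe", re.IGNORECASE)
KERN32_RE = re.compile(r"kern32\.exe", re.IGNORECASE)
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"  # the article's HKLM key as a .reg export writes it

def section_entries(text, section):
    """key=value pairs under [section] in INI-style text (WIN.INI or a .reg export)."""
    entries, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].lower() == section.lower()
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().strip('"').lower()] = value.strip().strip('"')
    return entries

def find_persistence(win_ini, reg_export):
    """Findings for the WIN.INI and RunOnce entries the article names (empty if clean)."""
    findings = []
    win = section_entries(win_ini, "windows")
    for key in ("load", "run"):
        if INETD_RE.search(win.get(key, "")):
            findings.append(f"WIN.INI [windows] {key}={win[key]}")
    for key, value in section_entries(reg_export, RUNONCE_KEY).items():
        if KERN32_RE.search(value):
            findings.append(f"RunOnce {key}={value}")
    return findings

def clean_win_ini(text):
    """Return WIN.INI with INETD.EXE dropped from load=/run=; other lines are untouched."""
    out, in_windows = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
        elif in_windows and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("load", "run") and INETD_RE.search(value):
                raw = f"{key.strip()}="  # keep the key so the section stays valid
        out.append(raw)
    return "\n".join(out) + "\n"

# Constructed samples mirroring the entries listed in the article.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = f'REGEDIT4\n\n[{RUNONCE_KEY}]\n"kernel32"="kern32.exe"\n'
```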

Prevention is the best medicine
Unfortunately, stories like Karen's are all too common. Email is a veritable conveyor belt for viruses, facilitating their rapid distribution. Before ending up in Karen's situation, consider the following preventative measures:

  • Don't open attachments received unexpectedly, regardless of their source. Email-borne viruses often appear to be from someone you know.
  • Keep your antivirus software updated.
  • Use a content filtering product to quarantine suspicious files before they reach (or leave) your inbox.

A (painful) lesson learned
Karen's experience taught her to be more wary of email attachments. "Had I thought more seriously about the partial message and the peculiar phrase added, I might have not opened it at all."

©2009 About.com, a part of The New York Times Company.

All rights reserved.