
BadTrans.B
Detection and removal

By , About.com Guide

A variant of the BadTrans virus emerged on November 24, 2001. Dubbed W32.Badtrans.b by antivirus vendors, this new variant selects various options from three different lists to compose its attachment. The filename is selected from one of the following names: FUN, HUMOR, DOCS, S3MSONG, Sorry_about_yesterday, ME_NUDE, CARD, SETUP, SEARCHURL, YOU_ARE_FAT!, HAMSTER, NEWS_DOC, New_Napster_Site, README, IMAGES, PICS.

BadTrans.b uses a double extension ruse to take advantage of a vulnerability in the default settings of Windows. Unless the default settings are modified, users will not see the actual file extension, but rather the fake extension presented by the virus. This erroneous extension will be either .DOC, .MP3, or .ZIP. The Attachments Center provides instructions for changing default settings in Microsoft® Windows so that file extension viewing is properly enabled. The actual extension of the BadTrans attachment will be either .pif or .scr.

According to antivirus vendor Sophos, if the attached file is run, it copies itself into the Windows system directory with the filename KERNEL32.EXE and changes the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the worm runs the next time Windows is started. As part of its infection routine, BadTrans.B also drops a password-stealing Trojan, Troj.PWS.A, which logs keystrokes in an attempt to capture sensitive data such as user login information.

BadTrans.b will automatically execute the attachment in Microsoft Outlook and Outlook Express, if using Internet Explorer version 5.01 or 5.5 (click Help | About in Internet Explorer to discover your version). In the case of Outlook Express, it infects simply by the email appearing in the Preview Pane. While this was resolved some time ago in Microsoft Security Bulletin (MS01-020), many users (if not most) have not installed the patch. If you aren't sure how to interpret your version number to see whether you need the patch, Microsoft has a helpful page to help you determine the exact version. BadTrans.b is not the first virus to exploit this vulnerability; the Nimda worm used the same tactic.

BadTrans.b changes the From address in the header, prepending an underscore (_) to the address. Thus, replying to the email will be ineffective unless the _ is removed.
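The two mail-side traits described above (the double-extension attachment names and the underscore prepended to the From address) are straightforward to check for at a mail gateway or in a mailbox export. The following is an added example, not code from the original article or from any antivirus vendor; it parses a constructed .eml message with Python's standard email library and reports why each attachment looks like BadTrans.B. The attachment name list and extensions come from the article; the sample message, the sender address and the function names are assumptions made for the example.

```python
import email.utils
from email import policy
from email.parser import BytesParser

# Attachment base names BadTrans.B draws from (list taken from the article).
BADTRANS_NAMES = {
    "fun", "humor", "docs", "s3msong", "sorry_about_yesterday", "me_nude",
    "card", "setup", "searchurl", "you_are_fat!", "hamster", "news_doc",
    "new_napster_site", "readme", "images", "pics",
}
DECOY_EXTENSIONS = {".doc", ".mp3", ".zip"}   # what the user is meant to see
REAL_EXTENSIONS = {".pif", ".scr"}            # what Windows actually executes


def classify_attachment(filename):
    """Return the reasons an attachment name looks like BadTrans.B (empty if none)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)   # e.g. "FUN.DOC.pif" -> [fun, doc, pif]
    if len(parts) < 2:
        return reasons
    real = "." + parts[-1]
    if real in REAL_EXTENSIONS:
        reasons.append(f"attachment is executable ({real})")
        if len(parts) == 3 and "." + parts[1] in DECOY_EXTENSIONS:
            reasons.append(f"double extension: .{parts[1]} decoy hides {real}")
        if parts[0] in BADTRANS_NAMES:
            reasons.append(f"base name '{parts[0]}' is on the BadTrans.B list")
    return reasons


def sender_has_leading_underscore(from_header):
    """True if the address in a From header starts with '_', as BadTrans.B rewrites it."""
    _display, addr = email.utils.parseaddr(from_header)
    return addr.startswith("_")


def triage_message(raw_bytes):
    """Parse a raw RFC 822 message and collect BadTrans.B indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = {
        "sender_underscore": sender_has_leading_underscore(str(msg.get("From", ""))),
        "suspicious_attachments": {},
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_attachment(name)
        if reasons:
            findings["suspicious_attachments"][name] = reasons
    return findings


# Constructed sample message (not a real capture): sender rewritten with a leading
# underscore and a double-extension attachment, as the article describes.
SAMPLE_EML = b"""\
From: _alice@example.com
To: bob@example.com
Subject: (no subject)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

hello
--XX
Content-Type: application/octet-stream; name="FUN.DOC.pif"
Content-Disposition: attachment; filename="FUN.DOC.pif"
Content-Transfer-Encoding: base64

TVo=
--XX--
"""

if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The check keys on the attachment's real (last) extension first, so a plain `setup.scr` is still flagged even without a decoy extension; the decoy and the base-name match are reported as additional reasons rather than required ones.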

Removal Instructions
If possible, use updated antivirus software to detect and remove the virus. To remove the virus manually requires editing the system registry and should not be attempted unless familiar with such edits. Antivirus vendor F-Secure provides a comprehensive center for BadTrans removal, including free utilities to disable the virus and free trial software updated to protect against it. Just visit http://www.f-secure.com/v-descs/bt_b_dis.shtml.

To remove manually:

  1. Browse to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce registry key and remove the value "KERNEL32.EXE".
  2. Reboot the system in DOS mode, change to the Windows\System directory, and delete the following files:
     • kdll.dll
     • KERNEL32.EXE

If you have difficulty with either of these steps, it is recommended you visit http://www.f-secure.com/v-descs/bt_b_dis.shtml for tools and software to remove the worm automatically.

©2009 About.com, a part of The New York Times Company.

All rights reserved.