DejaNET Communications - Welcome To Our New Site!


W32.Badtrans.B@mm
SPECIAL ALERT
November 26, 2001 - MUSKEGON, MI - DejaNET Communications today has received yet another email containing the W32.Badtrans.b worm.  The first was received two days ago. This virus/worm was originally discovered on November 24, 2001.

W32.Badtrans.B@mm is a MAPI worm that emails itself out under one of several different file names. This worm also creates a DLL in the \Windows\System directory as Kdll.dll and uses functions from this DLL to log keystrokes. This should not be confused with the file SKDLL.DLL, which is an innocent file included in some Windows installations.

This is a variant of the known Badtrans.A worm, updated with some new tricks.

W32.Badtrans.B@mm is a mass-mailing worm that drops a remote-access Trojan. The virus arrives via email in Microsoft Outlook and attempts to send itself by replying to unread email messages. The email may contain the text "Take a look to the attachment" in the message body and will carry an attachment that is 13,312 bytes in length. The attachment name is assembled from three sections.

This new variant also uses the iframe exploit and an incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin MS01-020 for more information and a patch. This worm, like the recent W32/Aliz and W32/Nimda worms, uses a special trick to execute even if a mail is merely opened or previewed in Outlook/Outlook Express.

If the attachment is opened, the worm displays a message box entitled "Install error" that reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE, and an entry is added to the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor Trojan) and HKSDLL.DLL (a valid keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the Trojan upon system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe 

Once running, the Trojan attempts to mail the victim's IP address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the Trojan contains a keylogger program capable of capturing other vital information such as credit card and bank account numbers and passwords.

The "From:" address will often have been changed by the worm so that it begins with an underscore. Thus, attempting to reply to such an address will normally bounce unless the underscore is removed.
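The message traits described above (the body text, the 13,312-byte attachment, the underscore-prefixed "From:" address and the iframe auto-launch) can be checked mechanically at the mail gateway. The following is an added example, not part of the DejaNET alert; the indicator values are taken from the alert, while the sample messages, addresses and file name are constructed for the demonstration.

```python
# Added example (not from the DejaNET alert): flag messages showing the
# Badtrans.B traits the alert lists. Sample messages below are constructed.
import email
import email.utils
from email import policy
from email.message import EmailMessage
BADTRANS_BODY = "Take a look to the attachment"   # body text from the alert
BADTRANS_ATTACHMENT_SIZE = 13312                  # attachment size from the alert


def triage_message(raw: bytes) -> set:
    """Return the set of Badtrans.B indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    # The worm rewrites From: so the local part begins with an underscore.
    local_part = email.utils.parseaddr(str(msg.get("From", "")))[1].split("@")[0]
    if local_part.startswith("_"):
        hits.add("from-underscore")
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_disposition() == "attachment" or part.get_filename():
            if len(payload) == BADTRANS_ATTACHMENT_SIZE:
                hits.add("attachment-13312-bytes")
        elif part.get_content_type() == "text/plain":
            if BADTRANS_BODY.lower() in payload.decode(errors="replace").lower():
                hits.add("body-text")
        elif part.get_content_type() == "text/html":
            # The auto-launch <iframe> only fires on systems missing MS01-020.
            if b"<iframe" in payload.lower():
                hits.add("html-iframe")
    return hits


def build_sample(infected: bool) -> bytes:
    """Constructed message (not a real capture) with or without the traits."""
    m = EmailMessage()
    m["From"] = "_alice@example.invalid" if infected else "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "Re: status"
    m.set_content(BADTRANS_BODY if infected else "Notes from today attached.")
    if infected:
        m.add_alternative('<html><body><iframe src="cid:x"></iframe></body></html>',
                          subtype="html")
    size = BADTRANS_ATTACHMENT_SIZE if infected else 2048
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()
```

A message matching all four indicators is a strong candidate for quarantine; a single hit (for example only the body text) warrants review rather than automatic action.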

IT IS VERY IMPORTANT TO KEEP YOUR ANTIVIRUS DEFINITIONS UP TO DATE!

The latest Norton definitions dated 11/24/2001 will cover this virus/worm.

More detailed info is available from Symantec's web site:

http://www.sarc.com/avcenter/venc/data/w32.badtrans.b@mm.html
MORE INFO AND LINKS

Worm Hitting Home For The Holidays - C|Net

DejaNET World News Service
Last Modified: 11/26/2001
Copyright 2001 DejaNET Communications