W32/Badtrans.B@mm spreads by e-mail via infected attachments. This new variant spreads faster than its older sibling because it uses two methods of infecting a computer. The worm can be started by clicking on the attachment (and thus running it) in any e-mail client, but it also uses a security flaw in Microsoft's Outlook and Outlook Express. The attachment can thus be started simply by viewing or previewing the message in Outlook and Outlook Express. A patch from Microsoft to fix this vulnerability is available on Microsoft's site:
An infected e-mail has the following characteristics:
The "From" line contains either the original sender of the message or a fake address chosen at random from a list. The list of fake addresses that the worm uses contains these names and addresses:
Anna [aizzo@home.com]
JUDY [JUJUB271@AOL.COM]
Rita Tulliani [powerpuff@videotron.ca]
Tina [tina0828@yahoo.com]
Kelly Andersen [Gravity49@aol.com]
Andy [andy@hweb-media.com]
Linda [lgonzal@hotmail.com]
Mon S [spiderroll@hotmail.com]
Joanna [joanna@mail.utexas.edu]
JESSICA BENAVIDES [jessica@aol.com]
Administrator [administrator@border.net]
Admin [admin@gte.net]
Support [support@cyberramp.net]
Monika Prado [monika@telia.com]
Mary L. Adams [mary@c-com.net]
Anna [lindaizzo@home.com]
JUDY [JUJUB@AOL.COM]
Tina [tina08@yahoo.com]
The "Subject" line is either empty, contains only "Re:", or contains "Re:" followed by the subject of an actual Inbox message.
The attachment's name is chosen at random from a list of possible filenames. These names are:
Card/CARD
fun/FUN
HAMSTER
Humor/HUMOR
images/IMAGES
info
Me_nude/ME_NUDE
New_napster_site
news_doc
Pics/PICS
S3MSONG
SEARCHURL
SETUP
Sorry_about_yesterday
stuff
YOU_are_FAT
The attachment has a double extension: the first is .DOC, .ZIP or .MP3, and the second is .SCR or .PIF.
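The sender, subject and attachment characteristics listed above can be turned into a simple mail-gateway check. The following is an added example (not F-Prot's code) that parses a raw message with Python's standard email library and reports which of the advisory's indicators it matches; the sample message is constructed here for illustration.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Indicators taken from the advisory text above (compared case-insensitively).
FAKE_SENDERS = {
    "aizzo@home.com", "jujub271@aol.com", "powerpuff@videotron.ca", "tina0828@yahoo.com",
    "gravity49@aol.com", "andy@hweb-media.com", "lgonzal@hotmail.com", "spiderroll@hotmail.com",
    "joanna@mail.utexas.edu", "jessica@aol.com", "administrator@border.net", "admin@gte.net",
    "support@cyberramp.net", "monika@telia.com", "mary@c-com.net", "lindaizzo@home.com",
    "jujub@aol.com", "tina08@yahoo.com",
}
ATTACHMENT_NAMES = {
    "card", "fun", "hamster", "humor", "images", "info", "me_nude", "new_napster_site",
    "news_doc", "pics", "s3msong", "searchurl", "setup", "sorry_about_yesterday", "stuff", "you_are_fat",
}
# <name>.<DOC|ZIP|MP3>.<SCR|PIF>: the double extension described in the advisory
ATTACHMENT_RE = re.compile(r"^([^.]+)\.(doc|zip|mp3)\.(scr|pif)$", re.IGNORECASE)


def is_badtrans_attachment(filename):
    """True when the filename has the worm's double extension and one of its base names."""
    m = ATTACHMENT_RE.match(filename or "")
    return bool(m) and m.group(1).lower() in ATTACHMENT_NAMES


def scan_message(raw):
    """Return the list of Badtrans.B indicators found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in FAKE_SENDERS:
        hits.append(f"sender {addr} is on the worm's fake-address list")
    for part in msg.walk():
        name = part.get_filename()
        if is_badtrans_attachment(name):
            hits.append(f"attachment {name} matches the worm's naming pattern")
    return hits


# Constructed sample message mimicking the characteristics described above.
SAMPLE = """\
From: Anna <aizzo@home.com>
To: user@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Humor.MP3.scr"
Content-Disposition: attachment; filename="Humor.MP3.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```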
When W32/Badtrans.B infects a computer it searches for e-mail addresses to send itself to. It finds these addresses both by scanning all *.HTM/*.HTML and *.ASP files for e-mail addresses and by using MAPI functions to read all e-mails in the infected computer's Inbox and harvesting the e-mail addresses it finds.
The Trojan that is left on an infected computer sends information gathered from the infected computer to a Hotmail e-mail address. The Trojan is a keylogger and a password stealer: it records keystrokes on the infected machine and sends the information by e-mail. It also drops a known password-stealing program onto the computer that sends out any cached passwords.
W32/Badtrans.B@mm is detected and removed with F-Prot Antivirus™ for Windows/Linux/DOS using virus definition files from the 25th of November.
Customers are strongly encouraged to update, using the Updater in F-Prot Antivirus™ for Windows, or by downloading the newest virus definition files for F-Prot Antivirus for Linux/DOS.