FRISK Software International


Summary of W32/Badtrans.B@mm
Alias:BadtransII, I-Worm.BadtransII, W95/Badtrans.B@mm
Discovered: 24 Nov 2001
Definition files: 25 Nov 2001
Risk Level: Medium
Distribution:High
Infection Method: Mass mailing.
Payload: Logs keystrokes, password stealer
 

Brief Description

A new variant of W32/Badtrans@mm, called W32/Badtrans.B@mm, was found in the wild on the 24th of November. Like its predecessor, it has the characteristics of both a worm and a trojan.



Technical Description

W32/Badtrans.B@mm spreads by e-mail via infected attachments. This new variant spreads faster than its older sibling because it uses two methods of infecting a computer. The worm can be started by clicking on the attachment (and thus running it) in any e-mail client, but it also uses a security flaw in Microsoft's Outlook and Outlook Express. The attachment can thus be started simply by viewing or previewing the message in Outlook or Outlook Express. A patch from Microsoft to fix this vulnerability is available on Microsoft's site:

An infected e-mail has the following characteristics:

The "From" line contains either the original sender of the message or a fake address chosen at random from a list. The list of fake addresses that the worm uses contains these names and addresses:

Anna    [aizzo@home.com]
JUDY    [JUJUB271@AOL.COM]
Rita Tulliani    [powerpuff@videotron.ca]
Tina    [tina0828@yahoo.com]
Kelly Andersen    [Gravity49@aol.com]
Andy    [andy@hweb-media.com]
Linda    [lgonzal@hotmail.com]
Mon S    [spiderroll@hotmail.com]
Joanna    [joanna@mail.utexas.edu]
JESSICA BENAVIDES    [jessica@aol.com]
Administrator    [administrator@border.net]
Admin    [admin@gte.net]
Support    [support@cyberramp.net]
Monika Prado    [monika@telia.com]
Mary L. Adams    [mary@c-com.net]
Anna    [lindaizzo@home.com]
JUDY    [JUJUB@AOL.COM]
Tina    [tina08@yahoo.com]

The "Subject" line is either empty or contains only "Re:"; it can also contain "Re:" followed by the subject of an actual message from the Inbox.

The attachment's name is chosen at random from a list of possible filenames. These names are:

Card/CARD
fun/FUN
HAMSTER
Humor/HUMOR
images/IMAGES
info
Me_nude/ME_NUDE
New_napster_site
news_doc
Pics/PICS
S3MSONG
SEARCHURL
SETUP
Sorry_about_yesterday
stuff
YOU_are_FAT

The attachment has a double extension. The first extension is .DOC, .ZIP or .MP3, and the second is either .SCR or .PIF.
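The sender, subject and attachment characteristics described above can be turned into a simple mail-gateway check. The following is an added example, not code from FRISK or from the advisory; the indicator lists are copied from the text above, the sample message is constructed, and the function and variable names are the example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Fake "From" addresses and attachment base names listed in the advisory above.
FAKE_SENDERS = {
    "aizzo@home.com", "jujub271@aol.com", "powerpuff@videotron.ca", "tina0828@yahoo.com",
    "gravity49@aol.com", "andy@hweb-media.com", "lgonzal@hotmail.com", "spiderroll@hotmail.com",
    "joanna@mail.utexas.edu", "jessica@aol.com", "administrator@border.net", "admin@gte.net",
    "support@cyberramp.net", "monika@telia.com", "mary@c-com.net", "lindaizzo@home.com",
    "jujub@aol.com", "tina08@yahoo.com"}
ATTACHMENT_NAMES = {
    "card", "fun", "hamster", "humor", "images", "info", "me_nude", "new_napster_site",
    "news_doc", "pics", "s3msong", "searchurl", "setup", "sorry_about_yesterday", "stuff",
    "you_are_fat"}
# Double extension described above: <name>.<doc|zip|mp3>.<scr|pif>, case-insensitive.
ATTACHMENT_RE = re.compile(r"^([^.]+)\.(doc|zip|mp3)\.(scr|pif)$", re.IGNORECASE)

def attachment_matches(filename):
    m = ATTACHMENT_RE.match(filename.strip())
    return bool(m) and m.group(1).lower() in ATTACHMENT_NAMES

def badtrans_b_indicators(raw_message):
    """Return the advisory indicators matched by a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() in FAKE_SENDERS:
        hits.append("from")
    subject = msg.get("Subject", "").strip()
    if subject == "" or subject.startswith("Re:"):
        hits.append("subject")  # weak alone: many legitimate replies look like this
    if any(attachment_matches(p.get_filename() or "") for p in msg.walk()):
        hits.append("attachment")  # the strong indicator
    return hits

def is_badtrans_b_like(raw_message):
    """Flag on the attachment pattern, or on a listed fake sender plus a Re:/empty subject."""
    hits = badtrans_b_indicators(raw_message)
    return "attachment" in hits or ("from" in hits and "subject" in hits)

# Constructed sample (not a real capture) that exercises all three indicators.
SAMPLE_MESSAGE = """\
From: Anna <aizzo@home.com>
Subject: Re: meeting notes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Card.doc.pif"
Content-Disposition: attachment; filename="Card.doc.pif"

AAAA
--b1--
"""
```

Calling `badtrans_b_indicators(SAMPLE_MESSAGE)` returns all three indicator names; a plain reply with a listed subject but an unlisted sender and no double-extension attachment is not flagged.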

When W32/Badtrans.B infects a computer it searches for e-mail addresses to send itself to. It finds these addresses both by scanning all *.HTM/*.HTML and *.ASP files for e-mail addresses and by using MAPI functions to read all e-mails in the infected computer's Inbox and harvesting the e-mail addresses it finds.

The Trojan that is left on an infected computer sends information gathered from the infected computer to a Hotmail e-mail address. The Trojan is a keylogger and a password stealer. It records keystrokes on the infected machine and sends the information by e-mail. It also drops a known password-stealing program onto the computer that sends out any cached passwords.

W32/Badtrans.B@mm is detected and removed with F-Prot Antivirus™ for Windows/Linux/DOS using virus definition files from the 25th of November.

Customers are strongly encouraged to update, using the Updater in F-Prot Antivirus™ for Windows, or by downloading the newest virus definition files for F-Prot Antivirus for Linux/DOS.



Removal Instructions

If you are running Windows 95 / 98 / ME:

Please start your computer in DOS mode and use F-Prot for DOS. To boot into DOS, press START \ SHUT DOWN \ RESTART IN MS-DOS MODE.
Windows ME users must use a Windows startup disk to start the computer in MS-DOS mode.

In DOS mode at the command prompt type:

cd \            [ENTER]
cd progra~1     [ENTER]
cd fsi          [ENTER]
cd f-prot       [ENTER]
f-prot.exe      [ENTER]

Set the scanner to “Automatic disinfection.”

If you are running Windows NT / 2000 / XP:

  1. Click "Start" / "Run", type "cmd" and press ENTER
  2. A Command Prompt window appears
  3. Press "Ctrl-Alt-Del" once and click on "Processes"
  4. In "Processes" find "Explorer.exe" and select "End process". The Desktop will disappear; only the background/wallpaper and the Command Prompt window will remain visible.
  5. Also find "kernel32.exe" and select "End process".
  6. In the command prompt window type the following:
    cd \            [ENTER]
    cd program files        [ENTER]
    cd fsi          [ENTER]
    cd f-prot       [ENTER]
    
    fpcmd c: /disinf /auto /list [ENTER]
    

When the scanning is done type:

explorer [ENTER]

The Desktop should reappear and you can close the command prompt window.

If you need further information please contact our support department.


FRISK Software International's Viruslab Team