W32/Badtrans.B@mm spreads by e-mail via infected attachments. This new variant spreads faster than its older sibling because it uses two methods of infecting a computer. The worm can be started by clicking on the attachment (and thus running it) in any e-mail client, but it also uses a security flaw in Microsoft's Outlook and Outlook Express. The attachment can thus be started simply by viewing or previewing the message in Outlook and Outlook Express. A patch from Microsoft to fix this vulnerability is available on Microsoft's site:
An infected e-mail has the following characteristics:
The "From" line contains either the original sender of the message or a fake address chosen at random from a list. The list of fake addresses that the worm uses contains these names and addresses:
Rita Tulliani [email@example.com]
Kelly Andersen [Gravity49@aol.com]
Mon S [firstname.lastname@example.org]
JESSICA BENAVIDES [email@example.com]
Monika Prado [firstname.lastname@example.org]
Mary L. Adams [email@example.com]
The "Subject" line is either empty or contains only "Re:"; it can also contain "Re:" followed by the subject of an actual Inbox message.
The attachment's name is chosen at random from a list of possible filenames. These names are:
The attachment has a double extension. The first one can be .DOC, .ZIP or .MP3, while the second is either .SCR or .PIF.
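The characteristics above (a "Re:" or empty subject, a spoofed sender from the list, and a document-looking first extension followed by an executable .SCR or .PIF one) are enough for a simple mail-gateway check. The following is an added example, not code from F-Prot or from this advisory: it parses a MIME message with Python's standard library and flags attachments matching the double-extension pattern. The sample messages, the attachment filename "SAMPLE.DOC.scr" and the base64 payload are constructed for illustration (the advisory's actual filename list is not reproduced here); the sender address is one of those listed above.

```python
import re
from email import message_from_string
from email.message import Message

# Pattern from the advisory: first extension .DOC/.ZIP/.MP3, second .SCR/.PIF.
# Windows hides the known second extension, so the user sees only the first.
DOUBLE_EXT_RE = re.compile(r"\.(doc|zip|mp3)\.(scr|pif)$", re.IGNORECASE)


def is_double_extension(filename: str) -> bool:
    """True when the name ends in <doc|zip|mp3>.<scr|pif>, e.g. 'x.DOC.pif'."""
    return DOUBLE_EXT_RE.search(filename or "") is not None


def suspicious_subject(subject: str) -> bool:
    """Subject is empty, exactly 'Re:', or 'Re:' followed by stolen text."""
    s = (subject or "").strip()
    return s == "" or s.lower().startswith("re:")


def classify_message(raw: str) -> dict:
    """Walk every MIME part and collect attachment names matching the pattern.

    The attachment pattern alone is decisive; the subject heuristic is only
    corroboration, since legitimate replies also start with 'Re:'.
    """
    msg: Message = message_from_string(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename or Content-Type name
        if name and is_double_extension(name):
            hits.append(name)
    return {
        "double_ext_attachments": hits,
        "subject_suspicious": suspicious_subject(msg.get("Subject", "")),
        "flag": bool(hits),
    }


# Constructed sample: spoofed sender from the advisory's list, "Re:" subject,
# and a double-extension attachment. The filename and payload are made up.
SAMPLE_INFECTED = """\
From: Kelly Andersen <Gravity49@aol.com>
To: someone@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/octet-stream; name="SAMPLE.DOC.scr"
Content-Disposition: attachment; filename="SAMPLE.DOC.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAA=
--b1--
"""

# Constructed benign sample: ordinary subject and a single-extension document.
SAMPLE_CLEAN = """\
From: colleague@example.com
To: someone@example.com
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached as discussed.
--b2
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAA=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, classify_message(raw))
```

The check deliberately keys on the attachment name rather than the subject: quarantining every "Re:" message would block normal replies, while a .DOC.SCR or .MP3.PIF attachment has no legitimate use and can be blocked at the gateway regardless of whether the client has been patched.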
When W32/Badtrans.B infects a computer it searches for e-mail addresses to send itself to. It finds these addresses both by scanning all *.HTM/*.HTML and *.ASP files for e-mail addresses and by using MAPI functions to read all e-mails in the infected computer's Inbox and harvesting the e-mail addresses it finds.
The Trojan that is left on an infected computer sends information gathered from the infected computer to a Hotmail e-mail address. The Trojan is a keylogger and a password stealer: it records keystrokes on the infected machine and sends the information out by e-mail. It also drops a known password-stealing program onto the computer that sends out any cached passwords.
W32/Badtrans.B@mm is detected and removed with F-Prot Antivirus™ for Windows/Linux/DOS using virus definition files from the 25th of November.
Customers are strongly encouraged to update, using the Updater in F-Prot Antivirus™ for Windows, or by downloading the newest virus definition files for F-Prot Antivirus for Linux/DOS.