WORM_BADTRANS.A

Malware type: Worm

Aliases: Email-Worm.Win32.Badtrans.a (Kaspersky), W32/BadTrans@MM (McAfee), W32.Badtrans.gen@mm (Symantec), Worm/BadTrans.1 (Avira), W32/Badtrans-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Medium

Description: 

This worm propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine and stays resident in memory upon execution. It spreads via email by replying to all unread email messages on the target system, with itself as an attachment. It randomly chooses the file name of the email attachment from this list:

  • Pics.ZIP.scr
  • images.pif
  • README.TXT.pif
  • New_Napster_Site.DOC.scr
  • news_doc.scr
  • hamster.ZIP.scr
  • YOU_are_FAT!.TXT.pif
  • searchURL.scr
  • SETUP.pif
  • Card.pif
  • Me_nude.AVI.pif
  • Sorry_about_yesterday.DOC.pif
  • s3msong.MP3.pif
  • docs.scr
  • Humor.TXT.pif
  • fun.pif

The email that it sends out retains the subject and message body of the original unread email, while the name of the email sender is the username of the current user.

This worm also logs all keystrokes made on the infected system and steals all cached passwords. In addition, it modifies the registry and the configuration file WIN.INI to enable its automatic execution at every Windows startup.

Description created: Apr. 12, 2001 9:52:52 AM GMT -0800
Description updated: Oct. 12, 2001 1:37:37 AM GMT -0800


TECHNICAL DETAILS


Size of malware: INETD.EXE: 13,312 Bytes
KERN32.EXE: 21,882 Bytes

Initial samples received on: Apr 13, 2001

Payload 1: Replies to all unread email messages

Trigger condition 1: Upon system startup

Details:

Arrival and Installation

Upon execution, this memory-resident worm displays a message box with the following text:

"WinZip self-eXtractor File data corrupt: bad disk access or bad data transmission."

It creates a copy of itself as the file INETD.EXE, in the Windows directory and then drops the files KERN32.EXE and CP_23421.NLS in the Windows system directory.

Mailing Routine

This worm spreads via email using its own SMTP engine. It uses WSOCK32 functions to reply to all unread email messages on the target system and attaches a copy of itself to the email that is sent out. It retains the subject and message body of the original unread email and then enters the username of the current user as the sender of the email.

The email attachment may have any of the following file names:

  • Pics.ZIP.scr
  • images.pif
  • README.TXT.pif
  • New_Napster_Site.DOC.scr
  • news_doc.scr
  • hamster.ZIP.scr
  • YOU_are_FAT!.TXT.pif
  • searchURL.scr
  • SETUP.pif
  • Card.pif
  • Me_nude.AVI.pif
  • Sorry_about_yesterday.DOC.pif
  • s3msong.MP3.pif
  • docs.scr
  • Humor.TXT.pif
  • fun.pif
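A mail-gateway check for the attachment names listed above, as an added example that is not part of the Trend Micro write-up. The file names are the ones the description gives; the double-extension heuristic (an executable .scr/.pif extension hiding behind a decoy document or media extension), the function names and the sample message are this example's own constructions.

```python
"""Attachment-name heuristic for BadTrans-style worm mail.

Added example, not Trend Micro's code. BADTRANS_ATTACHMENT_NAMES is the
list from the description; everything else here is constructed.
"""
import email
import os
from email import policy

# Attachment names the description says the worm picks from at random.
BADTRANS_ATTACHMENT_NAMES = {
    "Pics.ZIP.scr", "images.pif", "README.TXT.pif", "New_Napster_Site.DOC.scr",
    "news_doc.scr", "hamster.ZIP.scr", "YOU_are_FAT!.TXT.pif", "searchURL.scr",
    "SETUP.pif", "Card.pif", "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "s3msong.MP3.pif", "docs.scr", "Humor.TXT.pif", "fun.pif",
}
_KNOWN_LOWER = {n.lower() for n in BADTRANS_ATTACHMENT_NAMES}

# Extensions Windows executes regardless of what precedes them.
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions the worm uses as the decoy "inner" extension (ZIP.scr, DOC.pif ...).
DECOY_EXTS = {".zip", ".txt", ".doc", ".avi", ".mp3"}


def classify_attachment(name: str) -> str:
    """Return 'known', 'suspicious' or 'clean' for one attachment file name.

    'known'      - case-insensitive match against the worm's own list
    'suspicious' - executable final extension behind a decoy document/media
                   extension, or any .scr/.pif attachment at all
    'clean'      - anything else (plain .exe without a decoy is left to
                   other controls; this heuristic targets the pattern above)
    """
    lower = name.lower()
    if lower in _KNOWN_LOWER:
        return "known"
    root, ext = os.path.splitext(lower)
    if ext in EXECUTABLE_EXTS:
        _, inner = os.path.splitext(root)
        if inner in DECOY_EXTS or ext in {".scr", ".pif"}:
            return "suspicious"
    return "clean"


# Constructed sample: a reply-style message carrying one of the worm's names.
SAMPLE_MESSAGE = """\
From: alice
To: bob@example.com
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="Card.pif"
Content-Disposition: attachment; filename="Card.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def attachment_verdicts(raw_message: str) -> dict:
    """Map every attachment file name in a raw RFC 822 message to its verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            verdicts[filename] = classify_attachment(filename)
    return verdicts


if __name__ == "__main__":
    for name, verdict in attachment_verdicts(SAMPLE_MESSAGE).items():
        print(f"{name}: {verdict}")
```

The exact-name match catches this particular worm; the double-extension rule is the part worth keeping in a gateway, since the same disguise (a document or archive extension followed by .scr or .pif) is what makes the lure work regardless of the specific file name.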

Autostart Techniques

This worm creates this registry entry to be able to execute itself automatically during Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunOnce
kernel32 = "kern32.exe"

It also modifies the configuration file, WIN.INI, so that the copy of the worm, INETD.EXE, executes automatically during Windows startup:

run=%Windows%\INETD.EXE

where %Windows% is the Windows directory, usually C:\Windows or C:\WINNT.

Password Stealing Routine

This worm checks cached passwords and logs all keystrokes made on the infected system so that it can steal passwords. Its dropped file, KERN32.EXE, is responsible for carrying out this routine.

It utilizes the non-malicious data file, CP_23421.NLS, to store all keystrokes made on the infected system, while the file HKSDLL.DLL is used to check the state of the keyboard.

(Note: Trend Micro detects KERN32.EXE and HKSDLL.DLL as WORM_BADTRANS.A.)

Revision History:

First pattern file version: 5.612.13
First pattern file release date: Oct 22, 2008

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 5.613.00

Pattern release date: Oct 22, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_BADTRANS.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier as WORM_BADTRANS.A.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting the additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunOnce
  3. In the right panel, locate and delete the entry or entries:
    kernel32 = "kern32.exe"
  4. Close Registry Editor.

Removing Autostart Entries from System Files

Malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

  1. Open System Configuration Editor. To do this, click Start>Run, type SYSEDIT, then press Enter.
  2. In System Configuration Editor, select the WIN.INI window.
  3. Under the [windows] section, locate the lines that begin with:
    load =
    run =
  4. From the same lines, delete the malware path and filename:
    %Windows%\INETD.EXE
    %Windows% refers to the Windows directory, usually C:\Windows or C:\WinNT.
  5. Close System Configuration Editor and click Yes when prompted to save.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
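An offline check for the two autostart entries described under Autostart Techniques and removed in the two procedures above, as an added example that is not part of the Trend Micro write-up. It parses a WIN.INI text for [windows] load=/run= programs and a Registry Editor export (.reg) for the RunOnce value; it reports the worm entries and returns a cleaned WIN.INI with other programs on the same line preserved. The file names INETD.EXE and kern32.exe and the RunOnce key come from the page; the function names and both sample inputs are constructed, and the script works on saved copies of the files rather than the live system.

```python
"""Find and strip BadTrans autostart entries in WIN.INI and a .reg export.

Added example, not Trend Micro's code. WORM_FILES and RUNONCE_KEY come from
the write-up; sample inputs and function names are constructed.
"""
import ntpath
import re

WORM_FILES = {"inetd.exe", "kern32.exe"}
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed WIN.INI: a legitimate run= program followed by the worm's copy.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\Tools\\agent.exe C:\\WINDOWS\\INETD.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed REGEDIT export of the RunOnce key as the write-up describes it.
SAMPLE_REG_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"kernel32"="kern32.exe"
"""


def _split_programs(value):
    # WIN.INI load=/run= accept several programs separated by spaces or commas
    # (paths of that era were 8.3 names, so no embedded spaces).
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def _is_worm(program):
    return ntpath.basename(program).lower() in WORM_FILES


def find_autostart_entries(ini_text):
    """Return [(key, program)] for every load=/run= program in [windows]."""
    found, in_windows = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            continue
        if in_windows and "=" in s:
            key, _, value = s.partition("=")
            if key.strip().lower() in ("load", "run"):
                found.extend((key.strip().lower(), p) for p in _split_programs(value))
    return found


def find_worm_entries(ini_text):
    """Only the load=/run= programs whose file name matches the worm."""
    return [(k, p) for k, p in find_autostart_entries(ini_text) if _is_worm(p)]


def remove_worm_entries(ini_text):
    """Return WIN.INI text with worm programs dropped from load=/run= lines."""
    out, in_windows = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
        elif in_windows and "=" in s:
            key, _, value = s.partition("=")
            if key.strip().lower() in ("load", "run"):
                kept = [p for p in _split_programs(value) if not _is_worm(p)]
                out.append(f"{key.strip()}={' '.join(kept)}")
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def find_runonce_worm_values(reg_text):
    """Return [(value_name, data)] under RunOnce whose data names a worm file.

    String data in .reg exports is quoted; backslash escapes are not
    unescaped here because the worm's value carries a bare file name.
    """
    found, current = [], None
    for line in reg_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
        elif current and current.lower() == RUNONCE_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', s)
            if m and _is_worm(m.group(2)):
                found.append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    print("WIN.INI:", find_worm_entries(SAMPLE_WIN_INI))
    print("RunOnce:", find_runonce_worm_values(SAMPLE_REG_EXPORT))
    print(remove_worm_entries(SAMPLE_WIN_INI))
```

Matching on the file name rather than the whole path is deliberate: the write-up gives %Windows% as "usually" C:\Windows or C:\WINNT, so a full-path comparison would miss a non-default Windows directory.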

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_BADTRANS.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
