
Win32.Badtrans.B@mm

MEDIUM
LOW
29 KB
Aliases: I-Worm.BadtransII (KAV), Win32/Badtrans.B@mm (RAV)

Symptoms

The following files are present in the Windows System directory:

Kernel32.exe
Cp_25389.NLS
KDLL.DLL
PROTOCOL.DLL (only after sending infected e-mails)

Removal instructions:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: you will have to close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiBadB.exe tool does the following:
  • it deletes the files infected with Win32.Badtrans.B@mm;

  • it disinfects the files dropped by Win32.Badtrans.B@mm;

  • it kills the process from memory;

  • it repairs the Windows registry.


  • To prevent the virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.

You may also need to restore the affected files.

Analyzed By

Sorin Victor Dudea, BitDefender Virus Researcher

Technical Description:

The infected e-mail has the following format:

From: the e-mail address of the infected sender, or one of the following addresses:

"Anna" aizzo@home.com
"JUDY" JUJUB271@AOL.COM
"Rita Tulliani" powerpuff@videotron.ca
"Tina" tina0828@yahoo.com
"Kelly Andersen" Gravity49@aol.com
" Andy" andy@hweb-media.com
"Linda" lgonzal@hotmail.com
"Mon S" spiderroll@hotmail.com
"Joanna" joanna@mail.utexas.edu
"JESSICA BENAVIDES" jessica@aol.com
"Administrator" administrator@border.net
"Admin" admin@gte.net
"Support" support@cyberramp.net
"Monika Prado" monika@telia.com
"Mary L. Adams" mary@c-com.net

Subject: empty, or one of the following:

RE:
RE: [original subject]

Body: empty

Attachment: the attachment name is formed from one of the following words:

fun
Humor
docs
info
Sorry_about_yesterday
Me_nude Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics

The attachment extension is .scr or .pif, optionally preceded by .MP3, .DOC or .ZIP (for example .DOC.scr), so the attachment may carry a double extension.
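The sender list, subject pattern, empty body and attachment naming scheme above are enough for a mail-gateway rule. The following Python filter is an added example, not part of the Bitdefender description: it takes the names and addresses exactly as the page lists them (including "Me_nude Card" as one entry), matches them case-insensitively, and scores a raw RFC 822 message. The sample messages it builds are constructed for the demonstration, and the recipient address and attachment bytes are placeholders.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment base names exactly as listed in the description above.
BADTRANS_B_NAMES = [
    "fun", "Humor", "docs", "info", "Sorry_about_yesterday", "Me_nude Card",
    "SETUP", "stuff", "YOU_are_FAT!", "HAMSTER", "news_doc",
    "New_Napster_Site", "README", "images", "Pics",
]
INNER_EXTS = ("MP3", "DOC", "ZIP")   # optional middle extension
OUTER_EXTS = ("scr", "pif")          # executable extension that always ends the name

# Spoofed sender addresses from the description, lower-cased for comparison.
SPOOFED_SENDERS = {
    "aizzo@home.com", "jujub271@aol.com", "powerpuff@videotron.ca",
    "tina0828@yahoo.com", "gravity49@aol.com", "andy@hweb-media.com",
    "lgonzal@hotmail.com", "spiderroll@hotmail.com", "joanna@mail.utexas.edu",
    "jessica@aol.com", "administrator@border.net", "admin@gte.net",
    "support@cyberramp.net", "monika@telia.com", "mary@c-com.net",
}

# name + optional ".MP3/.DOC/.ZIP" + ".scr/.pif", matched case-insensitively.
ATTACHMENT_RE = re.compile(
    r"^(?:" + "|".join(re.escape(n) for n in BADTRANS_B_NAMES) + r")"
    r"(?:\.(?:" + "|".join(INNER_EXTS) + r"))?"
    r"\.(?:" + "|".join(OUTER_EXTS) + r")$",
    re.IGNORECASE,
)


def is_badtrans_attachment_name(filename: str) -> bool:
    """True if the attachment name follows the Badtrans.B naming scheme."""
    return ATTACHMENT_RE.match(filename.strip()) is not None


def classify_message(raw: bytes) -> dict:
    """Score one raw message against the indicators in the description.

    Returns {"verdict": "badtrans-b" | "suspicious" | "clean", "reasons": [...]}.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() in SPOOFED_SENDERS:
        reasons.append("From address %s is one of the spoofed senders" % sender)

    subject = (msg.get("Subject") or "").strip()
    subject_matches = subject == "" or subject.upper().startswith("RE:")

    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    body_empty = body_text.strip() == ""

    name_match = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_badtrans_attachment_name(name):
            name_match = True
            reasons.append("attachment %r matches the Badtrans.B naming scheme" % name)
        elif name.lower().endswith(tuple("." + e for e in OUTER_EXTS)):
            # An executable attachment inside the worm's envelope (empty body,
            # empty or "RE:" subject) is worth flagging even if the base name
            # is not on the list.
            if subject_matches and body_empty:
                reasons.append("executable attachment %r with empty body and RE: subject" % name)

    if name_match:
        verdict = "badtrans-b"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def build_sample_message(sender: str, subject: str, body: str, attachment_name: str) -> bytes:
    """Constructed test message (not a real capture) in the worm's format."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"   # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder-not-real-code", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm = build_sample_message('"Anna" <aizzo@home.com>', "RE:", "", "Humor.MP3.scr")
    clean = build_sample_message("alice@example.invalid", "Q3 figures", "See attached.", "figures.pdf")
    print(classify_message(worm))
    print(classify_message(clean))
```

The name match alone is treated as a positive, because the combination of the listed word with a trailing .scr or .pif is specific to this worm; the sender list and the empty-body/"RE:" envelope are kept as weaker indicators so that a gateway can quarantine rather than block on them.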

The worm uses the IFRAME vulnerability: on computers running Outlook Express it is executed simply by previewing the message. Computers with the security patch applied are infected only if the attachment is executed.

The description of the IFRAME exploit and the patch are available at this link:

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

After execution the worm copies itself into the Windows %System% directory as kernel32.exe and drops kdll.dll in the same location.

To ensure that it is executed again after a restart, it adds the following registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32]

with the value kernel32.exe.

It then deletes itself from the location it was executed from, gathers computer information (user name, computer name, RAS information, passwords and so on) and sends it to the following e-mail address: uckyjw@hotmail.com

The worm has two methods of collecting e-mail addresses: it searches *ht* and *.asp files in the Internet Cache directory, or it retrieves them with MAPI functions from e-mails received by the infected user.

It does not send itself twice to the same address because it records the addresses already used in %SYSTEM%\PROTOCOL.DLL.
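The dropped files and the RunOnce entry described above are the host-side indicators. The following Python check is an added example, not the AntiBadB.exe tool or any Bitdefender code: it looks for the four file names in a given System directory (case-insensitively, since the legitimate Windows library is kernel32.dll and a kernel32.exe there is not a normal Windows file) and reads the persistence entry through a small reader function. The page's "[...\RunOnce\Kernel32] with value kernel32.exe" notation can be read either as a value named Kernel32 under RunOnce or as a Kernel32 subkey with that default value, so both readings are checked. The winreg reader is only usable on Windows; the sample directory and sample reader are constructed stand-ins for an offline run.

```python
import os
import sys
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

# Files the worm drops in the Windows System directory (names from the description).
DROPPED_FILES = ["Kernel32.exe", "Cp_25389.NLS", "KDLL.DLL", "PROTOCOL.DLL"]

# Persistence entry from the description; both readings of the page's notation.
RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
PERSISTENCE_LOOKUPS = [(RUNONCE, "Kernel32"), (RUNONCE + r"\Kernel32", "")]
EXPECTED_DATA = "kernel32.exe"

# reader(key_path_under_HKLM, value_name) -> value data as str, or None if absent.
RegReader = Callable[[str, str], Optional[str]]


def find_dropped_files(system_dir) -> List[str]:
    """Return the dropped-file names present in system_dir (case-insensitive)."""
    present = {p.name.lower() for p in Path(system_dir).iterdir() if p.is_file()}
    return [name for name in DROPPED_FILES if name.lower() in present]


def winreg_reader(key_path: str, value_name: str) -> Optional[str]:
    """Read HKLM\\key_path\\value_name with winreg; None if missing (Windows only)."""
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            data, _ = winreg.QueryValueEx(key, value_name)
            return str(data)
    except OSError:
        return None


def check_persistence(reader: RegReader) -> List[str]:
    """Describe each persistence entry whose data points at kernel32.exe."""
    hits = []
    for key_path, value_name in PERSISTENCE_LOOKUPS:
        data = reader(key_path, value_name)
        if data is not None and data.strip().lower().endswith(EXPECTED_DATA):
            hits.append("HKLM\\" + key_path + "\\" + (value_name or "(Default)") + " = " + data)
    return hits


def scan(system_dir, reader: RegReader) -> dict:
    """Combine file and registry indicators into one result."""
    files = find_dropped_files(system_dir)
    persistence = check_persistence(reader)
    return {"files": files, "persistence": persistence,
            "infected": bool(files) or bool(persistence)}


def make_sample_system_dir(infected: bool = True) -> Path:
    """Constructed sample: a temp dir with (optionally) two dropped files plus a benign file."""
    d = Path(tempfile.mkdtemp(prefix="badtrans-sample-"))
    names = ["notepad.exe"] + (["kernel32.exe", "protocol.dll"] if infected else [])
    for name in names:
        (d / name).write_bytes(b"")
    return d


def sample_reader(key_path: str, value_name: str) -> Optional[str]:
    """Constructed registry stand-in reproducing the RunOnce value from the description."""
    return EXPECTED_DATA if (key_path, value_name) == (RUNONCE, "Kernel32") else None


if __name__ == "__main__":
    if sys.platform == "win32":
        # On Windows 9x the System directory is %SystemRoot%\System instead.
        print(scan(Path(os.environ["SystemRoot"]) / "System32", winreg_reader))
    else:
        print(scan(make_sample_system_dir(), sample_reader))
```

A hit on the RunOnce entry alone already means the dropped kernel32.exe will be started at the next boot, so it should be reported even when the file list comes back empty.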