| This trojan is another in a long line of trojans sent via email. Microsoft Outlook and Outlook Express or other email clients that use Windows sockets will be susceptible to this one. Once the worm attacks the system it replies to all unread email messages with itself attached to the email. The email has the same subject and message body as the original email. It also modifies the Win.ini file so that it runs at reboot. |
Upon execution the virus displays the following message box:
How Do I Remove the Virus?
Because the virus modifies Win.ini, you'll want to follow these instructions to remove the line from there first.
1)
Click on Start, Run
2) Type SYSEDIT and Click OK
3) Select the WIN.INI window and find the RUN line
4) Delete the following entry from the line and save the file
C:\WINDOWS\INETD.EXE
Now, run an up-to-date anti-virus program and scan your system for viruses. If you don't have an anti-virus program on your system, trying using Housecall, an online anti-virus program, but definitely purchase anti-virus software and keep it up-to-date.
You will probably find at least two files infected as BadTrans, these are KERN32.EXE and CP_23421.NLS. These should both be deleted. If your anti-virus software can't delete them, then write the path to the file down and Restart your computer in MS-DOS mode. Once in DOS mode, proceed to use the DEL command to the delete the files.
Once the files are deleted, restart Windows. This should get rid of the BadTrans virus, but be sure to update your software and run a thorough virus scan of your system to check for other viruses.
BadTrans.B Information
This
variant of BadTrans logs keystrokes, sends log file including cached
passwords, and sends email messages. It arrives with a randomly
selected double extension filename. It uses a known vulnerability in
Internet Explorer-based email software (Outlook or Outlook Express) to
automatically execute the file attachment. Infecting the computer just
by previewing the message.
You can read more about this vulnerability by clicking on the link
below:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
The virus will find unread mail to which it will reply. The subject will be "Re:". changes the From address in the header, adding an underscore (_) in front of the email address. Thus, replying to the email will be ineffective unless the _ is removed. The name of the attachment will be one of the following:
- PICS
- IMAGES
- README
- New_Napster_Site
- NEWS_DOC
- HAMSTER
- YOU_ARE_FAT!
- SEARCHURL
- SETUP
- CARD
- ME_NUDE
- Sorry_about_yesterday
- S3MSONG
- DOCS
- HUMOR
- FUN
In all cases, the worm will append two extensions. The first will be one of the following:
- .doc
- .mp3
- .zip
The second extension that is appended to the file name is one of the following:
- .pif
- .scr
The
log file and the cached passwords are sent to one of these addresses or
some others which are currently not operational:
- ZVDOHYIK@yahoo.com
- udtzqccc@yahoo.com
- DTCELACB@yahoo.com
- I1MCH2TH@yahoo.com
- WPADJQ12@yahoo.com
- smr@eurosport.com
- bgnd2@canada.com
- muwripa@fairesuivre.com
- eccles@ballsy.net
- S_Mentis@mail-x-change.com
- YJPFJTGZ@excite.com
- JGQZCD@excite.com
- XHZJ3@excite.com
- OZUNYLRL@excite.com
- tsnlqd@excite.com
- cxkawog@krovatka.net
- ssdn@myrealbox.com
If
SMTP information can be found on the computer, then it will be used for
the From: field. Otherwise, the From: field will be one of these:
- "Mary L. Adams" mary@c-com.net
- "Monika Prado" monika@telia.com
- "Support" support@cyberramp.net
- " Admin" admin@gte.net
- " Administrator" administrator@border.net
- "JESSICA BENAVIDES" jessica@aol.com
- "Joanna" joanna@mail.utexas.edu
- "Mon S" spiderroll@hotmail.com
- "Linda" lgonzal@hotmail.com
- " Andy" andy@hweb-media.com
- "Kelly Andersen" Gravity49@aol.com
- "Tina" tina0828@yahoo.com
- "Rita Tulliani" powerpuff@videotron.ca
- "JUDY" JUJUB271@AOL.COM
- " Anna" aizzo@home.com
BadTrans.B Removal Instructions
Follow these steps for removing the BadTrans.B variant in Windows 95/98
1)
Remove the virus from the Registry first. Click on START, RUN, type
REGEDIT, and click OK
2) Click on the plus(+) next to the following options on the left hand
side
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunOnce
3) In the right panel, look for KERNEL32.EXE
4) Click the Registry value, and then Delete it.
5) Close the Registry Editor
6) Click on Start, Shutdown, and Restart in MS-DOS Mode
7) Once the system has restarted in MS-DOS mode type the following
commands to delete the virus:
CD \WINDOWS\SYSTEM (ENTER)
DEL CP_25389.NLS (ENTER)
DEL KERNEL32.EXE (ENTER)
DEL KDLL.DLL (ENTER)
8) Type EXIT to restart the computer
Because the files may be in use, you may need to restart the computer in SAFE MODE before deleting the files in Windows ME, Windows 2000, or Windows XP instead of restarting the computer in MS-DOS Mode.
Now, run a thorough virus scan of your system to check for any reinfection of the virus
Tools for Removing Spyware, Adware, and Malware
PC HELL
Other Pages
Welchia (Dllhost.exe and SVCHost.exe) Worm Removal
Uninstall Antivir Instructions
How to Manually Run the Microsoft Malicious Software Removal Tool
Bloodhound.Exploit.6 Virus Removal
Backdoor SDBot.H Trojan Removal
