PC Hell: BadTrans Virus Information and Help

Bad Trans and BadTrans.B Trojan Virus Information and Help

What is BadTrans Trojan Virus and How Did I Get It?

This trojan is another in a long line of trojans sent via email. Microsoft Outlook and Outlook Express or other email clients that use Windows sockets will be susceptible to this one. Once the worm attacks the system it replies to all unread email messages with itself attached to the email. The email has the same subject and message body as the original email. It also modifies the Win.ini file so that it runs at reboot.

Upon execution the virus displays the following message box:

badtrans.gif (1767 bytes)

How Do I Remove the Virus?

Because the virus modifies Win.ini, you'll want to follow these instructions to remove the line from there first.

1) Click on Start, Run
2) Type SYSEDIT and Click OK
3) Select the WIN.INI window and find the RUN line
4) Delete the following entry from the line and save the file

C:\WINDOWS\INETD.EXE

Now, run an up-to-date anti-virus program and scan your system for viruses. If you don't have an anti-virus program on your system, trying using Housecall, an online anti-virus program, but definitely purchase anti-virus software and keep it up-to-date.

You will probably find at least two files infected as BadTrans, these are KERN32.EXE and CP_23421.NLS. These should both be deleted. If your anti-virus software can't delete them, then write the path to the file down and Restart your computer in MS-DOS mode. Once in DOS mode, proceed to use the DEL command to the delete the files.

Once the files are deleted, restart Windows. This should get rid of the BadTrans virus, but be sure to update your software and run a thorough virus scan of your system to check for other viruses.

BadTrans.B Information

This variant of BadTrans logs keystrokes, sends log file including cached passwords, and sends email messages. It arrives with a randomly selected double extension filename. It uses a known vulnerability in Internet Explorer-based email software (Outlook or Outlook Express) to automatically execute the file attachment. Infecting the computer just by previewing the message.

You can read more about this vulnerability by clicking on the link below:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The virus will find unread mail to which it will reply. The subject will be "Re:". changes the From address in the header, adding an underscore (_) in front of the email address. Thus, replying to the email will be ineffective unless the _ is removed. The name of the attachment will be one of the following:

PICS

IMAGES

README

New_Napster_Site

NEWS_DOC

HAMSTER

YOU_ARE_FAT!

SEARCHURL

SETUP

CARD

ME_NUDE

Sorry_about_yesterday

S3MSONG

DOCS

HUMOR

FUN

In all cases, the worm will append two extensions. The first will be one of the following:

.doc

.mp3

.zip

The second extension that is appended to the file name is one of the following:

.pif

.scr

The log file and the cached passwords are sent to one of these addresses or some others which are currently not operational:

ZVDOHYIK@yahoo.com

udtzqccc@yahoo.com

DTCELACB@yahoo.com

I1MCH2TH@yahoo.com

WPADJQ12@yahoo.com

smr@eurosport.com

bgnd2@canada.com

muwripa@fairesuivre.com

eccles@ballsy.net

S_Mentis@mail-x-change.com

YJPFJTGZ@excite.com

JGQZCD@excite.com

XHZJ3@excite.com

OZUNYLRL@excite.com

tsnlqd@excite.com

cxkawog@krovatka.net

ssdn@myrealbox.com

If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:

"Mary L. Adams" mary@c-com.net

"Monika Prado" monika@telia.com

"Support" support@cyberramp.net

" Admin" admin@gte.net

" Administrator" administrator@border.net

"JESSICA BENAVIDES" jessica@aol.com

"Joanna" joanna@mail.utexas.edu

"Mon S" spiderroll@hotmail.com

"Linda" lgonzal@hotmail.com

" Andy" andy@hweb-media.com

"Kelly Andersen" Gravity49@aol.com

"Tina" tina0828@yahoo.com

"Rita Tulliani" powerpuff@videotron.ca

"JUDY" JUJUB271@AOL.COM

" Anna" aizzo@home.com

BadTrans.B Removal Instructions

Follow these steps for removing the BadTrans.B variant in Windows 95/98

1) Remove the virus from the Registry first. Click on START, RUN, type REGEDIT, and click OK
2) Click on the plus(+) next to the following options on the left hand side
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunOnce
3) In the right panel, look for KERNEL32.EXE
4) Click the Registry value, and then Delete it.
5) Close the Registry Editor
6) Click on Start, Shutdown, and Restart in MS-DOS Mode
7) Once the system has restarted in MS-DOS mode type the following commands to delete the virus:
CD \WINDOWS\SYSTEM (ENTER)
DEL CP_25389.NLS (ENTER)
DEL KERNEL32.EXE (ENTER)
DEL KDLL.DLL (ENTER)
8) Type EXIT to restart the computer

Because the files may be in use, you may need to restart the computer in SAFE MODE before deleting the files in Windows ME, Windows 2000, or Windows XP instead of restarting the computer in MS-DOS Mode.

Now, run a thorough virus scan of your system to check for any reinfection of the virus