BadTrans Redux - Page 2
End-users need to be made aware that the attachment can look like a mundane file. With the default settings of Windows, most users will not see the true extension of the filename, but rather the fake extension the virus places in front of it. Usually the attachment appears to be a Word document, Zip archive, or music file. Some of the true filenames BadTrans.B uses include:
Card.pif, docs.scr, fun.pif, hamster.ZIP.scr, Humor.TXT.pif, images.pif, New_Napster_Site.DOC.scr, news_doc.scr, Me_nude.AVI.pif, Pics.ZIP.scr, README.TXT.pif, s3msong.MP3.pif, searchURL.scr, SETUP.pif, Sorry_about_yesterday.DOC.pif, YOU_are_FAT!.TXT.pif

Note that several of these names have double extensions, which is how the attachment can masquerade as a different type of file.
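The following is an added example, not code from the original article: a small mail-gateway style check that classifies attachment names the way a defender would. For each name it reports the true (last) extension, whether a decoy extension precedes it, and what Explorer would display with extensions hidden. The executable extensions beyond .pif and .scr, the decoy extension list, the benign sample names, the quarantine policy and the function names are all assumptions for illustration.

```python
"""Flag attachment names that use BadTrans.B-style double extensions.

Added example, not part of the original article. The extension lists,
the benign sample names and the quarantine policy are assumptions.
"""
from __future__ import annotations

# Extensions Windows runs directly. .pif and .scr are the two BadTrans.B
# uses; .exe, .com and .bat are added as other well-known runnable types.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat"}

# Extensions a user would expect for harmless content (assumed decoy set).
DECOY_EXTS = {"doc", "zip", "txt", "mp3", "avi", "jpg", "gif"}

# A few of the names quoted in the article plus two constructed benign ones.
SAMPLE_ATTACHMENTS = [
    "Card.pif", "hamster.ZIP.scr", "Humor.TXT.pif", "Me_nude.AVI.pif",
    "README.TXT.pif", "s3msong.MP3.pif", "SETUP.pif",
    "report.doc", "archive.zip",  # constructed benign names
]


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows when 'Hide file extensions for known
    file types' is on: the last known extension is dropped, so
    'hamster.ZIP.scr' is displayed as 'hamster.ZIP'."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS | DECOY_EXTS:
        return filename  # no extension, or an unknown one that stays visible
    return stem


def classify(filename: str) -> dict:
    """Return true type, decoy type, display name and a quarantine decision."""
    parts = filename.lower().split(".")
    true_ext = parts[-1] if len(parts) > 1 else ""
    decoy_ext = parts[-2] if len(parts) > 2 else ""
    executable = true_ext in EXECUTABLE_EXTS
    return {
        "name": filename,
        "true_ext": true_ext,
        "displayed_as": displayed_name(filename),
        "executable": executable,
        # Decoy only counts when a runnable extension hides behind it.
        "double_extension": executable and decoy_ext in DECOY_EXTS,
        # Assumed policy: hold every directly runnable attachment for review.
        "quarantine": executable,
    }


def suspicious(names: list[str]) -> list[str]:
    """Names the gateway would hold back under the policy above."""
    return [n for n in names if classify(n)["quarantine"]]


if __name__ == "__main__":
    for info in map(classify, SAMPLE_ATTACHMENTS):
        flag = "HOLD" if info["quarantine"] else "pass"
        print(f"{flag}  {info['name']:32} shown as {info['displayed_as']!r}"
              f"  double-ext={info['double_extension']}")
```

The check keys on the last extension only, which is the one Windows acts on; the decoy flag is extra context for the analyst. One caveat worth knowing: Windows marks .pif (like .lnk shortcuts) with the NeverShowExt registry value, so Explorer keeps hiding that extension even after the "Hide file extensions" setting is turned off, which is why a gateway-side check like this should not rely on users seeing the true name.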
Prevention and Removal
To alter the dangerous default behavior in Windows 9x or NT, users can open Windows Explorer, click View | Option | View, and uncheck the box with the label "Hide file extensions for known file types". In Windows 2000, the same thing can be done under Tools | Folder Options | View.
To remove the virus from a system manually, open the Registry using RegEdit or a preferred tool, find the keys listed above, and remove any suspicious entries. Then reboot the machine into command-line mode or boot from a clean DOS floppy. Go to c:\Windows\System and delete KDLL.DLL and KERNEL32.EXE. You may also want to check whether this variant created IDETD.EXE as well.
As always, the bottom line is to make sure you have the latest anti-viral signatures and security patches, to alter the default behavior of Windows, Outlook, and Outlook Express so that they do not launch files automatically, and to educate your users about attachments.
For more information on handling viruses, read Don't Let Viruses Knock You Out.