BadTrans Redux - Page 2

 By Jim Freund | Posted Nov 28, 2001

User Education
End-users need to be made aware that the attachment can look like a mundane file. Given the default settings of Windows, most users will not see the true extension of the filename, but rather a fake extension presented by the virus. Usually the attachment appears to be a Word document, Zip archive, or music file. Some of the true filenames BadTrans.B uses include:

Note that several of these names have double extensions, which is how the attachment can masquerade as a different type of file.
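
The double-extension disguise described above can be checked for mechanically, for example when screening attachment names at a mail gateway. The following Python is an added example, not part of the original article; the extension lists are assumptions and the sample filenames are constructed, not the names BadTrans.B uses.

```python
import ntpath

# Assumed, partial list of extensions Windows runs when the file is opened.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
# Assumed list of harmless-looking types (documents, archives, music, pictures).
DECOY_EXTS = {".doc", ".txt", ".zip", ".mp3", ".jpg", ".gif", ".htm", ".html"}


def check_attachment(filename):
    """Classify one attachment name as 'ok', 'executable' or 'masquerade'."""
    # Windows drops trailing dots and spaces, so "a.exe." still runs as a.exe.
    name = ntpath.basename(filename).rstrip(". ")
    shown, real_ext = ntpath.splitext(name)
    real_ext = real_ext.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return {"verdict": "ok", "real_ext": real_ext, "shown_as": name}
    # With extensions hidden the user sees only `shown`. Padding spaces before
    # the real extension are stripped so "x.doc      .exe" is still caught.
    shown = shown.rstrip(" ")
    decoy_ext = ntpath.splitext(shown)[1].lower()
    verdict = "masquerade" if decoy_ext in DECOY_EXTS else "executable"
    return {"verdict": verdict, "real_ext": real_ext, "shown_as": shown}


def scan(names):
    """Return (name, verdict) pairs for a list of attachment names."""
    return [(n, check_attachment(n)["verdict"]) for n in names]


# Constructed sample names for illustration only.
SAMPLES = [
    "Quarterly.DOC.pif",            # looks like a Word document
    "holiday_photos.zip",           # genuine archive name
    "track01.mp3          .scr",    # real extension pushed out of view by spaces
    "setup.exe",                    # executable, but not disguised
    "notes.v2.txt",                 # two dots, harmless final extension
    "C:\\Temp\\song.MP3.exe.",      # trailing dot is ignored by Windows
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES):
        print(f"{verdict:<11} {name!r}")
```
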

Prevention and Removal
To alter the dangerous default behavior in Windows 9x or NT, users can open Windows Explorer, click View | Option | View, and uncheck the box with the label "Hide file extensions for known file types". In Windows 2000, the same thing can be done under Tools | Folder Options | View.

To remove the virus from a system manually, open the Registry using RegEdit or a preferred tool, find the keys listed above, and remove any suspicious entries. Then reboot the machine into Command Line mode or from a clean DOS floppy. Go to c:\Windows\System and delete KDLL.DLL and KERNEL32.EXE. You may also want to check whether this variant created IDETD.EXE as well.

As always, the bottom line is to make sure you have the latest anti-viral signatures and security patches, that you have altered the default behavior of Windows, Outlook, and Outlook Express so that files are not launched automatically, and that you educate your users about attachments.

For more information on handling viruses, read Don't Let Viruses Knock You Out.

Jim Freund is the Managing Editor of CrossNodes.
