BadTrans Redux - Page 2

By Jim Freund | Posted Nov 28, 2001

User Education
End-users need to be made aware that the attachment can look like a mundane file. Given the default settings of Windows, most users will not see the true extension of the filename, but rather a fake extension presented by the virus. Usually the attachment appears to be a Word document, Zip archive, or music file. Some of the true filenames BadTrans.B uses include:

  Card.pif
  docs.scr
  fun.pif
  hamster.ZIP.scr
  Humor.TXT.pif
  images.pif
  New_Napster_Site.DOC.scr
  news_doc.scr
  Me_nude.AVI.pif
  Pics.ZIP.scr
  README.TXT.pif
  s3msong.MP3.pif
  searchURL.scr
  SETUP.pif
  Sorry_about_yesterday.DOC.pif
  YOU_are_FAT!.TXT.pif
Note that several of these names have double extensions, which is how the attachment can masquerade as a different type of file.
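To make the masquerade concrete, here is an added example (not part of the original article) that takes the filenames above, shows what Explorer would display with "Hide file extensions for known file types" switched on, and flags names whose final extension is executable while the previous one looks like a harmless document. The executable and decoy extension lists are assumptions, not something the article specifies; the rendering of the displayed name is simplified to "drop the last extension".

```python
# Executable extension types Windows launches directly; the article's samples end in .pif or .scr.
# Assumed list, extend as needed for your mail gateway.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "lnk"}

# Extensions a user would read as harmless data (assumed list).
DECOY_EXTS = {"doc", "txt", "zip", "mp3", "avi", "jpg", "gif", "pdf", "xls"}

# Attachment names BadTrans.B uses, copied from the article (constructed test set).
SAMPLE_NAMES = [
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr", "Me_nude.AVI.pif",
    "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif", "searchURL.scr",
    "SETUP.pif", "Sorry_about_yesterday.DOC.pif", "YOU_are_FAT!.TXT.pif",
]


def displayed_name(name):
    """Simplified view of what Explorer shows when known extensions are hidden:
    the last extension disappears, so 'Humor.TXT.pif' is displayed as 'Humor.TXT'."""
    head, _, _ = name.rpartition(".")
    return head if head else name


def classify(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    exts = [p.lower() for p in name.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan(names):
    """Map each name to (verdict, name as the user would see it)."""
    return {n: (classify(n), displayed_name(n)) for n in names}


if __name__ == "__main__":
    for real, (verdict, shown) in scan(SAMPLE_NAMES).items():
        print(f"{shown:32} -> really {real:32} [{verdict}]")
```

Run against the article's list, every name is flagged and nine of the sixteen are double-extension names whose displayed form ends in .TXT, .DOC, .ZIP, .MP3 or .AVI.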

Prevention and Removal
To alter the dangerous default behavior in Windows 9x or NT, users can open Windows Explorer, click View | Option | View, and uncheck the box with the label "Hide file extensions for known file types". In Windows 2000, the same thing can be done under Tools | Folder Options | View.

To remove the virus from a system manually, open the Registry using RegEdit or a preferred tool and find the keys listed above, and remove any suspicious entries. Then reboot the machine into Command Line mode or by using a clean DOS floppy. Go to c:\Windows\System and delete KDLL.DLL and KERNEL32.EXE. You may also want to check if this variant created IDETD.EXE as well.

As always, the bottom line is to keep your anti-viral signatures and security patches current, to change the default behavior of Windows, Outlook, and Outlook Express so that files are not launched automatically, and to educate your users about attachments.

For more information on handling viruses, read Don't Let Viruses Knock You Out.

--
Jim Freund is the Managing Editor of CrossNodes.
