BadTrans Redux

BadTrans is back with a bit more vengeance -- but still controllable if you know how to take care of it. Read on to learn about how to identify this virus, its behavior, effects, and how to eradicate it manually, if needs be.

 By Jim Freund
Page 1 of 2
Print Article

Viruses don't get eradicated -- usually they spawn variants, imitators, and occasional rte-introductions. The latter instance appears to be the case with BadTrans, a mass mail exploiter that first reared its ugly head last April. Many end-users in enterprises along with home and small business users returned from the four-day holiday to find one or more instances of the virus in their virtual Inboxes. This variant has been dubbed BadTrans.B by anti-virus software vendors.

The payload of the virus is spread as an e-mail attachment which can have any number of variations in the subject line, recipient, or sender, but, as always, invites the reader to launch an attachment. Once this is done, the attachment sends out e-mails to folk in the victim's address book, attempting to spawn again.

What It Does
The payload is not destructive in and of itself, but as with all mass-mailing viruses, it can cause the equivalent of a Denial of Service attack to e-mail gateways as a result of the outgoing mail it sends. More importantly, BadTrans.B poses a security threat by placing files in the Windows\System directory as KERNEL32.EXE and/or INETD.EXE and changes the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the Trojan will be executed the next time Windows is launched. If INETD.EXE was also created, the Registry entry HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows RUN = C:\WINDOWS\INETD.EXE is created as well.

Once the malicious program is run, it attempts to send the IP address of the infected machine to the hacker, provides back-door access to the machine, and runs another program to log the users' keystrokes.

The good news is that most anti-virus software, such as Norton or McAfee Anti-Virus, already have the capability to catch the Trojan before it is launched, even given its new variant. The bad news is that there are still a great many systems where virus signatures are woefully out-of-date, and end-users are not properly educated about the danger of launching attachments from unverified sources. In the case of BadTrans.B, as with Nimda, the payload can be launched automatically from Outlook Express' preview pane unless measures have been taken to prevent this default behavior. (See below for specific instructions.)

This article was originally published on Nov 28, 2001
Get the Latest Scoop with Networking Update Newsletter