What is BadTrans Trojan Virus and How Did I Get It?
This trojan is another in a long line of trojans sent via email. Microsoft Outlook and Outlook Express or other email clients that use Windows sockets will be susceptible to this one. Once the worm attacks the system it replies to all unread email messages with itself attached to the email. The email has the same subject and message body as the original email. It also modifies the Win.ini file so that it runs at reboot.
Upon execution the virus displays the following message box:

How Do I Remove the Virus?
Because the virus modifies Win.ini, you'll want to follow these instructions to remove the line from there first.
1) Click on Start, Run
2) Type SYSEDIT and click OK
3) Select the WIN.INI window and find the RUN line
4) Delete the following entry from the line and save the file
C:\WINDOWS\INETD.EXE
Now, run an up-to-date anti-virus program and scan your system for viruses.
You will probably find at least two files infected as BadTrans; these are KERN32.EXE and CP_23421.NLS. These should both be deleted. If your anti-virus software can't delete them, then write down the path to each file and restart your computer in MS-DOS mode. Once in DOS mode, use the DEL command to delete the files.
Once the files are deleted, restart Windows. This should get rid of the BadTrans virus, but be sure to update your software and run a thorough virus scan of your system to check for other viruses.
BadTrans.B Information
This variant of BadTrans logs keystrokes, sends the log file including cached passwords, and sends email messages. It arrives with a randomly selected double-extension filename. It uses a known vulnerability in Internet Explorer-based email software (Outlook or Outlook Express) to automatically execute the file attachment, infecting the computer just by previewing the message.
You can read more about this vulnerability by clicking on the link below:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
The virus will find unread mail to which it will reply. The subject will be "Re:". It changes the From address in the header, adding an underscore (_) in front of the email address. Thus, replying to the email will be ineffective unless the _ is removed. The name of the attachment will be one of the following:
- PICS
- IMAGES
- README
- New_Napster_Site
- NEWS_DOC
- HAMSTER
- YOU_ARE_FAT!
- SEARCHURL
- SETUP
- CARD
- ME_NUDE
- Sorry_about_yesterday
- S3MSONG
- DOCS
- HUMOR
- FUN
In all cases, the worm will append two extensions. The first will be one of the following:
The second extension that is appended to the file name is one of the following:
The log file and the cached passwords are sent to one of these addresses or some others which are currently not operational:
If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:
- "Mary L. Adams" mary@c-com.net
- "Monika Prado" monika@telia.com
- "Support" support@cyberramp.net
- " Admin" admin@gte.net
- " Administrator" administrator@border.net
- "JESSICA BENAVIDES" jessica@aol.com
- "Joanna" joanna@mail.utexas.edu
- "Mon S" spiderroll@hotmail.com
- "Linda" lgonzal@hotmail.com
- " Andy" andy@hweb-media.com
- "Kelly Andersen" Gravity49@aol.com
- "Tina" tina0828@yahoo.com
- "Rita Tulliani" powerpuff@videotron.ca
- "JUDY" JUJUB271@AOL.COM
- " Anna" aizzo@home.com
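As an added example (not code from the original advisory), the following Python function checks a raw message for the three BadTrans.B traits described above: the bare "Re:" subject, the underscore-prefixed From address, and a known attachment name carrying two extensions. The sample message and its attachment extensions are constructed, since the advisory text here does not list the extension values.

```python
import email
from email import policy
from email.utils import parseaddr

# Attachment base names listed in the advisory for BadTrans.B
BADTRANS_B_NAMES = {
    "PICS", "IMAGES", "README", "New_Napster_Site", "NEWS_DOC", "HAMSTER",
    "YOU_ARE_FAT!", "SEARCHURL", "SETUP", "CARD", "ME_NUDE",
    "Sorry_about_yesterday", "S3MSONG", "DOCS", "HUMOR", "FUN",
}

def badtrans_b_indicators(raw_message):
    """Return the BadTrans.B traits found in a raw RFC 822 message.

    The extension values themselves are not checked, because the
    advisory text used here does not list them.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    if str(msg["Subject"] or "").strip() == "Re:":
        found.append("subject is bare 'Re:'")
    # The worm prefixes the original sender's address with an underscore
    _, addr = parseaddr(str(msg["From"] or ""))
    if addr.startswith("_"):
        found.append("From local part prefixed with '_'")
    # A worm attachment is <known name>.<ext1>.<ext2>
    for part in msg.walk():
        name = part.get_filename()
        if name and name.count(".") == 2 and name.split(".")[0] in BADTRANS_B_NAMES:
            found.append("double-extension attachment " + name)
    return found

# Constructed sample message; the attachment extensions are arbitrary.
SAMPLE = """From: "Mary L. Adams" <_mary@c-com.net>
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

original message body
--b1
Content-Type: application/octet-stream; name="CARD.txt.exe"
Content-Disposition: attachment; filename="CARD.txt.exe"

not a real payload
--b1--
"""
```

Calling `badtrans_b_indicators(SAMPLE)` returns all three traits for the constructed message and an empty list for an ordinary one.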
BadTrans.B Removal Instructions
Follow these steps for removing the BadTrans.B variant in Windows 95/98
1) Remove the virus from the Registry first. Click on START, RUN, type REGEDIT, and click OK
2) Click on the plus (+) next to each of the following keys on the left hand side, in turn:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
3) In the right panel, look for KERNEL32.EXE
4) Click the Registry value, and then Delete it.
5) Close the Registry Editor
6) Click on Start, Shutdown, and Restart in MS-DOS Mode
7) Once the system has restarted in MS-DOS mode, type the following commands to delete the virus:
CD \WINDOWS\SYSTEM (ENTER)
DEL CP_25389.NLS (ENTER)
DEL KERNEL32.EXE (ENTER)
DEL KDLL.DLL (ENTER)
8) Type EXIT to restart the computer
Because the files may be in use, on Windows ME, Windows 2000, or Windows XP you may need to restart the computer in SAFE MODE before deleting the files, instead of restarting the computer in MS-DOS Mode.
Now, run a thorough virus scan of your system to check for any reinfection of the virus.