Antivirus software vendors warn of new mass-mailer worm

Antivirus software vendors are issuing warnings about a new variant of a Windows-based mass-mailer worm first seen almost eight months ago, that can install a backdoor Trojan on the victim's computer to enable an attacker to take control of it.

W32/BadTrans.B, or BadTrans.B, was first detected in the U.K. during the last few days, but seems to be spreading rapidly to the U.S. as workers return from the Thanksgiving holiday. In Australia, Symantec has received 27 reports, mainly from corporates since Nov. 24. It has also scaled its virus 'threat assessment' from a Level 3 (medium) to Level 4 (severe). The W32/BadTrans.B mass-mailer worm is sufficiently different enough from the original BadTrans.A that most antivirus software vendors, including Symantec, F-Secure Corp. and Sophos PLC, are asking their customers to install new virus-signature updates for their products in order to recognize and eradicate it.

Network Associates Inc., though, says its McAfee antivirus product doesn't need a virus-signature update to detect BadTrans.B if the software has been updated to detect BadTrans.A.

However, according to Vincent Gallato, senior director at Avert Labs, the research division of Network Associates, a feature called "compressed file scanning" has to be activated in the McAfee AntiVirus desktop software to detect BadTrans.B. For customers who use McAfee's logon script virus detection, this compressed file scanning isn't required, he added.

Once it has infected a Windows-based computer, BadTrans.B spreads by mailing itself to names and addresses stored in the user's Outlook address book. The dangerous bogus e-mail arrives in the victim's e-mail box with any of 15 different attachments. The attachments might be named "Sorryaboutyesterday.doc," "humor.doc", "me_nude.doc," "fun/doc" or "hamster.doc."

Opening the attached file can infect the victim's computer with the worm. But it's not necessary to even open the file to become infected. That's because the worm exploits a MIME-based vulnerability discovered nine months ago in the Internet Explorer-based e-mail client (Microsoft Outlook or Microsoft Outlook Express) that enables the worm to activate without the user opening the attachment.

If the victim receives the e-mail with the BadTrans.B attachment and clicks to open it, the worm does several things to compromise security. First it copies itself to a KERNAL32.exe file in the Windows System directory. Then, after registering itself as a system service, the worm retrieves the user's account information, including password, and installs a keylogger on the local machine as KDLL.DLL, according to Activis, a managed security service with office in the U.K. and the U.S.

The worm records the victim's keystrokes, IP address, date, time, and the application name, to an encrypted file. It uses the victim's default e-mail settings to connect the user's SMTP server to send the information via e-mail to a specific e-mail address.

The e-mail address used by the BadTrans.B worm appears to be the same one used with BadTrans.A, said Network Associates' Gallato.

"So far as we know, it's going to an e-mail address that's been shut down," he said. But the ongoing danger associated with the BadTrans.B worm is that once it has installed its backdoor Trojan, hackers can use a variety of scanning tools to recognize a machine compromised by BadTrans.B and take advantage of it.

"If they don't clean up their machine from this, the machine is vulnerable," Gallato advised.

BadTrans.B is spreading far faster than the original BadTrans.A, according to Activis. "We're seeing a significant volume through the U.K," said John Cheney, CEO and director of operations at Activis, whose gateway service scans customer e-mail for viruses using third-party anti-virus product, plus its own scanning engine.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?