Antivirus software vendors warn of new mass-mailer worm

Antivirus software vendors are issuing warnings about a new variant of a Windows-based mass-mailer worm, first seen almost eight months ago, that can install a backdoor Trojan on the victim's computer and let an attacker take control of it.

W32/BadTrans.B, or BadTrans.B, was first detected in the U.K. in the last few days, but appears to be spreading rapidly to the U.S. as workers return from the Thanksgiving holiday. In Australia, Symantec has received 27 reports, mainly from corporate customers, since Nov. 24, and has raised its virus 'threat assessment' from Level 3 (medium) to Level 4 (severe). The W32/BadTrans.B mass-mailer worm is sufficiently different from the original BadTrans.A that most antivirus software vendors, including Symantec, F-Secure Corp. and Sophos PLC, are asking their customers to install new virus-signature updates so their products can recognize and eradicate it.

Network Associates Inc., though, says its McAfee antivirus product doesn't need a virus-signature update to detect BadTrans.B if the software has been updated to detect BadTrans.A.

However, according to Vincent Gallato, senior director at Avert Labs, the research division of Network Associates, a feature called "compressed file scanning" has to be enabled in the McAfee AntiVirus desktop software for it to detect BadTrans.B. Customers who use McAfee's logon-script virus detection don't need compressed file scanning, he added.

Once it has infected a Windows-based computer, BadTrans.B spreads by mailing itself to the names and addresses stored in the user's Outlook address book. The bogus e-mail arrives in the victim's mailbox carrying any of 15 different attachments, with names such as "Sorryaboutyesterday.doc," "humor.doc," "me_nude.doc," "fun/doc" or "hamster.doc."

Opening the attached file can infect the victim's computer with the worm, but opening it isn't even necessary. The worm exploits a MIME-based vulnerability, discovered nine months ago in the Internet Explorer-based e-mail clients (Microsoft Outlook and Microsoft Outlook Express), that lets the worm run without the user opening the attachment.

If the victim receives the e-mail with the BadTrans.B attachment and clicks to open it, the worm does several things to compromise security. First it copies itself to a file named KERNAL32.exe in the Windows System directory. Then, after registering itself as a system service, the worm retrieves the user's account information, including the password, and installs a keylogger on the local machine as KDLL.DLL, according to Activis, a managed security service with offices in the U.K. and the U.S.

The worm records the victim's keystrokes, IP address, date, time and the application name to an encrypted file. It then uses the victim's default e-mail settings to connect to the user's SMTP server and sends that information by e-mail to a specific address.
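The indicators the article gives for BadTrans.B (the attachment names it lists and the two files it says the worm drops into the Windows System directory) are enough for a simple gateway and host check. The following Python is an added example written for this page; it is not code from the article, Activis or any antivirus vendor. It assumes only the four attachment names the article spells out unambiguously (the article says the worm uses 15 in all), treats the dropped-file names case-insensitively as Windows does, and the sample messages are constructed here rather than captured.

```python
"""Detection helpers for the BadTrans.B indicators named in the article.

Added example, not from the article or any vendor. Indicator values come
from the article; everything else (function names, sample messages) is
assumed or constructed here.
"""
import email
import email.policy
from email.message import EmailMessage
from pathlib import Path
from typing import Iterable, List, Optional

# Attachment names the article spells out (it says there are 15 in all).
BADTRANS_B_ATTACHMENTS = {
    "sorryaboutyesterday.doc",
    "humor.doc",
    "me_nude.doc",
    "hamster.doc",
}

# Files the article says the worm writes into the Windows System directory:
# a copy of itself as KERNAL32.exe and a keylogger as KDLL.DLL.
BADTRANS_B_DROPPED_FILES = {"kernal32.exe", "kdll.dll"}


def suspicious_attachments(raw_message: bytes) -> List[str]:
    """Return attachment file names in a raw RFC 822 message that match the list.

    The comparison is case-insensitive because Windows file names are.
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    for part in msg.walk():  # walks every MIME part, including nested ones
        name = part.get_filename()
        if name and name.lower() in BADTRANS_B_ATTACHMENTS:
            hits.append(name)
    return hits


def dropped_file_hits(file_names: Iterable[str]) -> List[str]:
    """Return names from a directory listing that match the dropped-file indicators."""
    return sorted(n for n in file_names if n.lower() in BADTRANS_B_DROPPED_FILES)


def scan_system_dir(system_dir: Path) -> List[str]:
    """List a real directory (assumed path, e.g. C:\\Windows\\System) and check it."""
    return dropped_file_hits(p.name for p in system_dir.iterdir() if p.is_file())


def _build_message(attachment_name: Optional[str]) -> bytes:
    """Construct a sample message for the demo (constructed, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("see attached")
    if attachment_name:
        msg.add_attachment(
            b"constructed placeholder bytes, not a real payload",
            maintype="application",
            subtype="octet-stream",
            filename=attachment_name,
        )
    return msg.as_bytes()


# Constructed samples: one carrying a listed attachment name, one benign.
SAMPLE_SUSPECT = _build_message("Humor.doc")
SAMPLE_CLEAN = _build_message("quarterly_report.doc")


if __name__ == "__main__":
    print("suspect message:", suspicious_attachments(SAMPLE_SUSPECT))
    print("clean message:", suspicious_attachments(SAMPLE_CLEAN))
    # Simulated directory listing; swap in scan_system_dir(Path(...)) on a real host.
    print("host listing:", dropped_file_hits(["notepad.exe", "KERNAL32.EXE", "kdll.dll"]))
```

Matching on attachment names alone is a weak signal: the article notes the worm does not need the attachment opened at all, so the gateway check is a complement to the signature updates and the MIME-handling patch, not a replacement for them. The host check is the one that answers Gallato's point about cleanup, since a machine still carrying KERNAL32.exe and KDLL.DLL remains a backdoored host.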

The e-mail address used by the BadTrans.B worm appears to be the same one used with BadTrans.A, said Network Associates' Gallato.

"So far as we know, it's going to an e-mail address that's been shut down," he said. But the ongoing danger associated with the BadTrans.B worm is that once it has installed its backdoor Trojan, hackers can use a variety of scanning tools to recognize a machine compromised by BadTrans.B and take advantage of it.

"If they don't clean up their machine from this, the machine is vulnerable," Gallato advised.

BadTrans.B is spreading far faster than the original BadTrans.A, according to Activis. "We're seeing a significant volume through the U.K.," said John Cheney, CEO and director of operations at Activis, whose gateway service scans customer e-mail for viruses using third-party anti-virus products plus its own scanning engine.

Ellen Messmer
