Antivirus software vendors warn of new mass-mailer worm

Antivirus software vendors are issuing warnings about a new variant of a Windows-based mass-mailer worm first seen almost eight months ago, that can install a backdoor Trojan on the victim's computer to enable an attacker to take control of it.

W32/BadTrans.B, or BadTrans.B, was first detected in the U.K. during the last few days, but seems to be spreading rapidly to the U.S. as workers return from the Thanksgiving holiday. In Australia, Symantec has received 27 reports, mainly from corporates since Nov. 24. It has also scaled its virus 'threat assessment' from a Level 3 (medium) to Level 4 (severe). The W32/BadTrans.B mass-mailer worm is sufficiently different enough from the original BadTrans.A that most antivirus software vendors, including Symantec, F-Secure Corp. and Sophos PLC, are asking their customers to install new virus-signature updates for their products in order to recognize and eradicate it.

Network Associates Inc., though, says its McAfee antivirus product doesn't need a virus-signature update to detect BadTrans.B if the software has been updated to detect BadTrans.A.

However, according to Vincent Gallato, senior director at Avert Labs, the research division of Network Associates, a feature called "compressed file scanning" has to be activated in the McAfee AntiVirus desktop software to detect BadTrans.B. For customers who use McAfee's logon script virus detection, this compressed file scanning isn't required, he added.

Once it has infected a Windows-based computer, BadTrans.B spreads by mailing itself to names and addresses stored in the user's Outlook address book. The dangerous bogus e-mail arrives in the victim's e-mail box with any of 15 different attachments. The attachments might be named "Sorryaboutyesterday.doc," "humor.doc", "me_nude.doc," "fun/doc" or "hamster.doc."

Opening the attached file can infect the victim's computer with the worm. But it's not necessary to even open the file to become infected. That's because the worm exploits a MIME-based vulnerability discovered nine months ago in the Internet Explorer-based e-mail client (Microsoft Outlook or Microsoft Outlook Express) that enables the worm to activate without the user opening the attachment.

If the victim receives the e-mail with the BadTrans.B attachment and clicks to open it, the worm does several things to compromise security. First it copies itself to a KERNAL32.exe file in the Windows System directory. Then, after registering itself as a system service, the worm retrieves the user's account information, including password, and installs a keylogger on the local machine as KDLL.DLL, according to Activis, a managed security service with office in the U.K. and the U.S.

The worm records the victim's keystrokes, IP address, date, time, and the application name, to an encrypted file. It uses the victim's default e-mail settings to connect the user's SMTP server to send the information via e-mail to a specific e-mail address.

The e-mail address used by the BadTrans.B worm appears to be the same one used with BadTrans.A, said Network Associates' Gallato.

"So far as we know, it's going to an e-mail address that's been shut down," he said. But the ongoing danger associated with the BadTrans.B worm is that once it has installed its backdoor Trojan, hackers can use a variety of scanning tools to recognize a machine compromised by BadTrans.B and take advantage of it.

"If they don't clean up their machine from this, the machine is vulnerable," Gallato advised.

BadTrans.B is spreading far faster than the original BadTrans.A, according to Activis. "We're seeing a significant volume through the U.K," said John Cheney, CEO and director of operations at Activis, whose gateway service scans customer e-mail for viruses using third-party anti-virus product, plus its own scanning engine.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?