W32.Badtrans.B@mm is a mass-mailing worm that uses MAPI to email itself out under a variety of file names. It also drops the file \Windows\System\Kdll.dll and uses functions exported by that DLL to log keystrokes, in an attempt to steal passwords and other sensitive information. A set of flag bits inside the worm controls its behavior.

Once per second, a timer inspects the title of the currently active window and checks whether it begins with any of the following three-character strings: LOG, PAS, REM, CON, TER, NET. These are the starts of the words LOGon, PASsword, REMote, CONnection, TERminal and NETwork; the list also contains Cyrillic versions of the same words. If a match is found, keystroke logging is enabled for 60 seconds. Every 30 seconds, the log file and the cached passwords are sent to a remote address.
Symptoms of the Virus
The virus arrives via email in Microsoft Outlook and attempts to spread by replying to unread email messages. The email may contain the text "Take a look to the attachment" in the message body and will carry an attachment that is 13,312 bytes in length. The attachment name is built from three sections: the base name is one of Pics, images, README, New_Napster_Site, news_doc, HAMSTER, YOU_are_FAT!, stuff, SETUP, Card, Me_nude, Sorry_about_yesterday, info, docs, Humor, fun, and the final appended extension is .pif or .scr. After infection, the worm adds the value "kernel32.exe" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, which runs the worm the next time Windows starts.
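The following is an added example, not part of the original notice: a small Python checker that applies the indicators above (base name from the list, three-section name, .pif/.scr final extension, 13,312-byte length) to attachments in raw RFC 822 messages. The sample messages, the sender and recipient addresses, and the middle section "DOC" in the sample file name are constructed for the demonstration; only the base names, extensions and size come from the notice.

```python
"""Flag e-mail attachments that match the W32.Badtrans.B@mm naming
pattern and size. Added example, not part of the original notice."""
import email
from email import policy
from email.message import EmailMessage

# Base names from the notice; matched case-insensitively.
BADTRANS_BASENAMES = {
    "pics", "images", "readme", "new_napster_site", "news_doc", "hamster",
    "you_are_fat!", "stuff", "setup", "card", "me_nude",
    "sorry_about_yesterday", "info", "docs", "humor", "fun",
}
BADTRANS_FINAL_EXT = {".pif", ".scr"}
BADTRANS_SIZE = 13312  # attachment length given in the notice


def classify_attachment(filename, size):
    """Return the list of indicator names matched by one attachment."""
    hits = []
    name = filename.lower()
    # The worm builds the name from three dot-separated sections; the
    # notice names the first (base name) and the last (.pif/.scr).
    parts = name.rsplit(".", 2)
    base = parts[0]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BADTRANS_FINAL_EXT:
        hits.append("final-extension")
    if base in BADTRANS_BASENAMES:
        hits.append("base-name")
    if len(parts) == 3:
        hits.append("three-section-name")
    if size == BADTRANS_SIZE:
        hits.append("size-13312")
    return hits


def scan_message(raw_bytes):
    """Parse one raw message and classify every attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.append((fname, len(payload), classify_attachment(fname, len(payload))))
    return findings


def is_badtrans_candidate(findings):
    """Suspect if the final extension matches and the base name or size does too.
    Requiring two indicators keeps an ordinary .scr screensaver from firing."""
    for _fname, _size, hits in findings:
        if "final-extension" in hits and ("base-name" in hits or "size-13312" in hits):
            return True
    return False


def build_sample(filename, size, body):
    """Construct a test message with one attachment (constructed data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: hello"
    msg.set_content(body)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fn, sz in [("Pics.DOC.scr", 13312), ("budget.xls", 40000), ("fun.pif", 2048)]:
        raw = build_sample(fn, sz, "Take a look to the attachment")
        findings = scan_message(raw)
        print(fn, findings, is_badtrans_candidate(findings))
```

The size check alone is weak (any 13,312-byte file matches), so the candidate rule requires the .pif/.scr extension plus a second indicator; the raw per-attachment hits are returned as well so an analyst can lower or raise the bar.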
To Remove the Virus
If you are unsure how to perform any of these steps, please call the help desk or your desktop consultant first.
These instructions are for Windows 95/98/Me:
1. Restart Windows in Safe Mode
2. Run Command AntiVirus and delete all files that are detected as W32.Badtrans.B@mm.
3. Remove the value "kernel32.exe" that the worm added to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. (Important: ALWAYS back up the system registry before making any changes.)
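As an added example for step 3 (not part of the original notice), the script below reads a registry export in the REGEDIT4 format that regedit produces with `regedit /e`, confirms whether the RunOnce key still holds the "kernel32.exe" value, and writes a .reg file that deletes only that value (the `"name"=-` syntax). Working from the export rather than the live registry means the backup the step requires is taken first and the change can be reviewed before it is applied. The sample export text, including the value data path and the ScanRegistry entry, is constructed for the demonstration; the key path and value name come from the notice.

```python
"""Find the Badtrans.B RunOnce entry in a regedit export and build a .reg
file that removes it. Added example, not part of the original notice."""
import re

RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
BADTRANS_VALUE = "kernel32.exe"

# Constructed sample of what "regedit /e backup.reg" might export on an
# infected Windows 9x machine; the data path is an assumption.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32.exe"="C:\\WINDOWS\\SYSTEM\\kernel32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(name):
    """Undo .reg escaping of value names (\" and \\)."""
    return name.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_data}}; "@" is the default value."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = m.group(2)
    return keys


def find_badtrans_runonce(keys):
    """Return (key_path, value_name, raw_data) for every kernel32.exe value
    under RunOnce. Key and value names are compared case-insensitively."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUNONCE_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == BADTRANS_VALUE:
                hits.append((key, name, data))
    return hits


def build_removal_reg(hits):
    """Emit REGEDIT4 text that deletes only the matched values ("name"=-).
    CRLF line endings are used because regedit expects them."""
    lines = ["REGEDIT4", ""]
    for key, name, _data in hits:
        escaped = name.replace("\\", "\\\\").replace('"', '\\"')
        lines.extend([f"[{key}]", f'"{escaped}"=-', ""])
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_badtrans_runonce(parse_reg_export(SAMPLE_EXPORT))
    for key, name, data in found:
        print(f"{key}: {name} = {data}")
    if found:
        print(build_removal_reg(found))
```

Run it against the real backup file instead of SAMPLE_EXPORT, read the generated .reg, then import it with regedit; nothing else in the export is touched, which is the point of generating a targeted removal file rather than editing by hand under time pressure.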
Please call the helpdesk (8-HELP) for assistance.
If you have, or think you may have, been infected with any type of virus or trojan program, please contact your desktop consultant or the security staff to report the incident so that we can help prevent others from also being infected.