Tech Update Security
Beware Badtrans.B
By Robert Vamosi
ZDNet Reviews
November 26, 2001



A revised version of the Badtrans worm from April 2001 is loose on the Internet. Badtrans.B behaves in a similar manner to the original, loading a password-stealing Trojan horse that can log keystrokes and reveal password and credit card information to malicious users. However, this version uses a vulnerability in Internet Explorer that automatically opens the e-mail attachments when previewed. Reports from all over the world state that this worm is spreading. Because the worm sends e-mail and automatically executes on some computers, Badtrans.B ranks a 6 on the ZDNet Virus Meter.

How it works
Badtrans.B arrives as e-mail. It replies to old e-mail, so the subject line is one that someone has already sent you, and you might be inclined to open it. The e-mail message itself is empty. Badtrans.B includes an attached file whose name is created from the following list:

    FUN
    HUMOR
    DOCS
    S3MSONG
    Sorry_about_yesterday
    ME_NUDE
    CARD
    SETUP
    SEARCHURL
    YOU_ARE_FAT!
    HAMSTER
    NEWS_DOC
    New_Napster_Site
    README
    IMAGES
    PICS

The attachment is a DOC, MP3, or ZIP file, with a second extension of either SCR or PIF. For example, an attached file might be named Readme.doc.scr.
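
The naming pattern above lends itself to a mail-gateway check. The following is an added example, not part of the original article or any vendor's tool: it uses Python's standard email module to flag attachments whose last two extensions match the pattern. The function names, verdict labels, and sample message are assumptions made for illustration.

```python
from email import message_from_string

# Base names and extensions as listed in the article (compared case-insensitively).
BASE_NAMES = {"fun", "humor", "docs", "s3msong", "sorry_about_yesterday",
              "me_nude", "card", "setup", "searchurl", "you_are_fat!", "hamster",
              "news_doc", "new_napster_site", "readme", "images", "pics"}
DECOY_EXT = {"doc", "mp3", "zip"}   # first, harmless-looking extension
EXEC_EXT = {"scr", "pif"}           # second extension, the one Windows acts on

# Constructed sample message: an empty reply with one suspicious attachment.
SAMPLE = """\
Subject: Re: lunch on Friday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Readme.doc.scr"

AAAA
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="minutes.doc"

AAAA
--b1--
"""

def classify(filename):
    """Return 'badtrans-name', 'double-extension' or None for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.lower().rstrip(" .").rsplit(".", 2)
    if len(parts) != 3:
        return None
    base, decoy, final = parts
    if decoy not in DECOY_EXT or final not in EXEC_EXT:
        return None
    return "badtrans-name" if base in BASE_NAMES else "double-extension"

def scan_message(raw):
    """Return (filename, verdict) for every flagged attachment in a raw message."""
    names = (p.get_filename() for p in message_from_string(raw).walk())
    return [(n, classify(n)) for n in names if n and classify(n)]

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A name outside the list but with the same extension pair is still reported, as `double-extension`, since the extension pair alone marks a disguised executable.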

Users need not open the attached file to infect their machines. Badtrans uses a known vulnerability in Internet Explorer that automatically opens attachments. In this case, the attached file contains Troj.PWS-AV, a password-stealing Trojan horse. Troj.PWS-AV records all keystrokes and the name of the application in which each keystroke was typed, storing the log in encrypted form. The Trojan then connects to an SMTP server to send the log file to a Hotmail e-mail address.

Prevention
Badtrans.B uses a known vulnerability in Outlook Express that is included in Internet Explorer 5.01 and 5.5. Microsoft has released a patch. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6.

Removal
Most antivirus software companies have updated their signature files to include this worm. For more information on removing this worm from your system, see Central Command, F-Secure, Kaspersky, McAfee, Sophos, Symantec, or Trend Micro.

