Revamped virus hits Australia

The inelegantly named W32badtrans@mn is on the loose and causing problems for unprotected computer users in Australia, according to Craig Morgan, manager of Sydney-based hosting company Bocnet.

While major anti-virus software vendors report the global threat as limited, Morgan told ZDNet Australia that the virus has become particularly prevalent in Australia since it was first detected on Saturday. A revamped version of the equally awkwardly named W32badtrans.13312@mn, the virus is designed to install a backdoor Trojan which picks up passwords by reading keystrokes.

Dinesh Rajalingam, technical director at the Melbourne-based Virus Defence Bureau, points out that while W32badtrans@mn is not as immediately destructive as some of the more virulent viruses, it is nonetheless capable of compromising the security of infected machines.

"It is not going to wipe your hard drive, but it will certainly pick up on all your passwords," said Rajalingam. "Those most at risk are people with signature-based virus protection, because they are unlikely to recognise the virus unless it has already been updated."

Rajalingam said computer owners and users are better advised to implement behaviour-based anti-virus software, as it would register the unusual behaviour of the virus and neutralise it before it had time to compromise the system.

In a similar vein, Symantec is advising companies to revise e-mail filtering systems to make sure they block attachments with the extensions .scr and .pif.

David Banes, regional manager for Symantec's security response team, said W32badtrans@mn was particularly hard to detect without software as it was constantly changing its three-letter file type.

"This virus appears under a number of names both in terms of the attachment and the file type," Banes said. "End users should update their anti-virus software and keep an eye out for any unusual e-mails."

How it works

Badtrans.B arrives by e-mail. It replies to old e-mail, so the subject line is one that someone has already sent you, and you might be inclined to open it. The e-mail message itself is empty. Badtrans.B includes an attached file whose name is created from the following list:

    FUN
    HUMOR
    DOCS
    S3MSONG
    Sorry_about_yesterday
    ME_NUDE
    CARD
    SETUP
    SEARCHURL
    YOU_ARE_FAT!
    HAMSTER
    NEWS_DOC
    New_Napster_Site
    README
    IMAGES
    PICS

The attachment is a DOC, MP3, or ZIP file, with a second extension of either SCR or PIF. For example, an attached file might be named Readme.doc.scr.

Users need not open the attached file to infect their machines. Badtrans uses a known vulnerability in Internet Explorer that automatically opens attachments. In this case, the attached file contains Troj.PWS-AV, a password-stealing Trojan horse. Troj.PWS-AV records all keystrokes and the name of the application in which each keystroke was typed, storing them in encrypted form. The Trojan then connects to an SMTP server to send the log file to a Hotmail e-mail address.

Prevention

Badtrans.B uses a known vulnerability in Outlook Express that is included in Internet Explorer 5.01 and 5.5. Microsoft has released a patch. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6.
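The attachment-blocking advice above, applied to the double-extension naming described under "How it works", can be written as a mail gateway check. This is an added example, not code from the article or from any vendor named in it; the function names, the decoy-extension set and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED = {".scr", ".pif"}          # extensions the article says to block
DECOYS = {".doc", ".mp3", ".zip"}   # first extensions the article lists

def classify_filename(name):
    """Return (blocked, double_extension) for one attachment filename."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so drop them before comparing.
    cleaned = base.strip().rstrip(". ").lower()
    exts = ["." + p for p in cleaned.split(".")[1:]]
    blocked = bool(exts) and exts[-1] in BLOCKED
    double = blocked and len(exts) >= 2 and exts[-2] in DECOYS
    return blocked, double

def scan_message(raw_bytes):
    """List (filename, verdict) for every attachment a gateway should reject."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type name=
        name = part.get_filename()
        if not name:
            continue
        blocked, double = classify_filename(name)
        if blocked:
            verdict = "double-extension" if double else "blocked-extension"
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed message: empty body, one benign and two blocked attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Re: meeting notes"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("")
    for fname in ("notes.doc", "Readme.doc.scr", "CARD.PIF"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"REJECT {name}: {verdict}")
```

The check keys on the final extension only, so a file such as Readme.doc.scr is rejected even though a mail client that hides known extensions would display it as a document.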

Removal

Most antivirus software companies have updated their signature files to include this worm. For more information on removing this worm from your system, see Central Command, F-Secure, Kaspersky, McAfee, Sophos, Symantec, or Trend Micro.

Talkback 1 comments

    Anonymous -- 01/12/01

    We have been hit by a number of nasty viruses lately. The MagistrA and MagistrB were the first to arrive and were widespread around our area on unprotected computers or those with out-of-date virus protection. Since then we have installed Norton Antivirus 2000 and Norton Internet Security. They are working well! The Trojan 'Back Orifice' and 'Back Door' have been the most common intruder attempts and the BadtransB virus was detected last week. Keep protected, there are heaps of nasties around!!!!
