This story was printed from ZDNet Australia.
Badtrans worm carries a password-stealing Trojan


August 31, 2001
URL: http://www.zdnet.com.au/reviews/software/security/soa/Badtrans-worm-carries-a-password-stealing-Trojan/0,139023452,120216137,00.htm


Opening this mass-mailing worm's attachment could leave you stranded in an email traffic jam.

Badtrans is an Internet worm that sends copies of itself by replying to all unread email found on the infected computer. Badtrans also carries a password-stealing Trojan horse. Although Badtrans does not damage the individual computers it infects, it may increase traffic on email servers to excessive levels, forcing them to shut down. Reports of Badtrans are increasing slowly worldwide, and several antivirus software vendors have issued alerts.

How it works
Badtrans arrives as an email, usually carrying a subject line in response to an email you have previously sent.

Subject: (anything)

Body: "Take a look to the attachment".

Attachment: Badtrans randomly chooses from one of the following file names:


    Pics.ZIP.scr
    images.pif
    README.TXT.pif
    New_Napster_Site.DOC.scr
    news_doc.scr
    hamster.ZIP.scr
    YOU_are_FAT!.TXT.pif
    searchURL.scr
    SETUP.pif
    Card.pif
    Me_nude.AVI.pif
    Sorry_about_yesterday.DOC.pif
    s3msong.MP3.pif
    docs.scr
    Humor.TXT.pif
    fun.pif

If one of the above files is opened, Badtrans displays this message:


    "File data corrupt probably due to bad data transmission or bad disk access."

Badtrans then copies itself to the Windows directory under the name IDETD.EXE and adds this file name to the Win.ini file so that the file runs each time the computer restarts.

Badtrans also drops a password-stealing Trojan horse, Keylog-C, into the Windows system directory. Keylog attempts to send information such as operating system details and personal passwords via the Internet back to the Trojan author. Kern32.exe, the main file of this Trojan, is added to the Win.ini file so that it will launch each time the computer is restarted.
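As an added defender-side example (not part of the original article), the Python below flags attachment names that fit the pattern in the list above (a .scr or .pif executable hiding behind a document-style extension) and checks a Win.ini text for the two dropped file names. The sample Win.ini is constructed, and placing the entries on the run= line of the [windows] section is an assumption; the article says only that the names are added to Win.ini.

```python
# Executable extensions used by every attachment name in the article's list.
EXEC_EXTS = {".scr", ".pif"}
# Decoy extensions the worm placed in front of the real one (from the same list).
DECOY_EXTS = {".zip", ".txt", ".doc", ".avi", ".mp3"}
# File names the article says Badtrans adds to Win.ini.
DROPPED_FILES = {"idetd.exe", "kern32.exe"}

# Constructed sample Win.ini; the run= placement is an assumption.
WININI_SAMPLE = """[windows]
load=
run=C:\\WINDOWS\\IDETD.EXE C:\\WINDOWS\\SYSTEM\\Kern32.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""


def classify_attachment(name: str) -> str:
    """Return 'executable-disguised', 'executable' or 'ok' for a filename.

    A double extension such as Pics.ZIP.scr is the disguised case: Windows
    hides known extensions by default, so the user sees 'Pics.ZIP'.
    """
    pieces = name.lower().split(".")
    if len(pieces) < 2:
        return "ok"
    if "." + pieces[-1] not in EXEC_EXTS:
        return "ok"
    if len(pieces) >= 3 and "." + pieces[-2] in DECOY_EXTS:
        return "executable-disguised"
    return "executable"


def find_wininit_autostarts(text: str) -> list:
    """Return lower-cased basenames listed on run=/load= in [windows]."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load"):
            for entry in value.replace(",", " ").split():
                found.append(entry.rsplit("\\", 1)[-1].lower())
    return found


def badtrans_indicators(wininit_text: str) -> list:
    """Dropped Badtrans file names that are set to autostart, sorted."""
    return sorted(set(find_wininit_autostarts(wininit_text)) & DROPPED_FILES)
```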

Removal and prevention

Most of the antivirus software vendors have updated their signature files to include Badtrans, including Central Command, Sophos, Trend Micro and Symantec. To remove Badtrans, simply download the newest version of your antivirus software and run a virus scan.

Prevention
Here are the basic steps for containing the worm:

1. Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that this patch does not include Outlook Express.

2. "Don't open attachments!" One of the best ways to prevent virus infections is not to open attachments, especially when viruses such as Badtrans are being actively circulated. Even if the email is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

3. Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking your antivirus software vendor's homepage.

4. Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.

5. Scan your system regularly. If you're just loading antivirus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

6. Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.