Opening this mass-mailing worm's attachment could leave you stranded in an email traffic jam.
Badtrans is an Internet worm that sends copies of itself by replying to all unread email found on the infected computer. Badtrans also carries a password-stealing Trojan horse. Although Badtrans does not damage individual computers infects, but it may increase traffic on email servers to excessive levels forcing them to shut down. Reports of Badtrans are increasing slowly worldwide, and several antivirus software vendors have issued alerts.
How it works
Badtrans arrives as an email, usually carrying a subject line in response to an email you have previously sent.
Subject: (anything)
Body: "Take a look to the attachment".
Attachment: Badtrans randomly chooses from one of the following file names:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
If one of the above files is opened, Badtrans displays this message:
"File data corrupt probably due to bad data transmission or bad disk access."
Badtrans then copies itself to the Windows directory under the name IDETD.EXE and adds this file name to the Win.ini file so that the file runs each time the computer restarts.
Badtrans also drops a password-stealing Trojan horse, Keylog-C, into the Windows system directory. Keylog attempts to send information such as operating system details and personal passwords via the Internet back to the Trojan author. Kern32.exe, the main file of this Trojan, is added to the Win.ini file so that it will launch each time the computer is restarted.
6%
2%
