Virus Alert: W32/BadTrans Worm Spreading
Over the weekend, home e-mail users have reported the spread of a new e-mail worm that targets vulnerabilities in Microsoft Outlook and Outlook Express to send itself to unanswered e-mail in the user's inbox.
According to user reports and virus resource sites, W32/BadTrans arrives with a message subject heading beginning with "Re:" - and often nothing else. The e-mail carries an attachment with two variable filename attachments; however, Windows may hide the existence of the second file extension from the user. Note that the virus can activate itself when the e-mail is viewed; turning off the Preview window option can help.
With the virus spreading over the weekend, CERT advised commercial e-mail system managers to block all e-mail bearing attachments with the extensions .scr and .pif. Home users should not open any e-mail that has an attachment in which the second extension is .pif or .scr. Any e-mail that has such an attachment should be deleted.
If activated, W32/BadTrans downloads an executable file, "Kernel32.exe" to the Windows directory and two other files to the Windows/System directory: "kdll.dll" and "cp_25389.nls". Kdll.dll includes a routine to record keystrokes and cached passwords from the infected computer into the "cp_25389.nls" file in encrypted form. The keystroke file is then mailed to one of several e-mail addresses.
The program also sets a registry key that will need to be removed. The process for complete removal of the virus and the registry key is explained at the Symantec Security Response Center. A tool for removing the virus is also provided at this site.