Mark Whitis's Website

BADtrans Worm

As of 2001-12-28, I have received 17 copies of this worm, 16 of which were from people I do not know.

The badtrans worm (similar to a virus) transmits itself via electronic mail. Once your computer is infected with this worm, it will transmit itself to:

Everyone in your address book
It replies to all unread emails with the original subject.
Everyone who has sent you mail lately. At a minimum, this includes everyone in your Inbox. It might also search other mail folders.
Everyone who posted recently to any mailing list you subscribed to will receive a copy because their return address will be on your computer and they will fall into one of the preceeding categories.

This worm sends itself as an attachment of MIME type "Audio/X-WAV". Here are some sample filenames (out of about 60 combinations):

S3MSONG.DOC.scr
fun.MP3.pif
stuff.MP3.pif
Pics.DOC.scr
Pics.DOC.scr
SETUP.DOC.scr

This worm can affect people who know enough to not open executable attachments because it disguises its executability and it executes automatically when you read the mail message even if you don't open any attachments.

Antivirus pages with more info:

antivirus.com includes a standalon program to remove this worm.
Symantec
McAfee (search on "badtrans").

Note that many anti-virus programs remove the worm from your computer but might not fix the security holes it created.

Maliciousness: The program does not appear to intentionally destroy data. The program does send itself to your correspondents. The program does introduce security holes on your computer:

It allows remote access to your computer by creating an account
It logs all keystrokes (which will include passwords) and the name of the applications they were typed into.
Presumably, the worm's author has some way to retreive the keystroke log which itself is likely to be another security hole.

If you were infected with this worm, you are also vulnerable to even more malicious programs. Even if you don't think your computer is important, you are morally liable and could be held legally liable if someone uses your insecure computer, or information stolen from it, to launch an attack on other peoples computers. You can be prosecuted for criminal negligence and sued for damages.

This email worm affects computers running Microsoft operating systems and using a microsoft email program. This is true of the vast majority of email viruses and email worms. The more microsoft software you run on your computer, the more vulnerable you are to malicious programs like this.

If you have been infected with this worm, you must:

Remove the worm
Remove the security holes created by the worm
Notify the people in your address book, recent correspondents, and any two-way mailing lists you are subscribed to that you were infected and you may have passed the infection on to them.
Intstall all microsoft security updates which apply to your system.
Make sure you have up to date anti-virus software installed on your system which scans all files daily, scans all web downloads, scans all incoming email, and regularly downloads new virus definitions.
Stop using microsoft software for email. No Microsoft Outlook. No Outlook Express. No internet explorer. Use a third party program such as: pegasus or Eudora. Of the two, pegasus appears more secure than Eudora. You can also use the mail portion of the opera web browser (with java/javascript disabled).
Stop using microsoft software for web browsing. Switch to opera with java/javascript disabled, or Netscape with java/javascript disabled.

Note that the badtrans worm typically sends email from your email address with an underscore added to the begining. This is so that when the recipients send you replies "what is this?" or "Hey, Dumbass, you sent me a virus" they will bounce. Sometimes it uses email addresses unrelated to your own but it uses the modified version of your address to people you are likely to know so it can abuse any trust you might have earned (and now lost) with the recipient.

Visit my Computer Viruses, Worms, and Trojans page for more information on these malicious programs.

If I have sent you a message notifying you that you have sent me a copy of this worm and I get another copy from you, your ISP will be notified and you will be likely to lose your internet access for Terms of Service violations. It is a violation of the terms of service of all reputable ISPs to compromise the security of someone elses computer system or attempt to do so.

Don't even think about emailing me with questions about Microsoft Windoze or any application which runs under Windoze.

This file is maintained by Mark Whitis (whitis@freelabs.com).

Senior Engineer for hire
Software Development - Electronic Design - Embedded Systems - Device Drivers - System/Network Administration and Security - Motor Control, RobotCNC - Linux/Un*x - 25+ years experience
The author of these pages is looking for a new gig.
[RESUME]

Engineers and electronic hobbyists: The new Open Symbol Project is creating open schematic symbols and PCB footprints for a variety of different CAD packages.

Mark Whitis's Website

Home Page

Linux

Book: Linux Programming Unleashed

My Resume

Genealogical Data

Contact Info

Security

About

All email messages received must pass the turing test or they will be considered SPAM. If it could have been written by a machine, it was.

Under no circumstances are you to email me with questions regarding windoze, any other microsoft operating system or application, or any software which runs under any form of windoze.