Guest guest
Posted May 20, 2001

Win32.Badtrans.13312

Badtrans is a worm spreading via e-mail. The worm replies to all unread messages and attaches itself using one of the following 16 names:

fun.pif
Humor.TXT.pif
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif
Me_nude.AVI.pif
Card.pif
SETUP.pif
searchURL.scr
YOU_are_FAT!.TXT.pif
hamster.ZIP.scr
news_doc.scr
New_Napster_Site.DOC.scr
README.TXT.pif
images.pif
Pics.ZIP.scr

When a user opens the attachment, the worm copies itself to the Windows directory as:

inetd.exe

and modifies the file win.ini by including the line executing that program.

Additionally, the Badtrans worm drops a backdoor trojan (Win32.Badtrans.21882 Trojan). The worm creates and executes a 21882-byte file in the Windows System directory:

kern32.exe

and modifies the registry in order to run it on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

The Trojan, which is in fact a backdoor server, also uses its own library: hksdll.dll (a 5632-byte file created in the same directory).

Detection for this worm/trojan (both Win32.Badtrans.13312 worm and Win32.Badtrans.21882 Trojan) has been added to the following virus engine/virus signature combination. Install this update or later to ensure protection:

CA Anti-Virus Product: Engine/Signature
InoculateIT 4.x: 22.65
InoculateIT 6.0: 23.40.65
InoculateIT Personal Edition: 5.2/1185
VET: 10.3/1185

To get the free Inoculate It Personal Edition go to http://antivirus.cai.com/

Trisha

Please forgive the cross posting. <G>
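A triage check for the artifacts named in the post above, added here as an example and not part of the original post or of any CA product. It assumes the win.ini change is a load= or run= entry in the [windows] section (the post does not say which line is used), and the function names and sample host data are constructed for illustration.

```python
import configparser
import re

# File names and sizes come from the advisory; inetd.exe has no stated size.
DROPPED = {"inetd.exe": None, "kern32.exe": 21882, "hksdll.dll": 5632}
# Every attachment name listed in the advisory ends in .pif or .scr.
EXEC_EXT = re.compile(r"\.(pif|scr)$", re.IGNORECASE)


def risky_attachment(name):
    """True when the final extension is an executable one (.pif/.scr)."""
    return bool(EXEC_EXT.search(name.strip()))


def winini_autostarts(text):
    """Programs on the load=/run= lines of [windows] (assumed location)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    progs = []
    for section in cp.sections():
        if section.lower() == "windows":
            for key in ("load", "run"):
                progs += re.split(r"[ ,]+", cp.get(section, key, fallback="").strip())
    return [p for p in progs if p]


def triage(winini_text, runonce, files):
    """runonce: {value name: data}; files: {file name: size in bytes}."""
    hits = []
    for prog in winini_autostarts(winini_text):
        if re.split(r"[\\/]", prog)[-1].lower() == "inetd.exe":
            hits.append("win.ini autostart: " + prog)
    for name, data in runonce.items():
        if re.split(r"[\\/]", data)[-1].lower() == "kern32.exe":
            hits.append("RunOnce " + name + ": " + data)
    for name, size in files.items():
        want = DROPPED.get(name.lower(), -1)
        if want is None or want == size:
            hits.append("file: %s (%d bytes)" % (name, size))
    return hits


if __name__ == "__main__":
    # Constructed sample host state, not data from a real machine.
    ini = "[windows]\nload=\nrun=C:\\WINDOWS\\inetd.exe\n\n[Desktop]\nWallpaper=(None)\n"
    keys = {"kernel32": "kern32.exe"}
    listing = {"KERN32.EXE": 21882, "hksdll.dll": 5632, "notepad.exe": 53248}
    for hit in triage(ini, keys, listing):
        print(hit)
```

The kern32.exe and hksdll.dll matches require the byte sizes given in the post, so an unrelated file that merely shares a name is not reported.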