[email protected]

Aliases: W32/Badtrans-A, W32/[email protected], BadTrans, I-Worm.Badtrans, WORM_BADTRANS.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Fast
Geographical info: Europe, US, Asia
Removal: Easy
Platform: W32
Discovered: 11 Apr 2001
Damage: Medium

Characteristics: The [email protected] worm is a MAPI or Messaging Application Programming Interface worm that can reply to every unread message in a user’s email message folder. It is also known to install a backdoor Trojan in a compromised system.

More details about [email protected]

The [email protected] worm spreads under Win32 systems. It sends e-mail messages with the infected attached files. It also installs a Trojan component the spies to steal information from the compromised system. The [email protected] worm installs the Hkk32.exe backdoor Trojan in the C:\ Windows folder then runs it. It will then copy its code in the folder C:\ Windows as the file inetd.exe and then add to the Win.ini file the run=line. It will then show a popup message with the title ‘Install Error’. The message says ‘File data corrupt: probably due to bad data transmission or bad disk access’. When the infected system is restarted, the malware will wait for a few minutes then utilize MAPI to locate unread email messages and respond to them.

This virus allegedly has a multi-component structure that consists of two different components dropped on a disk as different files and run as stand-alone or exclusive programs (e-mail Worm and Trojan). The "Worm" routine is the main component, keeping a "Trojan" program body in its code, and installs it into the system while infecting a new machine. This virus will likewise attach itself to the email and use the following filenames: Humor.TXT.pif, fun.pif, docs.scr, s3msong.MP3.pif, Sorry_about_yesterday.DOC.pif, Me_nude.AVI.pif, Card.pif, SETUP.pif, searchURL.scr, YOU_are_FAT!.TXT.pif, hamster.ZIP.scr, news_doc.scr, New_Napster_Site.DOC.scr, README.TXT.pif, images.pif, and Pics.ZIP.scr. The [email protected] worm component operates like the "I-Worm.ZippedFiles"(aka ExploreZip) worm: by using Windows MAPI functions. Through thia, it gains access to the Inbox and replies to all unread messages.