W32/Badtrans-A, W32/[email protected], BadTrans, I-Worm.Badtrans, WORM_BADTRANS.A
Category: Computer Worm
Active and Spreading
Europe, US, Asia
11 Apr 2001
The BadTrans worm is a MAPI (Messaging Application Programming Interface) worm that can reply to every unread message in a user’s email message folder. It is also known to install a backdoor Trojan on a compromised system.
The BadTrans worm spreads on Win32 systems. It sends e-mail messages with infected files attached. It also installs a Trojan component that spies on the compromised system to steal information. The BadTrans worm installs the Hkk32.exe backdoor Trojan in the C:\Windows folder and then runs it. It then copies its own code into the C:\Windows folder as the file inetd.exe and adds a run= line to the Win.ini file. It then shows a popup message with the title ‘Install Error’. The message says ‘File data corrupt: probably due to bad data transmission or bad disk access’. When the infected system is restarted, the malware waits a few minutes and then uses MAPI to locate unread email messages and respond to them.
This virus allegedly has a multi-component structure consisting of two different components that are dropped on disk as separate files and run as stand-alone programs (an e-mail Worm and a Trojan). The "Worm" routine is the main component: it keeps the "Trojan" program body in its code and installs it into the system while infecting a new machine. The virus also attaches itself to e-mail using the following filenames: Humor.TXT.pif, fun.pif, docs.scr, s3msong.MP3.pif, Sorry_about_yesterday.DOC.pif, Me_nude.AVI.pif, Card.pif, SETUP.pif, searchURL.scr, YOU_are_FAT!.TXT.pif, hamster.ZIP.scr, news_doc.scr, New_Napster_Site.DOC.scr, README.TXT.pif, images.pif, and Pics.ZIP.scr. The BadTrans worm component operates like the "I-Worm.ZippedFiles" (aka ExploreZip) worm: by using Windows MAPI functions. Through this, it gains access to the Inbox and replies to all unread messages.
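The indicators described above (the two files dropped in the Windows folder, the run= line in Win.ini, and the attachment names) can be checked with a short script. This is an added example, not part of the original write-up. The function names, the sample Win.ini text, and the directory listing are constructed for illustration, and the double-extension pattern is a generalisation beyond the names the page lists.

```python
import re

# Attachment file names listed on this page.
KNOWN_ATTACHMENTS = {n.lower() for n in (
    "Humor.TXT.pif", "fun.pif", "docs.scr", "s3msong.MP3.pif",
    "Sorry_about_yesterday.DOC.pif", "Me_nude.AVI.pif", "Card.pif",
    "SETUP.pif", "searchURL.scr", "YOU_are_FAT!.TXT.pif", "hamster.ZIP.scr",
    "news_doc.scr", "New_Napster_Site.DOC.scr", "README.TXT.pif",
    "images.pif", "Pics.ZIP.scr")}
DROPPED_FILES = {"hkk32.exe", "inetd.exe"}  # dropped into the Windows folder per the page
# Assumption (generalisation): a decoy extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(txt|doc|zip|mp3|avi|jpg|gif)\.(pif|scr|exe|com|bat)$", re.I)

def attachment_verdict(name):
    """Return 'known', 'double-extension' or None for an attachment file name."""
    base = name.strip().lower()
    if base in KNOWN_ATTACHMENTS:
        return "known"
    if DOUBLE_EXT.search(base):
        return "double-extension"
    return None

def winini_run_targets(text):
    """Return the programs named on run= lines in the [windows] section of Win.ini."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                targets += value.replace(",", " ").split()
    return targets

def host_indicators(winini_text, windows_dir_listing):
    """Collect the page's host indicators from Win.ini text and a directory listing."""
    hits = []
    for target in winini_run_targets(winini_text):
        if target.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
            hits.append(("win.ini run=", target))
    for name in windows_dir_listing:
        if name.lower() in DROPPED_FILES:
            hits.append(("dropped file", name))
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_WININI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_LISTING = ["notepad.exe", "HKK32.EXE", "INETD.EXE", "win.ini"]
```

A file name match alone is weak evidence, so treat a hit as a reason to examine the file itself rather than as a verdict.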