muckshifter
11-26-2001, 04:33 PM
BadTrans.B
A new variant of the BadTrans virus emerged on November 24, 2001. Dubbed W32.Badtrans.b by antivirus vendors, this new variant selects various options from three different lists to compose its attachment. The filename is selected from one of the following names: FUN, HUMOR, DOCS, S3MSONG, Sorry_about_yesterday, ME_NUDE, CARD, SETUP, SEARCHURL, YOU_ARE_FAT!, HAMSTER, NEWS_DOC, New_Napster_Site, README, IMAGES, PICS. BadTrans.b uses a double extension ruse to take advantage of a vulnerability in the default settings of Windows. Unless the default settings are modified, users will not see the actual file extension, but rather the fake extension presented by the virus. This erroneous extension will be either .DOC, .MP3, or .ZIP. The Attachments Center provides instructions for changing default settings in Microsoft® Windows so that file extension viewing is properly enabled. The actual extension of the BadTrans attachment will be either .pif or .scr.
According to antivirus vendor Sophos, if the attached file is run, it copies itself into the Windows system directory with the filename KERNEL32.EXE and changes the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the worm runs the next time Windows is started. As part of its infection routine, BadTrans.B also drops a password stealing Trojan, Troj.PWS.A - which logs keystrokes in an attempt to capture sensitive data such as user login information.
BadTrans.b will automatically execute the attachment in Microsoft® Outlook and Outlook Express, if using Internet Explorer version 5.01 or 5.5 (click Help | About in Internet Explorer to discover your version). In the case of Outlook Express, it infects simply by the email appearing in the Preview Pane. While this was resolved some time ago in Microsoft Security Bulletin (MS01-020), many users (if not most) have not installed the patch. If you aren't sure how to interpret your version number to see whether you need the patch, Microsoft has a helpful page to help you determine the exact version. BadTrans.b is not the first virus to exploit this vulnerability; the Nimda worm used the same tactic.
BadTrans.b changes the From address in the header, prepending an underscore (_) to the address. Thus, replying to the email will be ineffective unless the _ is removed.
Removal Instructions
If possible, use updated antivirus software to detect and remove the virus. To remove the virus manually requires editing the system registry and should not be attempted unless familiar with such edits.
To remove manually:
Browse to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce registry key and remove the value "KERNEL32.EXE"
Reboot the system (preferably into DOS mode), change to the Windows\System directory, and delete the following files:
kdll.dll
KERNEL32.EXE
Last updated: November 26, 2001
http://antivirus.about.com/library/weekly/mcurrent.htm
Remember:
Any executable has the potential to harbor a virus infection.
Beware of attachments received unexpectedly, even if from a known source.
Don't open files that have double extensions.
Make sure you have file extension viewing enabled:
In Windows 95/98/NT, do this by opening Windows Explorer. Click View | Options | View and uncheck the box for "Hide file extensions for known file types". You can also do this via the Windows Explorer View | Options | File Types menu. Locate the desired file type(s) and check the "Always Show..." checkbox.
In Windows 2000/XP, users will find the settings under Control Panel | Tools | Folder Options | View or Tools | Folder Options | File Types, locate the file type(s) desired and choose Advanced. Then check the box "Always Show Extension".
The above instructions will display all file extensions except for .SHS files. To display .SHS file extensions, one additional step is required.
After following the above instructions, users must then edit the Registry, HKEY_CLASSES_ROOT\ShellScrap, deleting the value "NeverShowExt".
as always ... back it up first
:hat:
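A defender-side check for the two tells described above, the double-extension attachment and the underscore prepended to the From address. This is an added example, not code from the original post or from the about.com write-up it quotes. It uses only the Python standard library; the lure filenames and the .DOC/.MP3/.ZIP decoy extensions are the ones listed in the post, while the wider list of executable extensions and the sample message are constructed here for illustration, so the check generalises beyond the two real extensions (.pif, .scr) the post names.

```python
"""Flag BadTrans.B-style attachments in a raw e-mail (constructed example)."""
import email
import email.utils
from email import policy
from pathlib import PurePosixPath

# Extensions Windows runs on double-click. The post names .pif and .scr; the
# rest are added here for generality (assumption, not from the post).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".lnk", ".shs"}

# Decoy extensions and lure filenames exactly as listed in the write-up.
DECOY_EXTS = {".doc", ".mp3", ".zip"}
LURE_NAMES = {n.lower() for n in (
    "FUN", "HUMOR", "DOCS", "S3MSONG", "Sorry_about_yesterday", "ME_NUDE",
    "CARD", "SETUP", "SEARCHURL", "YOU_ARE_FAT!", "HAMSTER", "NEWS_DOC",
    "New_Napster_Site", "README", "IMAGES", "PICS",
)}


def classify_attachment(filename):
    """Return a reason string if the filename is suspicious, else None.

    "README.DOC.pif": with "Hide file extensions" on, Explorer shows only
    README.DOC, but the final .pif is what Windows actually executes.
    """
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None  # not executable, so there is nothing to hide behind
    real = suffixes[-1]
    stem = PurePosixPath(filename).name.split(".")[0].lower()
    lure = " (known BadTrans.B lure name)" if stem in LURE_NAMES else ""
    # Any non-executable inner extension is a decoy, not only the three the
    # worm uses; those three are still the ones a 2001-era filter would key on.
    if len(suffixes) >= 2 and suffixes[-2] not in EXECUTABLE_EXTS:
        return f"double extension: shown as {suffixes[-2]}, runs as {real}{lure}"
    return f"executable attachment ({real}){lure}"


def scan_message(raw):
    """Parse a raw RFC 822 message and return a list of (kind, detail) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # The worm prepends "_" to the sender's local part, so a reply bounces.
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    if addr.split("@", 1)[0].startswith("_"):
        findings.append(("sender", f"From local part starts with '_': {addr}"))
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name is None:
            continue
        reason = classify_attachment(name)
        if reason:
            findings.append(("attachment", f"{name}: {reason}"))
    return findings


# Constructed sample message: one lure attachment, one harmless one.
SAMPLE_EML = b"""From: _alice@example.com
To: bob@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(empty)
--b1
Content-Type: application/octet-stream; name="README.DOC.pif"
Content-Disposition: attachment; filename="README.DOC.pif"
Content-Transfer-Encoding: base64

TVo=
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--b1--
"""

if __name__ == "__main__":
    for kind, detail in scan_message(SAMPLE_EML):
        print(f"[{kind}] {detail}")
```

At a mail gateway the same two functions would run over each inbound message; the attachment rule is the durable one, since hidden extensions outlive any particular worm, while the lure-name and underscore checks are specific to this variant.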