Badtrans worm with keystroke logging functionality (BadtransWorm)

Vuln ID: 7607
Risk Level: High
Platforms: Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server
Description:

Badtrans is a mass-emailer worm that includes some enhanced functionality to record an infected user's keystrokes. Badtrans is not intentionally destructive to files or data, but it may cause network traffic difficulties.

The Badtrans worm employs three main components:

  • the Microsoft Malformed MIME header exploit
  • a MAPI mass emailing engine
  • keystroke logging functionality

The author of the Badtrans worm used a modified version of the "Hooker" keystroke logging software, which was designed to gather security-sensitive information on the host by looking for passwords, gathering IP addresses, and capturing keystrokes. The Badtrans worm sends such information to one of several email addresses.

Remedy:

To remove the Badtrans worm from your system:

CAUTION: Use Registry Editor at your own risk. Any change made with Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Delete the CP_25389.NLS file from the C:\Windows\System directory or the C:\Winnt\System32 directory (depending on your configuration).
  2. Using regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce registry key.
  3. Delete the kernel32 value.
  4. Restart your computer.
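The removal steps above, written as an added PowerShell check (this is not code from the ISS X-Force entry or from Internet Security Systems): it looks for the CP_25389.NLS file and the kernel32 RunOnce value, reports what it finds, and deletes them only when run without -WhatIf. It assumes an elevated session; the inclusion of the live system directory ([Environment]::SystemDirectory) alongside the two paths the entry names is an assumption of this example.

```powershell
# Added example: detect and optionally remove the two Badtrans artifacts
# named in the Remedy (worm file + RunOnce value). Not from the ISS entry.
# Run elevated; use -WhatIf for a report-only dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$fileName  = 'CP_25389.NLS'
$runOnce   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$valueName = 'kernel32'

# The two directories from the advisory plus the current system directory
# (the third entry is an assumption, not something the advisory lists).
$dirs = @(
    'C:\Windows\System',
    'C:\Winnt\System32',
    [Environment]::SystemDirectory
) | Select-Object -Unique

$found = $false

# Step 1: the dropped worm file.
foreach ($dir in $dirs) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path) {
        $found = $true
        Write-Warning "Badtrans indicator file present: $path"
        if ($PSCmdlet.ShouldProcess($path, 'Delete worm file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# Steps 2-3: the RunOnce value the worm uses to relaunch at next logon.
$prop = Get-ItemProperty -Path $runOnce -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $prop) {
    $found = $true
    Write-Warning "Badtrans RunOnce entry present: $valueName = $($prop.$valueName)"
    if ($PSCmdlet.ShouldProcess("$runOnce\$valueName", 'Remove RunOnce value')) {
        Remove-ItemProperty -Path $runOnce -Name $valueName
    }
}

if (-not $found) {
    Write-Output 'No Badtrans indicators found.'
} else {
    Write-Output 'Indicators handled; restart the computer to complete removal (step 4).'
}
```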

Required Permission: Windows login

Additional Information:

References:

Symantec Security Response
W32.Badtrans.B@mm
http://www.sarc.com/avcenter/venc/data/w32.badtrans.b@mm.html

McAfee Virus Information Library
W32/Badtrans@MM
http://vil.nai.com/vil/content/v_99069.htm

Microsoft Security Bulletin MS01-020
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx

ISS X-Force
Badtrans worm with keystroke logging functionality
http://www.iss.net/security_center/static/7607.php
