Win32:Badtrans

is a mass mailing worm which uses Outlook to reply to unread email messages. It also drops a remote access trojan to the infected computer. When executed, the worm displays an error message box. Then it saves a copy of itself into the Windows directory under the name INETD.EXE and modifies the WIN.INI file to run this program at startup. The worm uses registry entry instead of WIN.INI modification under WinNT systems:
HKEY_USERS\Software\Microsoft\Windows NT\ CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

The worm then attempts to send itself as a reply to unread MS-Outlook messages. The message body may contain the text "Take a look to the attachment." It uses the following filenames for the attached file: Card.pif, docs.scr, fun.pif, hamster.ZIP.scr, Humor.TXT.pif, images.pif, New_Napster_Site.DOC.scr, news_doc.scr, Me_nude.AVI.pif, Pics.ZIP.scr, README.TXT.pif, s3msong.MP3.pif, searchURL.scr, SETUP.pif, Sorry_about_yesterday.DOC.pif and YOU_are_FAT!.TXT.pif.

Additional files KERN32.EXE (contains a backdoor trojan) and HKSDLL.DLL (DLL which logs the pressed keys) are written to the Windows System directory and loaded at system startup via registry.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunOnce\kernel32=kern32.exe

The trojan attempts to mail the victim's IP Address to the author. The author can then connect to the infected system via the Internet and steal personal information such as usernames, and passwords. The trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

Variants:

Win32:Badtrans-B

This modified variant has been found in November 2001. It uses the iframe exploit to run automatically on unpatched systems. It is the same trick as Nimda, Aliz or Klez, therefore it could be activated by viewing the message if you use Outlook and IE 5.01 or 5.5 without Service Pack 2.

Also the attachment name has been changed - it is now combined from three different parts: { fun | Humor | docs | info | Sorry_about_yesterday | Me_nude | Card | SETUP | stuff | YOU_are_FAT! | HAMSTER | news_doc | New_Napster_Site | README | images | Pics} { .DOC. | .MP3. | .ZIP. } { pif | scr }

The harvesting of the addresses has been extended, so it is able to send the infected messages to the addresses found in HTML and ASP pages. The name of the worm is KERNEL32.EXE and the name of the trojan is KDLL.DLL now. The worm adds the underscore "_" character on the beginning of the sender's email address to prevent the warning sent by the recipient (ie. joe@company.com becames _joe@company.com)

Removal:
* delete all infected files found on the disk
* remove the registry entry pointing to those files
* apply all security patches and service packs for Windows, Outlook and IE

Any avast! with VPS file dated on or after 20th April 2001 is able to detect the original variant of this worm. Any avast! with VPS file dated on or after 25th November 2001 is able to detect the B variant of this worm.