Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Aliases: W32.Badtrans.B@mm, W32/Badtrans-B, I-Worm.BadtransII

Win32/Badtrans.29020.A is another, considerably revised variant of the worm Win32/Badtrans.13312.  It spreads as a file attachment of email messages.  It uses the known trick with double extension, where the first file extension is .DOC, .ZIP or .MP3 and the second one, in some system configurations not visible, is .SCR or .PIF.  The file name may be one of the following (some variants may have all capital letters): Pics, images, README, New_Napster_Site, info, news_doc, HAMSTER, YOU_are_FAT!, stuff, SETUP, Card, Me_nude, Sorry_about_yesterday, docs, Humor, fun, SEARCHURL, S3MSONG
Subject of the message is either blank or it contains the string RE:.  In some cases it may be followed by a subject chosen from the message in the folder with received mail Inbox.  The sender's address may be real or fake; addresses of victims are obtained either by means of MAPI from the Incoming box (Inbox) or by searching through files *.HT* or *.ASP.  To prevent sending the e-mail message to the same address many times the worm keeps the necessary data in the file PROTOCOL.DLL and checks the address before sending the message to it.  The virus body is in the system directory Windows (as a standard \Windows\System) under the name KERNEL32.EXE.  Badtrans ensures its activation by means of creating a key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Kernel32=kernel32.exe 

The worm installs a Trojan horse in the infected system.  The Trojan horse registers keystrokes in the file KDLL.DLL a then sends the file  to the address  Log on activities is recorded in a file with name CP_25389.NLS.  Anti-virus system NOD32 cleans this virus starting from the virus database version 1.126.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.


ESET's NOD32 provides comprehensive, easy-to-use, and affordable protection from today's and tomorrow's threats. We put the malware expert inside the software, so you don't have to become one.




Solutions - Products - Purchase - Download - Support - Threat Center - Partners - Company - Global Sites
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.