Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Encyclopedia
GetVirusCard
True
0
Effects
Badtrans has the following effects:
- It replies to all the unread messages in the affected computer and attaches a file that contains the worm.
- It displays the following error message on screen when the file carrying it is run:
Infection strategy
Badtrans creates the following files:
- HKK32.EXE, in the Windows system directory. This file is a copy of the worm, which Badtrans deletes later.
- INETD.EXE, in the Windows directory. This is a copy of the file that will be attached to the e-mail messages that Badtrans sends out.
- KERN32.EXE, in the Windows system directory. This file, which is a copy of the worm, attaches an infected PIF or SCR file to the e-mail messages sent out by Badtrans.
Badtrans modifies the following file:
- WIN.INI. It adds the following line:
run =C:\WINDOWS\INETD.EXE.
By adding this line, Badtrans ensures that it is run whenever Windows is started.
Badtrans creates the following entries in the Windows Registry:
Means of transmission
Badtrans spreads in an e-mail message that appears to be a reply to a message previously sent by the user, and has the following characteristics:
- Attachments: the file name is different in each message but always has a PIF or SCR extension. It can be one of the following:
PICS.ZIP.SCR
IMAGES.PIF
README.TXT.PIF
NEW_NAPSTER_SITE.DOC.SCR
NEWS_DOC.SCR
HAMSTER.ZIP.SCR
YOU_ARE_FAT!.TXT.PIF
SEARCHURL.SCR
SETUP.PIF
CARD.PIF
ME_NUDE.AVI.PIF
SORRY_ABOUT_YESTERDAY.DOC.PIF
S3MSONG.MP3.PIF
DOCS.SCR
HUMOR.TXT.PIF
FUN.PIF
When this file is opened, Badtrans carries out its infection and sends itself as a reply to all the unread messages in the Inbox.
Further Details
Badtrans is 13,312 bytes in size.