Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Badtrans.B carries out the following actions:
- It logs the keystrokes typed by the user by dropping a Trojan on the computer.
- In this way it can obtain confidential information about the user, such as passwords and usernames.
- It replies to the unread messages on the affected computer, attaching the worm to each reply.
Infection strategy
Badtrans.B creates the following files in the Windows system directory:
- KERNEL32.EXE, which is a copy of the worm.
- KDLL.DLL. This file belongs to the Trojan PSW.Hooker.24.h, which logs the keystrokes typed by the user.
- CP_25389.NLS, which is an encrypted file where the keystrokes are stored.
Badtrans.B creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Kernel32 = kernel32.exe
By creating this entry, Badtrans.B ensures that it is run whenever Windows is started.
Means of transmission
Badtrans.B spreads via email. It follows the routine below:
- It reaches the computer in an email message that appears to be a reply to a message previously sent by the user, and which has the following characteristics:
Sender: one of the following:
"Anna" <aizzo@home.com>
"JUDY" <JUJUB271@AOL.COM>
"Rita Tulliani" <powerpuff@videotron.ca>
"Tina" <tina0828@yahoo.com>
"Kelly Andersen" <Gravity49@aol.com>
"Andy" <andy@hweb-media.com>
"Linda" <lgonzal@hotmail.com>
"Mon S" <spiderroll@hotmail.com>
"Joanna" <joanna@mail.utexas.edu>
"JESSICA BENAVIDES" <jessica@aol.com>
"Administrator" <administrator@border.net>
"Admin" <admin@gte.net>
"Support" <support@cyberramp.net>
"Monika Prado" <monika@telia.com>
"Mary L. Adams" <mary@c-com.net>
Badtrans.B can modify the sender address by adding an underscore to the beginning of it. As a result, replying to the message produces an invalid-address error.
Subject:
Re: m
Attachment: a file with a variable name and a double extension:
Possible names: FUN, HUMOR, DOCS, INFO, SORRY_ABOUT_YESTERDAY, ME_NUDE, CARD, SETUP, STUFF, YOU_ARE_FAT!, HAMSTER, NEWS_DOC, NEW_NAPSTER_SITE, README, IMAGES, PICS.
Possible first extensions: MP3, ZIP, DOC.
Possible second extensions: PIF, SCR.
For example: HUMOR.DOC.PIF, CARD.ZIP.SCR, etc.
- The computer is affected when the attached file is run, or when the email message is viewed in Outlook's Preview Pane. In the latter case the worm exploits a vulnerability in Internet Explorer that allows email attachments to be run automatically; this exploit is known as Exploit/iFrame.
- Badtrans.B sends itself to all the addresses that:
- exist in the Inbox of the affected computer, or
- it gathers from files with an ASP extension, or with an extension that begins with HT.
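The attachment naming scheme and the underscore-prefixed sender described above are stable enough to be matched at a mail gateway. The following is an added example written for this entry, not Panda Security's code: it flags messages whose attachment follows the NAME.EXT1.EXT2 pattern from the lists above, and records the supporting indicators (reply-style subject, underscore-prefixed sender) for logging. The sample message it checks is constructed.

```python
import re

# Name and extension lists taken from the Badtrans.B description above.
NAMES = {"FUN", "HUMOR", "DOCS", "INFO", "SORRY_ABOUT_YESTERDAY", "ME_NUDE",
         "CARD", "SETUP", "STUFF", "YOU_ARE_FAT!", "HAMSTER", "NEWS_DOC",
         "NEW_NAPSTER_SITE", "README", "IMAGES", "PICS"}
FIRST_EXT = {"MP3", "ZIP", "DOC"}
SECOND_EXT = {"PIF", "SCR"}

# Exactly three dot-separated parts: NAME.EXT1.EXT2 (no other dots allowed).
ATTACHMENT_RE = re.compile(r"^(?P<name>[^.]+)\.(?P<ext1>[^.]+)\.(?P<ext2>[^.]+)$")


def attachment_matches(filename: str) -> bool:
    """True if the filename follows the worm's double-extension scheme (case-insensitive)."""
    m = ATTACHMENT_RE.match(filename.strip())
    if not m:
        return False
    return (m["name"].upper() in NAMES
            and m["ext1"].upper() in FIRST_EXT
            and m["ext2"].upper() in SECOND_EXT)


def sender_has_underscore(sender: str) -> bool:
    """True if the address part of the From header begins with an underscore."""
    addr = sender.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.startswith("_")


def badtrans_indicators(sender: str, subject: str, attachments: list) -> list:
    """Return the Badtrans.B characteristics a message exhibits (empty list if none)."""
    reasons = []
    if subject.strip().upper().startswith("RE:"):
        reasons.append("reply-style subject")
    if sender_has_underscore(sender):
        reasons.append("sender address prefixed with underscore")
    for name in attachments:
        if attachment_matches(name):
            reasons.append(f"double-extension attachment {name}")
    return reasons


def should_quarantine(sender: str, subject: str, attachments: list) -> bool:
    """Quarantine only on the decisive indicator: a matching double-extension attachment."""
    return any(attachment_matches(a) for a in attachments)


if __name__ == "__main__":
    # Constructed sample message, not a captured one.
    hits = badtrans_indicators('"Anna" <_aizzo@home.com>', "Re: m", ["HUMOR.DOC.PIF"])
    print(hits, should_quarantine('"Anna" <_aizzo@home.com>', "Re: m", ["HUMOR.DOC.PIF"]))
```

Matching is case-insensitive because Windows file names are, so `card.zip.scr` is treated the same as `CARD.ZIP.SCR`.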
Further Details
Badtrans.B is written in the programming language Visual C++ v6. This worm is 29,088 bytes in size.
Additionally, its code contains the following text, which is never displayed: