Welcome to the Virus Encyclopedia of Panda Security.
|Alias:||Badtrans.B, I-Worm.Badtrans.B, Badtrans.B@MM, W32/Badtrans.B@MM|
It logs the keystrokes typed by the user in order to obtain confidential information about the user, such as passwords or usernames. It sends itself from the affected computer to all the senders of the email messages marked as unread.
|Detection updated on:||July 27, 2007|
|Yes, using TruPrevent Technologies
Badtrans.B is a worm that reaches computers in a file attached to an email message that appears to be a reply to a previously sent email.
The danger of Badtrans.B lies in the following features:
- It is automatically activated when the email message is viewed through Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer that allows email attachments to be run automatically. This exploit is known as Exploit/iFrame.
- It has a high capacity to spread by camouflaging itself.
- When Badtrans.B affects a computer, it replies to all the email messages marked as unread. By doing this, it tricks the recipients into believing that they have received a reply to a message that they have sent.
- It obtains and exposes confidential user data by dropping a Trojan in the computer.
Badtrans.B is easy to recognize, as it reaches the computer in an email message with the following characteristics:
- Sender: one of the following:
"Mary L. Adams" email@example.com
- Attachments: it has a variable name and a double extension:
Possible names: FUN, HUMOR, DOCS, INFO, SORRY_ABOUT_YESTERDAY, ME_NUDE, CARD, SETUP, STUFF, YOU_ARE_FAT!, HAMSTER, NEWS_DOC, NEW_NAPSTER_SITE, README, IMAGES, PICS.
Possible first extensions: MP3, ZIP, DOC.
Possible second extensions: PIF, SCR.
For example: HUMOR.DOC.PIF or CARD.ZIP.SCR.
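The attachment naming scheme above can be turned into a mail-filter check. The following is an added example, not code from Panda Security: the function names and the sample message are constructed for illustration, and the broader "double-extension" verdict (any name ending in a second extension from the list, preceded by another extension) is an assumption that goes beyond the exact names listed in this entry.

```python
import re
from email.message import EmailMessage

# Names and extensions exactly as listed in the encyclopedia entry.
NAMES = {
    "FUN", "HUMOR", "DOCS", "INFO", "SORRY_ABOUT_YESTERDAY", "ME_NUDE",
    "CARD", "SETUP", "STUFF", "YOU_ARE_FAT!", "HAMSTER", "NEWS_DOC",
    "NEW_NAPSTER_SITE", "README", "IMAGES", "PICS"}
FIRST_EXT = {"MP3", "ZIP", "DOC"}
SECOND_EXT = {"PIF", "SCR"}

def classify_attachment(filename):
    """Return 'badtrans-b', 'double-extension' or None for one file name."""
    # Drop any path, trailing dots/spaces, and compare case-insensitively.
    base = re.split(r"[\\/]", filename)[-1].strip().rstrip(". ").upper()
    parts = base.rsplit(".", 2)
    if len(parts) != 3:
        return None                      # fewer than two extensions
    name, first, second = parts
    if second not in SECOND_EXT:
        return None                      # final extension is not PIF/SCR
    if name in NAMES and first in FIRST_EXT:
        return "badtrans-b"              # exact match for the listed pattern
    # Assumption: any other NAME.EXT.PIF / NAME.EXT.SCR is still suspicious.
    return "double-extension"

def scan_message(msg):
    """Return (filename, verdict) for every flagged attachment in msg."""
    hits = []
    for part in msg.iter_attachments():
        fn = part.get_filename()
        verdict = classify_attachment(fn) if fn else None
        if verdict:
            hits.append((fn, verdict))
    return hits

def build_sample():
    """Constructed sample message; attachment bytes are harmless filler."""
    msg = EmailMessage()
    msg["Subject"] = "Re: meeting"
    msg.set_content("Take a look at the attachment.")
    for fn in ("HUMOR.DOC.PIF", "notes.txt", "invoice.pdf.scr"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream", filename=fn)
    return msg

if __name__ == "__main__":
    print(scan_message(build_sample()))
```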