Q-C Online support pages
Technical support article

About the "Bad Transmission" or "BadTrans" Worm



Also Known As: W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans, I-Worm.Badtrans, TROJ_BADTRANS.A

W32.Badtrans.@mm is the latest virus spreading through the Internet over E-mail using Outlook and Outlook Express. It is a MAPI worm that replies to all unread mails in your e-mail message folders, whether they are new or old. When it comes to you, the recipient, it will be from someone you know, most likely it will be a reply to a message you sent to them. The original verion had text of: "Take a look to the attachment". The latest version of this virus comes with no message body at all, only the attachment. Common file names for the attachments are listed below.

When the older verions of worm is executed, it drops the backdoor Trojan Hkk32.exe in the \Windows folder, and then executes it. It then copies itself into the Windows folder as inetd.exe, adds a run= line to the Win.ini, and displays the following message:



The next time that the computer is rebooted, the worm will wait for 5 minutes, then it will use MAPI to find all unread email messages and reply to all of them. The worm also drops a file kern32.exe, which is a password-stealing Trojan, Troj/Keylog-C, into the Windows system directory and changes the registry key
\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe
Both virus variations make it so that the Trojan runs at Windows startup. When the Trojan runs, it attempts to send user-confidential information such as passwords, operating system details and keyboard keys pressed to an attacker. The worm will attach itself to the e-mail, using several different file names. Most appear as if the file has multiple extensions, such as:

Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif

To remove this or any other virus, update your anti-virus software immediately and run a thorough scan of your machine. Your best defense against a virus is to always remember to never download any strange attachment, especially if you do not know who it is coming from. If you do not know what a specific attachment is, reply to the person who sent it to you and ask, do not download. Your second line of defense should be having, and running, an up to date Anti-Virus application. For more information on virus updates and anti-virus software, visit our Virus Information section.


Local events heading








  Today is Monday, Oct. 20, the 293rd day of 2014. There are 72 days left in the year.

1864 -- 150 years ago: The store of Devoe and Crampton was entered and robbed of about $500 worth of gold pens and pocket cutlery last night.
1889 -- 125 years ago: Michael Malloy was named president of the Tri-City Stone Cutters Union.
1914 -- 100 years ago: Dewitte C. Poole, former Moline newspaperman serving as vice consul general for the United States government in Paris, declared in a letter to friends that the once gay Paris is a city of sadness and desolation.
1939 -- 75 years ago: Plans for the construction of an $80,000 wholesale bakery at 2011 4th Ave. were announced by Harry and Nick Coin, of Rock Island. It is to be known as the Banquet Bakery.
1964 -- 50 years ago: An application has been filed for a state permit to organize a savings and loan association in Moline, it was announced. The applicants are Ben Butterworth, A.B. Lundahl, C. Richard Evans, John Harris, George Crampton and William Getz, all of Moline, Charles Roberts, Rock Island, and Charles Johnson, of Hampton.
1989 -- 25 years ago: Indian summer is quickly disappearing as temperatures slide into the 40s and 50s this week. Last week, highs were in the 80s.


(More History)