Badtrans worm with keystroke logging functionality

badtrans-worm (7607) The risk level is classified as High Risk

Description:

Badtrans is a mass-emailer worm that includes some enhanced functionality to record an infected user's keystrokes. Badtrans is not intentionally destructive to files or data, but it may cause network traffic difficulties.

The Badtrans worm employs three main components:

  • the Microsoft Malformed MIME header exploit
  • a MAPI mass emailing engine
  • keystroke logging functionality

The author of the Badtrans worm used a modified version of the "Hooker" keystroke logging software, which was designed to gather security-sensitive information on the host by looking for passwords, gathering IP addresses, and capturing keystrokes. The Badtrans worm sends such information to one of several email addresses.


Consequences:

Gain Access

Remedy:

To remove the Badtrans worm from your system:

CAUTION: Use Registry Editor at your own risk. Any change made with Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Delete the CP_25389.NLS file from the C:\Windows\System directory or the C:\Winnt\System32 directory (depending on your configuration).
  2. Using regedit, find the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce registry key.
  3. Delete the kernel32 value.
  4. Restart your computer.
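The removal steps above can be checked before they are applied. The following PowerShell script is an added example, not part of the original advisory: it reports whether the dropped file and the RunOnce value named in the remedy are present on the host, and only deletes them when run with the assumed -Remove switch. It assumes an elevated session; the $env:SystemRoot path is an addition to cover installs outside the two directories the advisory lists.

```powershell
# Added detection/cleanup check for the Badtrans indicators named in this advisory.
# Assumptions: run elevated on the host being checked; -Remove is a switch added here.
param([switch]$Remove)

# File paths from the advisory, plus the actual system directory of this host.
$fileCandidates = @(
    'C:\Windows\System\CP_25389.NLS',
    'C:\Winnt\System32\CP_25389.NLS',
    (Join-Path $env:SystemRoot 'System32\CP_25389.NLS')
) | Select-Object -Unique

$runOnceKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$valueName  = 'kernel32'
$findings   = @()

# Step 1: look for the dropped keylogger component.
foreach ($path in $fileCandidates) {
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

# Steps 2-3: look for the persistence value under RunOnce.
$runOnce = Get-ItemProperty -Path $runOnceKey -ErrorAction SilentlyContinue
if ($runOnce -and $runOnce.PSObject.Properties[$valueName]) {
    $findings += "RunOnce value '$valueName' = $($runOnce.$valueName)"
    if ($Remove) { Remove-ItemProperty -Path $runOnceKey -Name $valueName }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Badtrans indicators from this advisory found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if ($Remove) { Write-Output 'Indicators removed; restart the computer to complete step 4.' }
}
```

Run it once without -Remove to record what is present, then again with -Remove to perform steps 1 to 3 of the remedy.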

References:

Platforms Affected:

  • Microsoft Windows 2000
  • Microsoft Windows 2003 Server
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows Me
  • Microsoft Windows NT 4.0
  • Microsoft Windows XP

Reported:

Nov 24, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
