WIN32/Badtrans.29020.A

Alias: W32.Badtrans.B@mm, W32/Badtrans-B, I-Worm.BadtransII

Win32/Badtrans.29020.A is yet another, “remodelled“ version of WIN32/Badtrans worm. It spreads via infected e-mail attachment and taking advantage of the IFRAME security hole.
The e-mail attachment uses the double extension trick to desgise its real identity. The first extension is either .DOC, .ZIP or .MP3, while the second one (.SCR or .PIF) may not be visible in some systems.
The attachment name varies and can acquire one of the following values: Pics, images, README, New_Napster_Site, info, news_doc, HAMSTER, YOU_are_FAT!, stuff, SETUP, Card, Me_nude, Sorry_about_yesterday, docs, Humor, fun, SEARCHURL, S3MSONG

The infected message Subject line is either an empty field, ‘RE:‘ string, or, eventually, it contains a randomply selected subject from the Inbox folder.

The sender address is either a real address or a faked one. The address of a recipient can be either found via MAPI from the Inbox, or searching the *.HT* or *.ASP files.

To avoid sending the worm repeatedly to the same user/s, a PROTOCOL.DLL log file is created. This file contains the list of recipients of the infected mail.

The body of the worm is stored in the kernel32.exe file located in Windows system directory.

Activation of the worm is provided by the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Kernel32=kernel32.exe
in the corresponding registry.

The worm also installs a Trojan on the infected system. The latter creates a log/file KDLL.DLL of the keystrokes pressed on the infected computer keyboard and sends them to alternative address from an internal list. The Log file is stored in a file CP_25389.NLS.

NOD32, ver. 1.126 and higher detects and cleans the infiltration.