Bad Trans and BadTrans.B Trojan Virus Information and Help

What is BadTrans Trojan Virus and How Did I Get It?

This trojan is another in a long line of trojans sent via email. Microsoft Outlook and Outlook Express, or other email clients that use Windows sockets, are susceptible to it. Once the worm is running on the system it replies to every unread email message with itself attached; the reply carries the same subject and message body as the original email. It also modifies the Win.ini file so that it runs again at reboot.

Upon execution the virus displays a message box (shown on the original page as an image, badtrans.gif).

How Do I Remove the Virus?

Because the virus modifies Win.ini, follow these instructions to remove its entry from there first.

1) Click on Start, Run
2) Type SYSEDIT and Click OK
3) Select the WIN.INI window and find the RUN line
4) Delete the following entry from the line and save the file

C:\WINDOWS\INETD.EXE
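The same Win.ini cleanup as a script, for checking many machines or a backed-up Win.ini. This is an added example, not code from the original page; it assumes the entry sits on the run= line of the [windows] section (entries separated by spaces or commas) and removes only that entry, leaving every other line intact. The sample Win.ini is constructed.

```python
r"""Remove the BadTrans autorun entry (C:\WINDOWS\INETD.EXE) from a Win.ini text.

Added example, not from the original page. Only the run= line of the
[windows] section is touched; other run= programs and all other lines stay.
"""
import re

BADTRANS_RUN_ENTRY = r"C:\WINDOWS\INETD.EXE"   # the value named in the removal steps

# Constructed sample of an infected Win.ini (not a real capture).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\INETD.EXE C:\TOOLS\MONITOR.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

def scrub_win_ini(text: str, bad_entry: str = BADTRANS_RUN_ENTRY) -> tuple:
    """Return (cleaned text, True if the entry was found and removed)."""
    out, removed, in_windows = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"   # track current section
        elif in_windows and re.match(r"run\s*=", stripped, re.IGNORECASE):
            key, _, value = line.partition("=")
            # run= may list several programs separated by spaces or commas
            entries = [e for e in re.split(r"[ ,]+", value.strip()) if e]
            kept = [e for e in entries if e.lower() != bad_entry.lower()]
            if len(kept) != len(entries):
                removed = True
                line = f"{key.rstrip()}={' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n", removed
```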

Now, run an up-to-date anti-virus program and scan your system for viruses. If you don't have an anti-virus program on your system, try using Housecall, an online anti-virus scanner, but definitely purchase anti-virus software and keep it up-to-date.

You will probably find at least two files infected as BadTrans: KERN32.EXE and CP_23421.NLS. Both should be deleted. If your anti-virus software can't delete them, write down the path to each file and restart your computer in MS-DOS mode. Once in DOS mode, use the DEL command to delete the files.

Once the files are deleted, restart Windows. This should get rid of the BadTrans virus, but be sure to update your software and run a thorough virus scan of your system to check for other viruses.

BadTrans.B Information

This variant of BadTrans logs keystrokes, emails the log file (including cached passwords) to its author, and sends email messages. It arrives with a randomly selected double-extension filename. It uses a known vulnerability in Internet Explorer-based email software (Outlook or Outlook Express) to execute the file attachment automatically, so the computer can be infected just by previewing the message.

You can read more about this vulnerability by clicking on the link below:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The virus will find unread mail to which it will reply. The subject will be "Re:". It changes the From address in the header, adding an underscore (_) in front of the email address, so replying to the email will be ineffective unless the _ is removed. The name of the attachment will be one of the following:

  • PICS
  • IMAGES
  • README
  • New_Napster_Site
  • NEWS_DOC
  • HAMSTER
  • YOU_ARE_FAT!
  • SEARCHURL
  • SETUP
  • CARD
  • ME_NUDE
  • Sorry_about_yesterday
  • S3MSONG
  • DOCS
  • HUMOR
  • FUN

In all cases, the worm will append two extensions. The first will be one of the following:

  • .doc
  • .mp3
  • .zip

The second extension that is appended to the file name is one of the following:

  • .pif
  • .scr

The log file and the cached passwords are sent to one of a hard-coded list of email addresses (mostly free webmail accounts), some of which are currently not operational.

If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field is taken from a hard-coded list of fake sender names and addresses.

BadTrans.B Removal Instructions

Follow these steps to remove the BadTrans.B variant in Windows 95/98:

1) Remove the virus entry from the Registry first. Click on Start, Run, type REGEDIT, and click OK.
2) Click on the plus (+) sign next to each of the following keys on the left-hand side to expand the path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
3) In the right panel, look for the value KERNEL32.EXE.
4) Click the registry value and delete it.
5) Close the Registry Editor.
6) Click on Start, Shut Down, and choose Restart in MS-DOS Mode.
7) Once the system has restarted in MS-DOS mode, type the following commands to delete the virus files:
CD \WINDOWS\SYSTEM (ENTER)
DEL CP_25389.NLS (ENTER)
DEL KERNEL32.EXE (ENTER)
DEL KDLL.DLL (ENTER)
8) Type EXIT to restart the computer.

Because the files may be in use, on Windows ME, Windows 2000, or Windows XP you may need to restart the computer in Safe Mode before deleting the files, instead of restarting in MS-DOS mode.

Now, run a thorough virus scan of your system to check for any reinfection.

Written by Mark Hasting