Badtrans.B is an e-mail worm. We first started seeing it on the 24th of November, 2001. The worm automatically sends infected attachments. The attachment may execute automatically when the emails are viewed.
Badtrans.B is spreading through Microsoft Windows systems. Not only does the virus send email messages with infected attached files, it also installs a spying "Trojan horse" component that steals private information from infected systems.
The virus consists of two main components:
Important Points
The worm usually comes as an email with a return address that starts with an underscore (such as, "Wilson's Auction" _auction@aol.com .) The subject line of the email usually reads:
Subject: Re:
The worm also drops an additional keyboard hooker into the system. The worm then spies on any text entered by the victim.
After the worm completes the installation process, it deletes the original infected file.
The worm's attachment might execute automatically when the emails are viewed. To do this Badtrans.B uses a known vulnerability in Microsoft Internet Explorer that allows automatic execution of an email attachment.
The worm also drops a password stealing Trojan called KDLL.DLL.
The worm only sends one infected email to each email address.
The Trojan may go undetected by virus protection software.