1. The virus is called W32.Badtrans.B. My husband got it in an email and when he opened the message the viurs was instantly send to everyone in his address book. Which is about 150 people . Along with the virus sending out mass emails it also installes a password program the erases your passwords into site (that's how I understood it anyway)....for example had to logon to the BB whereas usually I am automatically signed in. The virus does not destroy your hard drive. We are still in the process of deleted it with a virus scan program...but it is kinda tricky. Here is some more info on it:

    W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.

    Type: Worm

    Infection Length: 29,020 bytes

    Virus Definitions: November 24, 2001

    Large scale e-mailing: Uses MAPI commands to send email.
    Compromises security settings: Installs keystroke logging Trojan horse.

    Name of attachment: randomly chosen from preset list

    Size of attachment: 29,020 bytes

    Technical description:
    This worm arrives as an email with one of several attachment names and a combination of two appended extensions. It contains a set of bits that control its behavior:

    001 Log every window text
    002 Encrypt keylog
    004 Send log file to one of its addresses
    008 Send cached passwords
    010 Shut down at specified time
    020 Use copyname as registry name (else kernel32)
    040 Use kernel32.exe as copyname
    080 Use current filename as copypath (skips 100 check)
    100 Copy to /system/ (else copy to /windows/)

    When it is first executed, it copies itself to /System/ or /Windows/ as Kernel32.exe, based on the control bits. Then it registers itself as a service process (Windows 9x/Me only). It creates the key log file \System\Cp_25389.nls and drops System\Kdll.dll which contains the key logging code.

    NOTE: /Windows/ and /System/ are variables. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) or the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

    A timer is used to examine the currently open window once per second, and to check for a window title that contains any of the following as the first three characters:


    These texts form the start of the words LOGon, PASsword, REMote, CONnection, TERminal, NETwork. There are also Cyrillic versions of these same words in the list. If any of these words are found, then the key logging is enabled for 60 seconds. Every 30 seconds, the log file and the cached passwords are sent to one of these addresses:

    After 20 seconds, the worm will shut down if the appropriate control bit is set.

    If RAS support is present on the computer, then the worm will wait for an active RAS connection. When one is made, with a 33% chance, the worm will search for email addresses in *.ht* and *.asp in %Personal% and Internet Explorer %Cache%. If it finds addresses in these files, then it will send mail to those addresses. The attachment name will be one of the following:


    In all cases, MAPI will also be used to find unread mail to which the worm will reply. The subject will be "Re:". In that case, the attachment name will be one of the following:


    In all cases, the worm will append two extensions. The first will be one of the following:


    The second extension that is appended to the file name is one of the following:


    The resulting file name would look similar to CARD.Doc.pif or NEWS_DOC.mp3.scr.

    If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:

    "Mary L. Adams" <>
    "Monika Prado" <>
    "Support" <>
    " Admin" <>
    " Administrator" <>
    "Joanna" <>
    "Mon S" <>
    "Linda" <>
    " Andy" <>
    "Kelly Andersen" <>
    "Tina" <>
    "Rita Tulliani" <>
    " Anna" <>

    Email messages use the malformed MIME exploit to allow the attachment to execute in Microsoft Outlook without prompting. For information on this, go to:

    The worm writes email addresses to the %System%\Protocol.dll file to prevent multiple emails to the same person.

    After sending mail, the worm adds the value

    Kernel32 kernel32.exe

    to the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce

    This will run the worm the next time that you start Windows.

    Removal instructions:

    To remove this worm, follow the instructions for your operating system.

    Basic instructions

    Windows 95/98/Me

    1. Restart Windows in Safe Mode
    2. Run Norton AntiVirus and delete all files that are detected as W32.Badtrans.B@mm.
    3. Remove the value that it added to the registry.

    For detailed instructions, see the sections that follow.

    Windows NT/2000
    1. Rename the file Kernel32.exe.
    2. Remove the value added to the registry.
    3. Restart the computer.
    4. Run Norton AntiVirus and delete all files that are detected as W32.Badtrans.B@mm.

    For detailed instructions, see the sections that follow.

    Detailed instructions

    To restart 95/98/Me in Safe mode:
    For instructions, read the document How to restart Windows 9x or Windows Me in Safe Mode.

    To Rename the file Kernel32.exe under Windows NT/2000
    1. Click Start, point to Find or Search, and click Files or Folders.
    2. Make sure that "Look in" is set to (C and that Include subfolders is checked.
    3. In the "Named" or "Search for..." box, type the following:


    CAUTION: Make sure that you type the full name as shown. You must rename the Kernel32.exe file, not the legitimate Windows file Kernel32.dll

    4. Click Find Now or Search Now.
    5. Right-click the file that is displayed and then click Rename.
    6. Rename the file to Kernel32.old and press Enter.
    7. Close the Find or Search window.
    8. Restart the computer.

    To run Norton AntiVirus and delete detected files:

    CAUTION: Make sure that you are in Safe mode (Windows 95/98/Me) or have already renamed the Kernel32.exe file (Windows NT/2000).

    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
    3. Run a full system scan.
    4. Delete all files that are detected as W32.Badtrans.B@mm.

    To edit the registry:

    CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce

    4. In the right pane, delete the following value:

    Kernel32 kernel32.exe

    5. Click Registry, and then click Exit.

    Additional information:


    Corporate email filtering systems should block all email that have attachments with the extensions .scr and .pif.
    Home users should not open any email that has an attachment in which the second extension is .pif or .scr. Any email that has such an attachment should be deleted.
    Last edit by misti_z on Nov 27, '01
  2. 4 Comments

  3. by   Ted
    Thank you for the warning!!!!

    Just found to email messages with the same characteristics as what you described in your post. I did not open them, thank goodness!!! Also, luckily I found them at while using the computer at work and not my home computer (hopefully it doesn't harm this work computer . . . YIKES!!!)

    So, folks, be on the warning as "misti_z" suggests!!!

    Ted Fiebke
  4. by   CEN35
    hello all,

    while i have not really felt like posting or doing much else lately, i felt the need to inform you all of a few things you can do to help prevent this problem.

    we have all heard of the norton and symantec anti-virus programs, there also are many other options. one of the problems with email, is you are giving your computer the authorization to download a virus or other things. however, if you are not aware of it, people can access your computer while online, and install a virus or get personal info if they wanted, without you ever knowing it. there are a few things you can do though........ i have tried some different programs. there is one out there that is awesome. you can use it in addition to your anti-virus stuff.

    i'm not sure what is considered advertising? or not? or what all can be said? any interest in some help? send me a pm. or .com? can't remember......will check your ports.......... then for an awesome selfcontrolled firewall.
    Last edit by CEN35 on Nov 30, '01
  5. by   kennedyj
    You can also put in a fake email as your first in your address book or set to send/receive manually if you use MS outlook that way you will get a huge stack in your outbox and can delete later not sending it. If you put an email like AAA**((.*** it may find this as an error and stop transmission. Some worms can send ip/cookies to allow someone to get into your computer. I use a firewall called zonelock that tells me if any programs are trying to connect to the net.

    Many viruses are going I have received 4 in about the last few months.

    Best advice- dont open up any unusual files with odd extensions .doc.pif, pif, dat, .bat and be very careful with .exe as many cute programs may have an underlying virus. The antivirus always comes out after the virus..LOL
  6. by   kennedyj
    This is funny. I just cleaned the same virus off my computer today. My Norton AV update was 2 weeks old and didnt catch it , but after I updated it it scanned it. Luckily the firewall program caught the emails from going out. It places a few lines in your kernl.dll files to help it autoexecute. symantec has a good cleaning program. You will also need to disable your autorecovery settings (right click my computer>properties>performance>file system >trouble shooting then check the disable system restore)

    This one has been lurking around a lot.

    You should change your passwords because it also sends password lists and anything in your cache to the hosts email address. Especially if you any auto logon or saved passwords so you dont have to enter every time. If you dont have a firewall check this one out. It have been rated very good and has a free unlimited download. I would recommend it.