Leave bad virus be

Leave bad virus be

W32.Badtrans variants of an old 32-bit Microsoft Windows worm last month infected tens of thousands of computers.

On PCs without the latest security patches, even selecting an infected Microsoft Outlook e-mail for deletion will activate the virus. Once running, the worm replicates itself by mass-mailing to every unopened message address in the Outlook inbox.

It hides in the system directory as files named kern32.exe, kernel32.exe, kdll.dll or hksdll.dll.. It also drops a Trojan horse into infected systems to scan for passwords, log-in names and credit card information. It attempts to e-mail what it finds, along with IP addresses, back to the virus creator.

Deleting the above files can manually destroy Badtrans. Updating security patches prevents accidental execution by selecting its e-mail vector for deletion.

The GCN Lab tested antivirus programs from McAfee.com Corp. of Sunnyvale, Calif., Symantec Corp. of Cupertino, Calif., and Trend Micro Inc. of Tokyo on Badtrans-infected computers. All the programs required the latest updates to be effective. A free Web virus scanner at www.housecall.antivirus.com can detect Badtrans but not clean it without download of a 30-day trial version of Trend Micro's PC-cillin.

Last week a similar worm called Goner began making the rounds. Less dangerous than Badtrans, Goner works only if a user runs an attached .exe file disguised as a screen saver.

About the Author

John Breeden II is a freelance technology writer for GCN.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above