Leave bad virus be
- By John Breeden II
- Dec 07, 2001
W32.Badtrans variants of an old 32-bit Microsoft Windows worm last month infected tens of thousands of computers.
On PCs without the latest security patches, even selecting an infected Microsoft Outlook e-mail for deletion will activate the virus. Once running, the worm replicates itself by mass-mailing to every unopened message address in the Outlook inbox.
It hides in the system directory as files named kern32.exe, kernel32.exe, kdll.dll or hksdll.dll. It also drops a Trojan horse into infected systems to scan for passwords, log-in names and credit card information. It attempts to e-mail what it finds, along with IP addresses, back to the virus creator.
Badtrans can be removed manually by deleting the files named above. Applying the latest security patches prevents the worm from running when its carrier e-mail is merely selected for deletion.
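As an added example (not part of the original article), the sketch below lists files in a directory whose names match the four the article gives, with size and SHA-256 so each hit can be reviewed before anything is deleted. The function names and the constructed sample directory are assumptions made for illustration; only the four file names come from the article.

```python
import hashlib
import os
import tempfile

# File names the article lists for Badtrans in the Windows system directory.
BADTRANS_NAMES = {"kern32.exe", "kernel32.exe", "kdll.dll", "hksdll.dll"}


def find_badtrans_files(system_dir):
    """Return (path, size, sha256) for each file whose name is on the list.

    Matching is on the whole name, case-insensitively, because Windows file
    names are case-insensitive. Whole-name matching keeps the legitimate
    kernel32.dll out of the results; only kernel32.exe is on the list.
    """
    hits = []
    for entry in sorted(os.scandir(system_dir), key=lambda e: e.name.lower()):
        if not entry.is_file(follow_symlinks=False):
            continue
        if entry.name.lower() not in BADTRANS_NAMES:
            continue
        digest = hashlib.sha256()
        with open(entry.path, "rb") as handle:
            for chunk in iter(lambda: handle.read(65536), b""):
                digest.update(chunk)
        hits.append((entry.path, entry.stat().st_size, digest.hexdigest()))
    return hits


def demo():
    """Scan a constructed directory that stands in for the system directory."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: two listed names, two that must not match.
        for name in ("KERNEL32.EXE", "kdll.dll", "kernel32.dll", "notepad.exe"):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(b"constructed sample\n")
        return [os.path.basename(p) for p, _size, _sha in find_badtrans_files(root)]


if __name__ == "__main__":
    for name in demo():
        print("review before deleting:", name)
```

The scan only reports; it leaves deletion to the operator, since a name match alone does not prove a file belongs to the worm.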
The GCN Lab tested antivirus programs from McAfee.com Corp. of Sunnyvale, Calif., Symantec Corp. of Cupertino, Calif., and Trend Micro Inc. of Tokyo on Badtrans-infected computers. All the programs required the latest updates to be effective. A free Web virus scanner at www.housecall.antivirus.com can detect Badtrans but cannot clean it without downloading a 30-day trial version of Trend Micro's PC-cillin.
Last week a similar worm called Goner began making the rounds. Less dangerous than Badtrans, Goner works only if a user runs an attached .exe file disguised as a screen saver.
About the Author
John Breeden II directs the GCN Lab. Follow him on Twitter: @GCNLabGuys.