Leave bad virus be

Last month, W32.Badtrans variants of an old 32-bit Microsoft Windows worm infected tens of thousands of computers.

On PCs without the latest security patches, merely selecting an infected Microsoft Outlook e-mail for deletion activates the virus. Once running, the worm replicates by mailing itself to the address on every unopened message in the Outlook inbox.

It hides in the system directory as files named kern32.exe, kernel32.exe, kdll.dll or hksdll.dll. It also drops a Trojan horse into infected systems to scan for passwords, log-in names and credit card information. It attempts to e-mail what it finds, along with IP addresses, back to the virus creator.

Badtrans can be destroyed manually by deleting the files named above. Keeping security patches up to date prevents the worm from executing accidentally when its carrier e-mail is selected for deletion.
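A check for the file names listed above can be scripted before anything is deleted. The following is an added example, not code from GCN or any antivirus vendor; it assumes the system directory (of a live machine or a mounted disk image) is passed as an argument, and it only reports matches with size and SHA-256 so they can be recorded first.

```python
import hashlib
import os
import sys

# File names the article lists for Badtrans in the Windows system directory.
# Note that kernel32.dll, the genuine Windows library, is not on this list.
BADTRANS_NAMES = {"kern32.exe", "kernel32.exe", "kdll.dll", "hksdll.dll"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_badtrans_files(system_dir):
    """Return a sorted list of (name, size, sha256) for matching file names.

    Matching is case-insensitive because Windows file names are. Only regular
    files directly inside system_dir are checked, not subdirectories.
    """
    hits = []
    with os.scandir(system_dir) as entries:
        for entry in entries:
            if entry.name.lower() not in BADTRANS_NAMES:
                continue
            if not entry.is_file(follow_symlinks=False):
                continue  # a directory or link with a matching name is skipped
            try:
                size = entry.stat().st_size
                hits.append((entry.name, size, sha256_of(entry.path)))
            except OSError as exc:  # locked or unreadable: still report the name
                hits.append((entry.name, -1, "unreadable: %s" % exc.strerror))
    return sorted(hits)


if __name__ == "__main__":
    # Assumption: the directory to check is given on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, size, digest in find_badtrans_files(target):
        print("%-14s %8d bytes  %s" % (name, size, digest))
```

A name match is only an indicator; the hash and size give something to compare against an updated antivirus scan before the file is removed.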

The GCN Lab tested antivirus programs from McAfee.com Corp. of Sunnyvale, Calif., Symantec Corp. of Cupertino, Calif., and Trend Micro Inc. of Tokyo on Badtrans-infected computers. All the programs required the latest updates to be effective. A free Web virus scanner at www.housecall.antivirus.com can detect Badtrans but cannot clean it without downloading a 30-day trial version of Trend Micro's PC-cillin.

Last week a similar worm called Goner began making the rounds. Less dangerous than Badtrans, Goner works only if a user runs an attached .exe file disguised as a screen saver.

About the Author

John Breeden II is a freelance technology writer for GCN.
