A minor bug could cause global e-mail communications chaos
Cambridge, United Kingdom, April 12, 2001 - Kaspersky Lab, an international
data-security software-development company, warns computer users that the new
multi-component Internet worm "Badtrans" has been discovered "in the wild."
The worm infects computers running the Windows 95/98/ME/NT/2000 operating systems.
"Badtrans" is a Win32 executable file (PE EXE file) found "in the wild"
in compressed form, and is about 13Kb in size. When decompressed, the worm's
size increases to about 40Kb.
The worm has a multi-component structure and consists of three different components
that are dropped on disk as separate files and run as stand-alone programs
(a dropper component, an e-mail worm and a Trojan). The worm routine is the main
component: it carries the Trojan program body in its code and installs it into
the system while infecting a new machine. The Trojan component gives a remote
user unauthorized control over the infected system and the ability to steal
confidential information.
"Badtrans" arrives as an e-mail message with an attached file whose name is
randomly selected from a list of names, and contains the text "Take a look to the
attachment" in the message body.
In addition to stealing confidential information, the worm's other danger is
its ability to paralyze data transmission channels. Because of a minor bug,
it may send a copy of itself in reply to every single unread message in the inbox
folder, even if that message was received from another infected computer.
For example, a worm at computer "A" detects an unanswered message
in the inbox folder received from infected computer "B," and sends
its copy there. In turn, computer "B" receives an infected message
and answers back, and so on, reminiscent of the well-known ping-pong game in which
players keep sending the ball back to the other side of the table. As a result, data
traffic between two infected computers increases a thousand-fold, and in just
one hour, the worm can deliver literally thousands of infected messages.
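The reply loop described above leaves a recognizable pattern at a mail gateway: attachment-bearing messages that keep reversing direction between the same two addresses within seconds. The following is an added example, not part of the original advisory and not Kaspersky Lab's detection logic; the record layout, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of mail-gateway records: (epoch seconds, sender, recipient, has_attachment).
# Addresses and field layout are hypothetical, not taken from the advisory.
SAMPLE_LOG = [
    (1000, "a@example.org", "b@example.org", True),
    (1004, "b@example.org", "a@example.org", True),
    (1009, "a@example.org", "b@example.org", True),
    (1013, "b@example.org", "a@example.org", True),
    (1018, "a@example.org", "b@example.org", True),
    (1022, "b@example.org", "a@example.org", True),
    (1030, "c@example.org", "d@example.org", True),   # one-off attachment
    (1200, "d@example.org", "c@example.org", False),  # ordinary reply, no attachment
    (1300, "e@example.org", "f@example.org", True),   # one-way bulk, never answered
    (1301, "e@example.org", "f@example.org", True),
    (1302, "e@example.org", "f@example.org", True),
]


def find_reply_loops(records, max_gap_s=60, min_bounces=4):
    """Return {(addr1, addr2): longest_run} for pairs whose attachment-bearing
    messages reverse direction at least min_bounces times in a row, with each
    reversal arriving within max_gap_s of the previous message."""
    by_pair = defaultdict(list)
    for ts, sender, rcpt, has_attachment in records:
        if has_attachment:
            by_pair[tuple(sorted((sender, rcpt)))].append((ts, sender))

    loops = {}
    for pair, msgs in by_pair.items():
        msgs.sort()
        run = best = 0
        for (prev_ts, prev_sender), (ts, sender) in zip(msgs, msgs[1:]):
            # A bounce is a message going the opposite way soon after the last one.
            if sender != prev_sender and ts - prev_ts <= max_gap_s:
                run += 1
            else:
                run = 0
            best = max(best, run)
        if best >= min_bounces:
            loops[pair] = best
    return loops


if __name__ == "__main__":
    for (a, b), bounces in find_reply_loops(SAMPLE_LOG).items():
        print(f"possible mail ping-pong between {a} and {b}: {bounces} reversals")
```

A pair flagged this way is a candidate for rate limiting or quarantine at the gateway while both endpoints are cleaned.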
Protection against the "Badtrans" worm has already been added to
the Kaspersky™ Anti-Virus virus signature database. Please update your Kaspersky
Anti-Virus using the built-in updater or manually from http://www.kaspersky.com/updates.asp.
More details about the worm are available in the Kaspersky
Virus Encyclopedia.
Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store
or from a worldwide network of Kaspersky
Anti-Virus distributors and resellers.