"Badtrans" Can Paralyze Data Transmission Channels

12 Apr 2001
Virus News

A minor bug could cause global e-mail communications chaos

Cambridge, United Kingdom, April 12, 2001 - Kaspersky Lab, an international data-security software-development company, warns computer users about the discovery "in-the-wild" of the new multi-component Internet-worm "Badtrans."

The worm infects computers running the Windows 95/98/ME/NT/2000 operating systems. "Badtrans" is a Win32 executable file (PE EXE file) found "in-the-wild" in compressed form, and is about 13Kb in size. Once decompressed, the worm's size increases to about 40Kb.

The worm has a multi-component structure: it consists of three components (a dropper, an e-mail worm and a Trojan) that are dropped on a disk as separate files and run as stand-alone programs. The worm routine is the main component; it carries the Trojan program body in its code and installs it into the system while infecting a new machine. The Trojan component enables a remote user to gain unauthorized control over the infected system and steal confidential information.

"Badtrans" arrives as an e-mail message with an attached file whose name is randomly selected from a list of names, and contains the text "Take a look to the attachment" in the message body.

In addition to stealing confidential information, the worm is dangerous because it can paralyze data transmission channels. Because of a minor bug, it may send a copy of itself in reply to every single unread message in the inbox folder, even if that message was received from another infected computer.

For example, the worm on computer "A" detects an unanswered message in the inbox folder received from infected computer "B," and sends its copy there. In turn, computer "B" receives the infected message and answers back, and so on, reminiscent of a game of ping-pong in which each player keeps returning the ball to the other side. As a result, data traffic between two infected computers increases a thousand-fold, and in just one hour, the worm can deliver literally thousands of infected messages.
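The reply loop described above leaves a recognizable trace in mail-server logs: a burst of attachment-bearing messages flowing in both directions between the same two addresses. The following detection sketch is an added example, not part of the original release; the record layout, the addresses, and the window and threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def make_sample():
    """Constructed sample records: (epoch_seconds, sender, recipient, has_attachment)."""
    records = []
    # Two hosts bouncing attachment-bearing mail back and forth every 20 s.
    for i in range(30):
        pair = ("a@example.test", "b@example.test")
        src, dst = pair if i % 2 == 0 else pair[::-1]
        records.append((1000 + 20 * i, src, dst, True))
    # Ordinary correspondence: one attachment, one plain reply.
    records.append((1010, "c@example.test", "d@example.test", True))
    records.append((1500, "d@example.test", "c@example.test", False))
    # High-volume but one-way traffic (e.g. a mailing list): must not be flagged.
    for i in range(30):
        records.append((1000 + 5 * i, "news@example.test", "c@example.test", True))
    return records

def find_pingpong_pairs(records, window=600, threshold=20):
    """Return address pairs that exchanged at least `threshold`
    attachment-bearing messages, in both directions, within any
    `window`-second span. Both limits are assumed tuning values."""
    recent = defaultdict(deque)   # unordered pair -> deque of (timestamp, sender)
    flagged = set()
    for ts, sender, recipient, has_attachment in sorted(records):
        if not has_attachment or sender == recipient:
            continue
        pair = frozenset((sender, recipient))
        q = recent[pair]
        q.append((ts, sender))
        # Drop entries that have fallen out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        both_directions = len({s for _, s in q}) == 2
        if len(q) >= threshold and both_directions:
            flagged.add(tuple(sorted(pair)))
    return flagged

if __name__ == "__main__":
    for a, b in sorted(find_pingpong_pairs(make_sample())):
        print(f"possible mail ping-pong loop: {a} <-> {b}")
```

Requiring traffic in both directions is what separates the loop from ordinary bulk mail, which is high-volume but one-way.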

Protection against the "Badtrans" worm has already been added to the Kaspersky™ Anti-Virus virus signature database. Please update your Kaspersky Anti-Virus using the built-in updater or manually from http://www.kaspersky.com/updates.asp.

More details about the worm are available in the Kaspersky Virus Encyclopedia.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store or from a worldwide network of Kaspersky Anti-Virus distributors and resellers.
