Badtrans
Badtrans
Type Mass-mailer worm
Creator
Date Discovered 2001.04
Place of Origin Poland
Source Language C++
Platform MS Windows
File Type(s) .exe, .pif, .scr
Infection Length
Reported Costs

Badtrans is an email worm from 2001. Similar to the Nimda worm, Badtrans uses an exploit in Microsoft's Outlook email program, that gives it the ability to launch itself from the preview pane.

Behavior

Badtrans arrives in an email with many possible spoofed sender lines. The sender line may be one collected from SMTP information on the computer it came from or from 15 possible sender lines contained inside the worm. It can launch itself from the preview pane in Microsoft Outlook, but must be downloaded and executed for other email clients. The attachment is 29,020 bytes long.

When Badtrans is executed, it copies itself to the Windows system folder as Kernel32.exe and (in Windows 95, 98 and ME) registers itself as a sevice process. It also drops a key log file Cp_25389.nls and the key logger, Kdll.dll in the system folder. The worm displays a dialog box titled, "WinZip Self-eXtractor," which reads, "File data corrupt: probably due to a bad data transmission or bad disk access."

The worm checks for an open window with the title beginning with the following sets of letters: LOG, PAS, REM, CON, TER, NET (obviously to check for the words LOGon, PASsword, REMote, CONnection, TERminal, NETwork, and it also looks for Russian versions of these words). If these words are found, keylogging is enabled for 60 seconds. After Badtrans pilfers keystrokes the data is sent back to one of 22 email addresses (this is according to the FBI— leading anti-virus vendors have only reported seventeen email addresses):

  • moc.oohay|KIYHODVZ#moc.oohay|KIYHODVZ
  • moc.oohay|cccqztdu#moc.oohay|cccqztdu
  • moc.oohay|BCALECTD#moc.oohay|BCALECTD
  • moc.oohay|HT2HCM1I#moc.oohay|HT2HCM1I
  • moc.oohay|21QJDAPW#moc.oohay|21QJDAPW
  • moc.tropsorue|rms#moc.tropsorue|rms
  • moc.adanac|2dngb#moc.adanac|2dngb
  • moc.erviuseriaf|apirwum#moc.erviuseriaf|apirwum
  • ten.ysllab|selcce#ten.ysllab|selcce
  • moc.egnahc-x-liam|sitneM_S#moc.egnahc-x-liam|sitneM_S
  • moc.eticxe|ZGTJFPJY#moc.eticxe|ZGTJFPJY
  • moc.eticxe|DCZQGJ#moc.eticxe|DCZQGJ
  • moc.eticxe|3JZHX#moc.eticxe|3JZHX
  • moc.eticxe|LRLYNUZO#moc.eticxe|LRLYNUZO
  • moc.eticxe|dqlnst#moc.eticxe|dqlnst
  • ten.aktavork|gowakxc#ten.aktavork|gowakxc
  • moc.xoblaerym|ndss#moc.xoblaerym|ndss
  • moc.deriftogtsuji|kcirp_ym_kcus#moc.deriftogtsuji|kcirp_ym_kcus (this is one of the email addresses not reported by antivirus companies)

After 20 seconds, the worm shuts down if the appropriate control bit is set.

If RAS (Remote Access Service) support is present on the computer, then the worm waits for an active RAS connection. When a RAS connection is made, there is a 33% chance that the worm will search for email addresses in *.ht* and *.asp files in the Personal and Internet Explorer Cache directories. If it finds addresses in these files, then it sends mail to those addresses using the victim's SMTP server. If this server is unavailable, the worm will choose from a list of its own.

If the worm finds SMTP information on the infected computer, it will generate a sender line in the email it sends to the next victim. Otherwise, the "From:" line will be one of these:

  • "Mary L. Adams" <ten.moc-c|yram#ten.moc-c|yram>
  • "Monika Prado" <moc.ailet|akinom#moc.ailet|akinom>
  • "Support" <ten.pmarrebyc|troppus#ten.pmarrebyc|troppus>
  • " Admin" <ten.etg|nimda#ten.etg|nimda>
  • " Administrator" <ten.redrob|rotartsinimda#ten.redrob|rotartsinimda>
  • "JESSICA BENAVIDES" <moc.loa|acissej#moc.loa|acissej>
  • "Joanna" <ude.saxetu.liam|annaoj#ude.saxetu.liam|annaoj>
  • "Mon S" <moc.liamtoh|llorredips#moc.liamtoh|llorredips>
  • "Linda" <moc.liamtoh|laznogl#moc.liamtoh|laznogl>
  • " Andy" <moc.aidem-bewh|ydna#moc.aidem-bewh|ydna>
  • "Kelly Andersen" <moc.loa|94ytivarG#moc.loa|94ytivarG>
  • "Tina" <moc.oohay|8280anit#moc.oohay|8280anit>
  • "Rita Tulliani" <ac.nortoediv|ffuprewop#ac.nortoediv|ffuprewop>
  • "JUDY" <MOC.LOA|172BUJUJ#MOC.LOA|172BUJUJ>
  • " Anna" <moc.emoh|ozzia#moc.emoh|ozzia>

The attachment name in the sent email will be one of these chosen randomly by the worm:

  • Pics
  • images
  • README
  • New_Napster_Site
  • news_doc
  • HAMSTER
  • YOU_are_FAT!
  • stuff
  • SETUP
  • Card
  • Me_nude
  • Sorry_about_yesterday
  • info
  • docs
  • Humor
  • fun

The worm will use MAPI to find unread email and reply to it. The subject line of these emails will be "Re:" and the attachment will be one of these:

  • PICS
  • IMAGES
  • README
  • New_Napster_Site
  • NEWS_DOC
  • HAMSTER
  • YOU_ARE_FAT!
  • SEARCHURL
  • SETUP
  • CARD
  • ME_NUDE
  • Sorry_about_yesterday
  • S3MSONG
  • DOCS
  • HUMOR
  • FUN

The worm also appends two extensions to each attachment. The first of these will be .doc, .mp3 or .zip. The second will be .pif or .scr.

The worm writes email addresses to the Protocol.dll file in the system folder to prevent multiple emails to the same person. Additionally, the underscore ( _ ) character is prepended to the sender's email address, which prevents replying to infected mails to warn the sender. Badtrans can overload computers because it does not check for copies of itself on the newly-infected computer. Because the worm sends itself as a reply to unanswered emails, it is also possible for two copies of the worm to be on two computers and perpetually send copies back and forth between the two.

After sending the mail, the worm adds the value "Kernel32 = kernel32.exe" to the local machine registry key which ensures the worm will run once the next time Windows is restarted.

Effects

Badtrans was the fastest spreading worm seen at the time of its appearance.

In two incidents a little more than two months apart, the BTopenworld company became infected with the worm and it spread its customers. To BTopenworld's credit, they quickly responded to the situation, giving explanations and apologies, with a cleanup coming shortly thereafter.

The FBI's "Magic Lantern"

The FBI demanded access to the database containing the passwords and private communications that Badtrans collected, demanding access to the 22 email addresses the worm sent keylogged data to. This worried some civil libertarians, who noted that the FBI could not have obtained most if any of the information by legal means. In addition, only four days before the breakout of Badtrans, the FBI had revealed that it was developing its own keystroke logger, Magic Lantern. At least one email service, MonkeyBrains.net did not comply completely, rather placing a database publicly on the internet (with some of the more vital information such as passwords removed).

Name

Badtrans likely gets its name from the message "File data corrupt: probably due to a bad data transmission or bad disk access." Astrologer Anne Massey believes the worm's name is of some cosmic significance.

Antivirus Aliases

  • ALWIL (Avast!): Win32:Badtrans
  • Avira: Worm/BadTrans.1
  • CA: Win32.Badtrans.29020
  • ClamAV: Worm.BadTrans.1
  • Doctor Web: Win32.HLLW.Badtrans
  • Eset: Win32/Badtrans.13312
  • FRISK (F-Prot): W32/Badtrans.A
  • F-Secure: W32/Badtrans.B@mm
  • Grisoft: I-Worm/BadTrans
  • Kaspersky Lab: I-Worm.BadtransII, Email-Worm.Win32.Badtrans.a
  • McAfee: W32/BadTrans@MM
  • Norman: Badtrans.B@mm
  • Panda: W32/Badtrans.B
  • RAV: Win32/Badtrans.A@mm
  • SOFTWIN (BitDefender): I-Worm.Badtrans
  • Sophos: W32/Badtrans-B
  • Symantec (Norton): W32.Badtrans.gen@mm
  • Trend Micro: WORM_BADTRANS.B
  • Vexira: Badtrans.B

Sources

Peter Ferrie. Symantec Security Response, "W32.Badtrans.B@mm"

Mary Landesmann, About.com, Antivirus, Badtrans

John Leyden. The Register, "BTopenworld sends Trojan to subscribers", and "BTopenwoe emails virus to customers". 2001.09.24 and 2001.11.26

-. -, "BadTrans virus bites Windows users hard". 2001.11.26

Thomas C. Greene. -, FBI surveillance bonanza in BadTrans.B worm. 2001.12.18

Robert Lemos. CNet News, BadTrans virus fizzles on Good Friday. 2001.04.13

-.-, Worm hits home for the holidays. 2001.11.27

Peter Ferrie, Peter Szor. Symantec Security Response, Badtrans 2002.02 (PDF)

Golem.de, Wiedergeburt des Badtrans-Wurms (Update) 2001.11.26

-, Wurm Badtrans gefährdet E-Mail-Kommunikation 2001.04.17

BTOpenworld's Statement

MonkeyBrains Badtrans.B Database (Archived, no longer active)

FBI asks for Access to Badtrans Database

Trend Micro, WORM_BADTRANS.B.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License