'Badtrans' worm picks up speed
By Daniel Sieberg
(CNN) -- An Internet worm that leaves a backdoor for hackers and allows them to record keystrokes spread rapidly Monday, officials of several antivirus companies said.
The worm, called "Badtrans.b," is a variant of an earlier identified worm and sends itself out through versions of Microsoft's Outlook and Outlook Express e-mail programs.
It was reported to have infected thousands of computers in the United States and Europe by late afternoon on Monday and was continuing to propagate. To date, security firm MessageLabs said it has captured more than 13,000 copies of the worm.
"The fact that this worm can log private details through keystrokes has huge implications for personal and corporate confidentiality and underlines the recent advances in virus writing techniques," said Andy Faris, president of MessageLabs Americas.
Faris said home users are the most susceptible to Badtrans since most corporations can stop it at the Internet gateway.
What troubles security experts most is that if users are viewing e-mail in the preview pane of Outlook, the worm can be spawned without even clicking on an attachment. Double-clicking on the attachment will also launch it.
"It's certainly not on the scale of 'Love Letter' or even 'Sircam.' But the way it exploded over the last two days, it's certainly in the Top 5 Internet worms for this year," said April Goostree, virus research manager at antivirus firm McAfee.
Once Badtrans is launched, it begins distributing files on the infected user's machine and installs the backdoor program, giving a potential hacker remote access. The damaging payload also drops a "keylogger" program that records everything a person types -- a means to steal credit card information and passwords.
Goostree said the keystroke data was being sent to a Web site that has subsequently been shut down. She said it was unclear how many people may have had access to it, and she was also not aware of any reports of people's information being stolen to date.
The social engineering of Badtrans is equally nefarious: It arrives in the recipient's in-box with a "Re:" subject line that appears to be a response to an e-mail actually sent by the user.
It then sends itself out in reply to all unread messages in a person's inbox. This e-mailing process will not begin until the computer has been rebooted, Goostree said.
A variety of extensions may appear on the attachment, such as .zip, .doc and .mp3.
According to technicians at antivirus company Symantec, the list of possible attachment file names can include:
"It really hit over our Thanksgiving weekend," said Sharon Ruckman, senior director of Symantec's security response team. "We saw instances of this in Europe on Saturday."
Ruckman said that because of the high number of submissions on Monday, Symantec has increased its threat-ranking of the worm from 3 to 4, out of a possible 5.
"People need to make sure the security patches on their computer are updated and they have the latest antivirus software," said Ruckman.