
'Badtrans' worm picks up speed

By Daniel Sieberg
CNN Sci-Tech

(CNN) -- An Internet worm that leaves a backdoor for hackers and allows them to record keystrokes spread rapidly Monday, officials of several antivirus companies said.

The worm, called "Badtrans.b," is a variant of an earlier identified worm and sends itself out through versions of Microsoft's Outlook and Outlook Express e-mail programs.

It was reported to have infected thousands of computers in the United States and Europe by late afternoon on Monday and was continuing to propagate. To date, security firm MessageLabs said it has captured more than 13,000 copies of the worm.

"The fact that this worm can log private details through key strokes has huge implications for personal and corporate confidentiality and underlines the recent advances in virus writing techniques," said Andy Faris, president of MessageLabs Americas.

Faris said home users are the most susceptible to Badtrans since most corporations can stop it at the Internet gateway.

What troubles security experts most is that if users are viewing e-mail in the preview pane of Outlook, the worm can be spawned without even clicking on an attachment. Double-clicking on the attachment will also launch it.

"It's certainly not on the scale of 'Love Letter' or even 'Sircam.' But the way it exploded over the last two days, it's certainly in the Top 5 Internet worms for this year," said April Goostree, virus research manager at antivirus firm McAfee.

Once Badtrans is launched, it begins distributing files on the infected user's machine and installs the backdoor program, giving a potential hacker remote access. The damaging payload also drops a "keylogger" program that records everything a person types -- a means to steal credit card information and passwords.

Goostree said the keystroke data was being sent to a Web site that has subsequently been shut down. She said it was unclear how many people may have had access to it, and she was also not aware of any reports of people's information being stolen to date.

Social engineering

The social engineering of Badtrans is equally nefarious: It arrives in the recipient's inbox with a "Re:" subject line that appears to be a response to an e-mail actually sent by the user.

It then sends itself out in reply to all unread messages in a person's inbox. This e-mailing process will not begin until the computer has been rebooted, Goostree said.

A variety of extensions may appear on the attachment, such as .zip, .doc and .mp3.

According to technicians at antivirus company Symantec, the list of possible attachment file names can include:

• Humor
• docs
• s3msong
• Me_nude
• Card
• SearchURL
• YOU_are_FAT!
• news_doc
• images
• smPics

"It really hit over our Thanksgiving weekend," said Sharon Ruckman, senior director of Symantec's security response team. "We saw instances of this in Europe on Saturday."

Ruckman said that because of the high number of submissions on Monday, Symantec has increased its threat-ranking of the worm from 3 to 4, out of a possible 5.

"People need to make sure the security patches on their computer are updated and they have the latest antivirus software," said Ruckman.

