Description:
I-Worm.Badtrans.B is a new variant of the Internet worm I-Worm.Badtrans.A, a virus that spread via e-mail (a copy of the worm was sent as a reply message to all unread e-mails in the user's Inbox folder).
The worm arrives in the following e-mail format:
Attachment line:
A randomly selected name built from combinations of the following list:
docs, info, Me_nude, Card, Humor, Sorry_about_yesterday, YOU_are_FAT!, stuff, news_doc, README, images, HAMSTER
The first extension selected will be either:
.doc or .zip or .MP3
Second extension selected will be either:
.scr or .pif
These are a couple of examples of possible attachment lines:
Me_nude.zip.scr, README.MP3.pif, stuff.zip.pif
Body: (Blank)
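The attachment naming scheme described above can be checked at a mail gateway or during triage of a mailbox export. The following is an added example, not part of the original description; the function names, verdict labels and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Name stems and extensions exactly as listed in the description above.
STEMS = {"docs", "info", "me_nude", "card", "humor", "sorry_about_yesterday",
         "you_are_fat!", "stuff", "news_doc", "readme", "images", "hamster"}
FIRST_EXT = {"doc", "zip", "mp3"}
SECOND_EXT = {"scr", "pif"}

def classify_attachment(filename):
    """Return 'badtrans-pattern', 'double-extension' or 'no-match'."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) != 3:
        return "no-match"              # fewer than two extensions
    stem, ext1, ext2 = parts
    if ext2 not in SECOND_EXT:
        return "no-match"              # final extension is not .scr/.pif
    if stem in STEMS and ext1 in FIRST_EXT:
        return "badtrans-pattern"      # matches the listed name scheme
    return "double-extension"          # same trick, different name

def scan_message(raw):
    """List (filename, verdict) for every suspicious attachment in a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            verdict = classify_attachment(name)
            if verdict != "no-match":
                findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed test message: blank body, three attachments with dummy bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Re: constructed sample"
    msg.set_content("")
    for name in ("README.MP3.pif", "notes.doc", "holiday.jpg.scr"):
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:18} {name}")
```

The `double-extension` verdict covers names outside the listed stems, since a match on the exact list alone would miss a variant that changes only the word list.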
If executed, the worm copies itself to the Windows %system% directory under the filename «kernel32.exe». So that it runs each time a user restarts their computer, the following registry key is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32 = «kernel32.exe»
Removal:
Step 1.) Run a deep scan of your PC and delete any files identified as being infected with I-Worm.Badtrans.B
Step 2.) Delete the created registry key listed above