Badtrans.B Worm Spreading Fast

A fast-spreading e-mail worm infected thousands of home users over the Thanksgiving holiday weekend and began spreading in enterprises as well early last week.

Known as Badtrans.B, the virus infects PCs through several methods, but the most troubling aspect of the new worm is its ability to install a keystroke logger and a backdoor Trojan.

Badtrans.B, a variant of the original Badtrans virus, arrives in the users in-box as an executable attachment with one of numerous names. The worm will execute if the infected message is viewed in the preview pane of older or unpatched versions of Outlook.

Once its resident on a PC, the worm replies to any unanswered messages in the users in-box and tries to send the IP address of the machine to an anonymous e-mail account.

The virus is not destructive, but it follows an all-too-familiar infection pattern that anti-virus companies say should be obsolete by now.

“Why make it easy for the virus writers? If companies had blocked files with double extensions from entering their organizations after the Love Bug in May last year, they would not have been affected by Badtrans, Sircam, Anna Kournikova, Apology and countless other e-mail-aware worms,” said Graham Cluley, senior technology consultant for Sophos plc., an anti-virus company based in Abingdon, England. “Furthermore, one of the ways this worm attacks is by exploiting a security hole in Microsoft Outlook. Its baffling to find that even though Microsoft secured that hole eight months ago, many users have still not applied the patch.”

Badtrans.B began spreading in Europe on Friday, Nov. 23, and hit home users in the United States over that weekend, anti-virus companies said. When corporate users returned to work the following Monday and opened their e-mail, the worm picked up momentum. By early last week, MessageLabs, of Gloucester, England, which tracks virus outbreaks, had stopped more than 9,300 copies of Badtrans.B.