E-mail Worm Wreaks Havoc Over Holiday Weekend

A fast-spreading e-mail worm infected thousands of home users over the long holiday weekend and began spreading in enterprises as well on Monday.

Known as Badtrans.B, the virus infects PCs through several methods, but the most troubling aspect of the new worm is its ability to install a keystroke logger and a backdoor Trojan.

Badtrans.B, which is a variant of the original Badtrans virus, arrives in the users inbox as an executable attachment with one of numerous names. The worm will execute if the infected message is viewed in the Outlook preview pane.

Once its resident on a PC, the worm replies to any unanswered messages in the users inbox and tries to send the IP address of the machine to an anonymous e-mail account.

The virus is not destructive, but it follows an all-too-familiar infection pattern that anti-virus companies say should be obsolete by now.

“Why make it easy for the virus writers? If companies had blocked files with double extensions from entering their organization after the Love Bug in May 2000, they would not have been affected by BadTrans, Sircam, Anna Kournikova, Apology and countless other email-aware worms,” said Graham Cluley, senior technology consultant for Sophos Inc., an anti-virus firm based in Abingdon, England. “Furthermore, one of the ways this worm attacks is by exploiting a security hole in Microsoft Outlook. Its baffling to find that even though Microsoft secured that hole eight months ago, many users have still not applied the patch.”

Badtrans.B began spreading in Europe on Friday and hit home users in the U.S. over the weekend, anti-virus companies say. When corporate users returned to work Monday morning and opened their email, the worm picked up momentum.

By late Monday afternoon Message Labs Inc., which tracks virus outbreaks, had stopped more than 9,300 copies of Badtrans.B.