13.312 Bytes Version A, 29.02
Worm/Badtrans makes registry entries and copies itself many times.
The worm opens all read or unread emails in Outlook or Outlook Express and sends them back with the original text and an infected attachment. The email sent can have one of the following attachments:
When the infected file is opened, the worm installs its components on the system. The worm copies itself as INETD.EXE to the Windows directory. The Trojan component is copied to the Windows directory as HKK32.EXE and executed. The Trojan then moves to the Windows System directory under the name KERN32.EXE and installs HKSDLL.DLL in the same directory.
The worm registers in WIN.INI under Windows 9x:
Under Windows NT/2000, it makes the registry entry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN = C:\%WinDIR%\INETD.EXE
The Trojan registers with the registry entry in RunOnce:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32 = kern32.exe
This entry ensures its automatic start.
To hide its activity on the infected system, the worm displays a false window with the message:
"Install error File Data corrupt Probably due to bad data transmission or bad disk access."
The worm does not send itself immediately after infection; it waits for the next Windows start. It registers as a hidden service process and waits 5 minutes before starting its routine.
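A triage check for the file and registry artifacts named in this description, added here as an example and not part of the original Avira entry. It scans a REGEDIT4-style registry export and a file listing collected from a suspect host; the registry keys are written with their standard Windows spelling, and the function names, the directory-name assumption and the sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators from the description: dropped file -> directory it lands in.
DROPPED_FILES = {"inetd.exe": "windows", "hkk32.exe": "windows",
                 "kern32.exe": "system", "hksdll.dll": "system"}
# Autostart values from the description: (key suffix, value name, data fragment).
AUTOSTART = [
    (r"software\microsoft\windows nt\currentversion\windows", "run", "inetd.exe"),
    (r"software\microsoft\windows\currentversion\runonce", "kernel32", "kern32.exe"),
]

def parse_reg_export(text):
    """Yield (key, value name, data) for string values in REGEDIT4 export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]*)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def registry_hits(text):
    """Return exported values that match one of the autostart entries."""
    return [(key, name, data)
            for key, name, data in parse_reg_export(text)
            for suffix, value, fragment in AUTOSTART
            if key.lower().endswith(suffix) and name.lower() == value
            and fragment in data.lower()]

def file_hits(paths):
    """Match name plus parent directory (assumed to be WINDOWS/WINNT or SYSTEM*)."""
    hits = []
    for path in paths:
        parent, name = ntpath.split(path)
        where = ntpath.basename(parent).lower()
        kind = ("system" if where.startswith("system")
                else "windows" if where in ("windows", "winnt") else None)
        if kind and DROPPED_FILES.get(name.lower()) == kind:
            hits.append(path)
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"RUN"="C:\\WINNT\\INETD.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"'''
SAMPLE_FILES = [r"C:\WINNT\INETD.EXE", r"C:\cygwin\usr\sbin\inetd.exe"]
if __name__ == "__main__":
    print(registry_hits(SAMPLE_REG), file_hits(SAMPLE_FILES))
```

Requiring the parent directory to match keeps an unrelated inetd.exe elsewhere on disk from being reported.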
Description inserted by Crony Walker on Tuesday, June 15, 2004