¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Alias:W32/BadTrans@MM
Type:Worm 
Size:13.312 Bytes Version A, 29.02 
Origin: 
Date:04-26-2001 
Damage:Worm/Badtrans makes registry entries and copies itself many times. 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Medium 

DistributionThe worm opens all read or unread emails in Outlook or Outlook Express and sends them back with the original text and an infected attachment. The email sent can have one of the following attachments:
images.pif
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
Pics.ZIP.scr
README.TXT.pif
new_Napster_Site.DOC.scr
S3msong.MP3.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Humor.TXT.pif
fun.pif
Sorry_about_yesterday.DOC.pif
docs.scr

Technical DetailsWhen the infected file is opened, the worm installs its components on the system. The worm copies itself as INETD.EXE in Windows directory. The Trojan component is copied in Windows as HKK32.EXE and executed. The Trojan moves to Windows System with the name KERN32.EXE and it installs HKSDLL.DLL in the same directory.
The worm registers in WIN.INI under Windows 9x:
run=C:\%WinDIR%\INETD.EXE

Under Windows NT/2000, it makes the registry entry:
HKCU\Software\Microsoft\Windows NT\Current Version\WindowsRUN = C:\%WinDIR%\INETD.EXE

The Trojan registers with the registry entry in RunOnce:
HKLM\Software\Microsot\Windows\Current Version\RunOnce\kernel32 = kern32.exe
This entry ensures its automatic start.

To hide its activity on the infected system, the worm displays a false window with the message:
"Install error File Data corrupt Probably due to bad data transmission or bad disk access."

The worm does not send itself immediately after infection, but it waits for the next Windows start. It registers as hidden service process and waits for 5 minutes before starting its routine.
Descripción insertada por Crony Walker el martes 15 de junio de 2004

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.