W32.Badtrans.B@mm is the name of this bad boy... for more info go to:
<A target="_blank" HREF=http://www.symantec.com>http://www.symantec.com</A>
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also creates a DLL in \Windows\System directory as Kdll.dll. It uses functions from this DLL to log keystrokes.
This worm arrives as an email with one of several attachment names and a combination of two appended extensions.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.
Prevention methods:
1. Corporate email filtering systems should block all email that have attachments with the extensions .scr and .pif.
2. Users should not open any emails with an attachment that matches the names listed above. Any email that has such an attachment should be deleted.
