Variant Gives Badtrans Another Run
- By Scott Bekker
- December 03, 2001
A variant on April's Badtrans worm-trojan combination kept IT administrators hopping in the last week of November.
Reports began coming in as early as Saturday, Nov. 24 that a Badtrans.B was in the wild.
Symantec Security Response on Nov. 26 raised its threat assessment on Badtrans.B from Level 3 to Level 4 due to its high distribution in the wild. Symantec, however, noted that Badtrans.B does relatively little damage. Badtrans.B performs a mass mailing and installs a keystroke-logging trojan.
Central Command raised its virus alert status to high Nov. 27.
By the end of the month, Badtrans had accounted for half of Central Command's virus inquiries for all of November.
Microsoft Corp. responded on Nov. 26 by posting information about the worm on its security site, in which it noted that Badtrans.B exploits a vulnerability that Redmond had patched way back in March, before the first Badtrans came out.
"Unfortunately, this is a case of a known vulnerability still being successfully used today," said Steven Sundermeier, product manager at
The worm follows a trend among virus writers in removing as much user intervention as possible, Sundermeier notes. The security hole in Internet Explorer 5.01 SP1 and 5.5 SP1 that Badtrans.B exploits allows for execution of e-mail attachments when an Outlook user simply views or previews a message.
The original Badtrans was one of the more significant security problems of 2001. Sophos Inc. compiled an early list of the 10 most common viruses of 2001 last week, and Badtrans already rated ninth place.
Microsoft rates the vulnerability as a moderate security risk.
The Microsoft patch can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.