W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed.
The format of the MIME headers in an email containing W32/BadTrans attempts to exploit a vulnerability in Internet Explorer where certain MIME types can cause arbitrary code to be executed. For more information, including patch information, see
On systems that are patched for this vulnerability, the user may
receive a confirmation message asking whether or not to execute the
attachment. Running the attachment on these systems will
The filename in the email attachment of a W32/BadTrans infected email varies from message to message but always has two file extensions. By default, Windows may hide the true file extension from the user, as discussed in
When the malicious program is executed, a copy is written as "Kernel32.exe" in the Windows directory.
C:\WINDOWS\Kernel32.exe MD5 checksum = 0bf5eaeed25da53f85086767bcd86e5e Filesize = 29020 bytes
Kernel32.exe is executed and the originally executed file attachment is deleted from the system. Kernel32.exe may run as a system service on some versions of Windows, causing it to not be visible in the default system task list provided by Microsoft.
Kernel32.exe writes two additional files to disk in the Windows system directory.
C:\WINDOWS\SYSTEM\kdll.dll MD5 checksum = c7ceb9fb63edc7fb7c7767f899ff5491 Filesize = 5632 bytes C:\WINDOWS\SYSTEM\cp_25389.nls MD5 checksum = varies Filesize = varies
Reports indicate the "kdll.dll" file contains routines to record a user's keystrokes on the infected computer. The "cp_25389.nls" file contains logged keystrokes in encrypted form. Some reports indicate the contents of the log file are sent via email to a particular destination potentially causing sensitive information to be exposed.
Kernel32.exe sets a registry key to insure it is restarted when the computer restarts.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32 = "kernel32.exe"
While running, Kernel32.exe checks this registry value approximately every 10 seconds to insure that it is set.
Reports indicate that W32/BadTrans sends copies of itself via email to addresses found in unanswered email or in files found on the computer system. Email messages generated and sent by W32/BadTrans have some identifiable characteristics.
Mime-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
--====_ABC1234567890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" --====_ABC0987654321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff> <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> </iframe></BODY></HTML> --====_ABC0987654321DEF_====-- --====_ABC1234567890DEF_==== Content-Type: audio/x-wav; name="filename.ext.ext" Content-Transfer-Encoding: base64 Content-ID:
Some reports in public forums indicate that a backdoor is installed by W32/BadTrans, however the CERT/CC has been unable to confirm these reports in our own analysis.
During propagation, sites may experience residual denial-of-service conditions on hosts or email systems through which the worm is sent.
If you are running a vulnerable version of Internet Explorer (IE),
the CERT/CC recommends upgrading to at least version 5.0 since older
versions are no longer officially maintained by Microsoft. Users of
IE 5.0 and above are encouraged to apply patch for the "Automatic
Execution of Embedded MIME Types" vulnerability available from
Note: IE 5.5 SP1 users should apply the patches discussed in MS01-027
It is important for users to update their anti-virus software. Most antivirus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific antivirus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
The W32/BadTrans worm may arrive as an email attachment with a filename such as "file.ext1.ext2". Users should not open attachments of this nature. If an attachment of this type absolutely needs to be opened, the CERT/CC recommends exercising care to handle it in a way that allows it to be scanned for malicious code prior to execution.
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to email@example.com with the following text included in the subject line: "[CERT#26210]".
In addition to these specific vendors, you may wish to visit the CERT/CC's computer virus resources page located at