



'Badtrans' worm still spawns at slower pace



By Daniel Sieberg
CNN Sci-Tech

(CNN) -- A devious Internet worm that can infect a person's computer without being clicked on continued to spread throughout the globe Tuesday, though antivirus companies expect its rate of propagation to slow by the end of the week.

While most major corporations have successfully blocked the worm at Internet gateways, officials from antivirus companies estimate that "tens of thousands" of computers have been infected by "Badtrans.b" during the past several days, many of them personal and home-business PCs.

"It's still spreading at a fairly high rate, though it should start slowing by the end of the week as more users update their antivirus software," said Vincent Weafer, senior director of Symantec's security response team.

"Badtrans.b," which began spreading throughout the United States and Europe over the Thanksgiving weekend, sends itself out through Microsoft's Outlook and Outlook Express e-mail programs.

Antivirus firm MessageLabs said it has stopped thousands of copies of Badtrans from more than 90 countries, noting that the worm has also bumped the "Sircam" virus from the No. 1 spot of the company's top 10 viruses list. Sircam had held that position for four months.

McAfee also continued to rank Badtrans as a "high" threat.

Most Internet worms and viruses need a recipient to click on an attachment in order for them to execute. Badtrans is capable of spawning itself even if a user reads e-mail in the preview mode of Outlook.

The worm then begins to scatter files throughout the infected computer and installs a back-door program, capable of giving hackers access to the computer. It also contains a keylogger program capable of recording all of the user's keystrokes -- a tactic typically used to gather personal information such as credit card numbers or passwords.

Several antivirus companies say that a Hotmail e-mail account embedded in the code was established to receive this information, but at this point it appears to be shut down. Other e-mail addresses may still be active, they added.

Shape-shifter

The social engineering of Badtrans is equally nefarious: It arrives in the recipient's inbox with a "Re:" subject line that appears to be a response to an e-mail actually sent by the user.

It then sends itself out as a reply to all unread messages in a person's inbox. This e-mailing process will not begin until the computer has been rebooted.

The attachment's characteristics are dynamic and can have several extensions, such as .zip, .mp3 or .doc, and several different names including: Humor, docs, Me_nude, images, info, Card and smPics. This shape-shifting technique makes it difficult for people to recognize the e-mail as a worm since it can appear to be legitimate.

Badtrans does not appear to delete data or cause any other damage.

Badtrans.b is a variant of Badtrans.a, which appeared in April. It has many of the same characteristics, but is reportedly in a more compressed format, thus evading some antivirus detection.

If users think their computer has been infected, they need to scan for the worm and update their antivirus software, Symantec's Weafer said. He recommended that the process be done offline to stop the worm from continuing to spread during the disinfection. Microsoft is also offering a patch on its site.



 
 
 
 

