Britain invaded by worm
The "B" variant of the W32/Badtrans@MM virus has been attacking home and corporate PCs that have Microsoft Outlook installed. It was initially categorized as a medium risk, but is expected to reach high-risk levels by the end of Monday.
"All affected domains that we have detected have been home user ISPs (Internet Service Providers)--it looks like the worm is gestating in the fertile ground of the home user base, but corporate users will be coming into work today and setting it off on business networks," said Mark Sunner, chief technology officer at antivirus company MessageLabs.
Since early Monday morning, MessageLabs has been detecting 100 instances of the worm passing through its servers each minute. On an average day, 10,000 viruses will be intercepted by MessageLabs at an Internet level, but Sunner expects more than 30,000 reports today, with 10,000 attributable to W32/Badtrans-B.
The "B" variant, which is thought to have originated from Britain, combines a mass-mailing mechanism with a Remote-Access Trojan (RAT). RATs allow remote control over a machine, with the user having no idea that they have been infected. In this case, the RAT is dropped into the Windows directory, where it attempts to e-mail the victim's IP address to the virus' author, allowing the author to access the PC and steal passwords and other sensitive information. The trojan also contains a keylogger program that makes a record of the keystrokes, potentially capturing other vital information such as credit card and bank account numbers.
The worm arrives as a 13,312-byte e-mail attachment with a bogus extension. It spreads through Microsoft Outlook by replying to any unread e-mails in an infected user's inbox.
"Because it isn't using a security exploit but rather Microsoft Outlook to spread, people are just as vulnerable to infection as they were with Melissa and Loveletter, if they have no protection in place," said David Emm, product and marketing manager for antivirus company McAfee AVERT.
The original Badtrans worm was detected on 11 April by McAfee AVERT. Users of computers with Microsoft Outlook installed can protect themselves against the new variant by running a standard antivirus update.