BadTrans virus fails to spread

A virus that monitors a PC's network connections and sends itself in response to any incoming e-mail has apparently failed to spread, despite, or because of, warnings issued by several major antivirus software makers.

A virus that monitors a PC's network connections and sends itself in response to any incoming e-mail has apparently failed to spread, despite, or because of, warnings issued by several major antivirus software makers.

"We initially gave it a medium rating, but we expect to downgrade that today," Susan Orbuch, spokeswoman for antivirus company Trend Micro, said Friday.

Though several of Trend Micro's customers reported receiving e-mailed copies of the virus, only three companies were actually infected, Orbuch said.

The mass-mailing worm, known as W32/BadTrans, appears attached to an e-mail message either as a screensaver (.scr) or Windows shortcut (.pif) file, with any one of a variety of names, including Card, docs, hamster, humor and 12 others.

If opened, the worm first displays a dialog box titled, "WinZip Self-eXtractor," which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." Then the worm will install a backdoor program, compromising the computer's security, and mail the victim's IP address to the virus writer.

The worm also replies to all incoming e-mail messages, attaching itself to the outgoing message. The new message will have the same subject line and message body as the original e-mail, and the sender will be the victim's username.

While it has some of the makings of a successful mass-mailer, BadTrans has effectively fizzled out, said Vincent Gullotto, director of Network Associates' antivirus emergency response team.

On Thursday the company received only 10 reports of the worm, he said. "There is a possibility that it was a bit more prevalent in the U.K. and Europe," he said. "But we consider it to be a low threat."

Symantec's Web site rated the virus as a 3 out of 5, with less than 50 infections to date.

The failure of the virus to spread may not mean that people are getting smarter in the use of e-mail.

According to Trend Micro's research team, the virus had several technical problems.

"Not every version of the virus is working," said Trend Micro's Orbuch.

In addition, an attempt by the virus writer to make the worm not respond to e-mails from other infected computers was flawed. Two or more infected computers in a company result in a spam war of messages bouncing back and forth, which makes the worm extremely visible, Orbuch said.