Relaxed holiday attitudes help BadTrans worm

Update: BadTrans.B continues to spread, as users mistake it for a Christmas letter
Written by Robert Lemos, Contributor

A new computer worm that installs hacking software on infected computers hit home email users and businesses this week.

Known as BadTrans.B, the worm is spreading mainly due to people's relaxed approach to security during the holiday season, said April Goostree, virus research manager for computer security company McAfee.com. "The fact that it comes around this time makes more end-users vulnerable, because they are expecting holiday emails," she said.

Reports of the worm, a variant of the original BadTrans virus that started spreading last April, started coming in Friday night. By Saturday, Goostree said, McAfee.com had intercepted several hundred copies of the worm. On Sunday, reports of worm infections were coming in at a rate of three to five every minute.

Data provided online by email screening service UK-based MessageLabs showed the BadTrans virus accelerating quickly, with more than 700 infected email messages intercepted on Saturday and several thousand stopped on Sunday.

The numbers knocked SirCam from the No 1 slot in MessageLabs' daily rankings of the Top 10 bugs, a spot the persistent email worm has held for more than four months.

In Asia Pacific, BadTrans is proving to be less potent than last week's resurgence of Aliz (W32.Aliz.Worm), a small, 4Kb worm that can become active just by previewing the infected e-mail in Microsoft Outlook.

"Badtrans is predominantly in the US and UK, and Aliz is predominantly in Japan," observed Symantec senior South East Asia director Ross Wilson. However, he noted that there have been more submissions about BadTrans in Asia Pacific than for Aliz. Both worms have been upgraded to Level 4 (severe).

According to Wilson, there are no unique characteristics in the way these worm are spreading. "It is the speed at which the worms are spreading which is alarming. Asians are only now realising that they need to update their (virus) definitions weekly, and this may be the reason why the Aliz worm is more widespread in Asia," he explained.

Unlike the Nimda or Code Red, however, BadTrans and Aliz are easily fixed using most vendors' antivirus software. "As such, I would expect the incidence to start dropping off in the next two to three days once users update their virus definitions," said Wilson.

The worm doesn't play on the holidays, however. Aside from a handful of general names for the email attachment that spreads the worm--such as "card" and "pics"--the worm makes no overt connection to either Thanksgiving or Christmas.

While Badtrans.B is not destructive, it does install a keylogger, a program that records what a person using the infected PC types and then sends the information to the virus writer's e-mail address. The key-logging program, known as Backdoor-NK.server, focuses specifically on four software functions that are used by programs to allow a person to enter a password, so it mainly records account information entered.

The FBI is reportedly using just such a program to collect the digital keys to suspected criminals' accounts.

A PC user will first encounter the worm as an email message--possibly from someone he or she knows--with an executable attachment. The worm propagates by sending itself as a reply to any unread messages in the person's Outlook mailbox. It also sends itself to email addresses culled from images of Web pages contained in the "My Documents" folder and the browser's cache.

The virus uses a vulnerability in Microsoft's Internet Explorer 5.01 and 5.5 to automatically execute itself on PCs that don't have a patched Web browser. Opening the email in a separate window or Outlook's preview pane will cause the worm to execute on unpatched machines.

The vulnerability had also been used by the Nimda worm as one of its four ways of spreading.

"That's the vulnerability du jour," said Roger Thompson, lead antivirus researcher for security firm TruSecure.

On PCs with patched Web browsers, a dialog box will open, asking the person what to do.

While many home consumers got hit with the worm over the weekend, Thompson fears that corporations will start feeling the sting Monday.

"My main worry was that it was going so strongly over the weekend; what's going to happen when people come to work?" he said. "I don't think as many corporations are getting are patched as we might have expected."

"It looks like the worm is gestating in the fertile ground of the home-user base. But corporate users will be coming into work (Monday) and setting it off on business networks," added Mark Sunner, chief technology officer at MessageLabs.

Staff writers Michelle Tan and Wendy McAuliffe reported from Singapore and London.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

For everything Internet-related, from the latest legal and policy-related news, to domain name updates, see ZDNet UK's Internet News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards