Home & Office

British trojan launches weekend attack

A new version of a mass-mailing worm is using Outlook to spread rapidly; it drops Trojans onto infected PCs that can be used to steal passwords and bank account details
Written by Wendy McAuliffe, Contributor

A new variant of a mass-mailing Internet worm has been spreading rapidly over the weekend and is reported to be reaching the epidemic levels of SirCam, according to British antivirus companies.

The "B" variant of the W32/Badtrans@MM virus has been attacking home and corporate PCs installed with Microsoft Outlook. It has initially been categorised as a medium risk, but is expected to reach high-risk levels by the end of Monday.

"All affected domains that we have detected have been home user ISPs (Internet Service Providers) -- it looks like the worm is gestating in the fertile ground of the home user base, but corporate users will be coming into work today and setting it off on business networks," said Mark Sunner, chief technology officer at antivirus company MessageLabs.

Since 10 am on Monday morning, MessageLabs has been detecting 100 instances of the worm passing through its servers each minute. On an average day, 10,000 viruses will be intercepted by Messagelabs at an Internet level, but Sunner expects more than 30,000 reports today, with 10,000 attributable to W32/Badtrans-B.

The "B" variant, which is though to have originated from Britain, combines a mass-mailing mechanism with a Remote-Access Trojan (RAT). RATs allow remote control over a machine, with the user having no idea that they have been infected. In this case, the RAT is dropped into the Windows directory, which attempts to email the victim's IP address to the virus' author and allows to author to access the PC and steal passwords and other sensitive information. The trojan also contains a keylogger program makes a record of the keystrokes, potentially capturing other vital information such as credit card and bank account numbers.

The worm arrives as an email attachment with a bogus extension that is 13,312 bytes in length. It spreads through Microsoft Outlook by replying to any unread emails in an infected user's inbox.

"Because it isn't using a security exploit but rather Microsoft Outlook to spread, people are just as vulnerable to infection as they were with Melissa and Loveletter, if they have no protection in place," said David Emm, product and marketing manager for antivirus company McAfee AVERT.

The original Badtrans worm was detected on 11 April by McAfee AVERT. Computers installed with Microsoft Outlook can protect themselves against the new variant by running a standard antivirus update.

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards