Date: April 2001
Origin: Poland (?)
Programming Language: C++
Platform: Microsoft Windows 32-bit
File Type: .EXE, .PIF, .SCR

Badtrans is an email worm from 2001. Like the Nimda worm, Badtrans uses an exploit in Microsoft's Outlook email program that lets it launch itself from the preview pane.

Badtrans likely gets its name from the message "File data corrupt: probably due to a bad data transmission or bad disk access."

The FBI demanded access to the database containing the passwords and private communications that Badtrans collected, seeking access to the 22 email addresses the worm sent keylogged data to. This worried some civil libertarians, who noted that the FBI could not have obtained most, if any, of the information by legal means. In addition, only four days before the outbreak of Badtrans, the FBI had revealed that it was developing its own keystroke logger, Magic Lantern. At least one email service, MonkeyBrains.net, did not comply completely, instead placing a database publicly on the internet (with some of the more vital information, such as passwords, removed).

In two incidents a little more than two months apart, BTopenworld became infected with the worm and spread it to customers. The company quickly responded to the situation, giving explanations and apologies, with a cleanup coming shortly thereafter.

Astrologer Anne Massey believes the worm's name is of some cosmic significance.

Badtrans was the fastest spreading worm seen at the time of its appearance.


Badtrans arrives in an email with many possible spoofed sender lines. The sender line may be one collected from SMTP information on the computer it came from or from 15 possible sender lines contained inside the worm. It can launch itself from the preview pane in Microsoft Outlook, but must be downloaded and executed for other email clients. The attachment is 29,020 bytes long.

When Badtrans is executed, it copies itself to the Windows system folder as Kernel32.exe and (in Windows 95, 98 and ME) registers itself as a service process. It also drops a key log file, Cp_25389.nls, and the key logger, Kdll.dll, in the system folder. The worm displays a dialog box titled "WinZip Self-eXtractor", which reads, "File data corrupt: probably due to a bad data transmission or bad disk access."

The worm checks for an open window whose title begins with one of the following sets of letters: LOG, PAS, REM, CON, TER, NET (obviously to check for the words LOGon, PASsword, REMote, CONnection, TERminal and NETwork; it also looks for Russian versions of these words). If one of these is found, keylogging is enabled for 60 seconds. After Badtrans pilfers keystrokes, the data is sent back to one of 22 email addresses (this is according to the FBI; leading anti-virus vendors have only reported seventeen email addresses):

  • ZVDOHYIK@yahoo.com
  • udtzqccc@yahoo.com
  • DTCELACB@yahoo.com
  • I1MCH2TH@yahoo.com
  • WPADJQ12@yahoo.com
  • smr@eurosport.com
  • bgnd2@canada.com
  • muwripa@fairesuivre.com
  • eccles@ballsy.net
  • S_Mentis@mail-x-change.com
  • YJPFJTGZ@excite.com
  • JGQZCD@excite.com
  • XHZJ3@excite.com
  • OZUNYLRL@excite.com
  • tsnlqd@excite.com
  • cxkawog@krovatka.net
  • ssdn@myrealbox.com
  • suck_my_prick@ijustgotfired.com (this is one of the email addresses not reported by antivirus companies)

After 20 seconds, the worm shuts down if the appropriate control bit is set.

If RAS (Remote Access Service) support is present on the computer, then the worm waits for an active RAS connection. When a RAS connection is made, there is a 33% chance that the worm searches for email addresses in *.ht* and *.asp files in the Personal and Internet Explorer Cache directories. If it finds addresses in these files, then it sends mail to those addresses using the victim's SMTP server. If this server is unavailable, the worm will choose from a list of its own.

If the worm finds SMTP information on the infected computer, it will generate a sender line in the email it sends to the next victim. Otherwise, the "From:" line will be one of these:

  • "Mary L. Adams" <mary@c-com.net>
  • "Monika Prado" <monika@telia.com>
  • "Support" <support@cyberramp.net>
  • " Admin" <admin@gte.net>
  • " Administrator" <administrator@border.net>
  • "JESSICA BENAVIDES" <jessica@aol.com>
  • "Joanna" <joanna@mail.utexas.edu>
  • "Mon S" <spiderroll@hotmail.com>
  • "Linda" <lgonzal@hotmail.com>
  • " Andy" <andy@hweb-media.com>
  • "Kelly Andersen" <Gravity49@aol.com>
  • "Tina" <tina0828@yahoo.com>
  • "Rita Tulliani" <powerpuff@videotron.ca>
  • " Anna" <aizzo@home.com>

The attachment name in the sent email will be one of these chosen randomly by the worm:

  • Pics
  • images
  • New_Napster_Site
  • news_doc
  • YOU_are_FAT!
  • stuff
  • Card
  • Me_nude
  • Sorry_about_yesterday
  • info
  • docs
  • Humor
  • fun

The worm will use MAPI to find unread email and reply to it. The subject line of these emails will be "Re:" and the attachment will be one of these:

  • PICS
  • New_Napster_Site
  • CARD
  • Sorry_about_yesterday
  • DOCS
  • FUN

The worm also appends two extensions to each attachment. The first of these will be .doc, .mp3 or .zip. The second will be .pif or .scr.

The worm writes email addresses to the Protocol.dll file in the system folder to prevent multiple emails to the same person. Additionally, the underscore ( _ ) character is prepended to the sender's email address, which prevents replying to infected mails to warn the sender. Badtrans can overload computers because it does not check for copies of itself on the newly-infected computer. Because the worm sends itself as a reply to unanswered emails, it is also possible for two copies of the worm to be on two computers and perpetually send copies back and forth between the two.
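
A defensive mail-filter check built from the traits this page lists: the double extension, the listed attachment names, the 29,020-byte size, the underscore-prefixed sender and the bare "Re:" subject. It is an added example, not code from the wiki or from any anti-virus vendor; the function names, trait labels and example.org addresses are constructed, and it assumes the underscore appears in the From header.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment base names listed on this page; compared case-insensitively because
# the reply variant uses upper-case forms such as PICS and CARD.
BASE_NAMES = {n.lower() for n in (
    "Pics", "images", "New_Napster_Site", "news_doc", "YOU_are_FAT!", "stuff",
    "Card", "Me_nude", "Sorry_about_yesterday", "info", "docs", "Humor", "fun")}
# Decoy extension (.doc/.mp3/.zip) followed by an executable one (.pif/.scr).
DOUBLE_EXT = re.compile(r"^(.+)\.(doc|mp3|zip)\.(pif|scr)$", re.IGNORECASE)
WORM_SIZE = 29020  # attachment size in bytes, as given on this page

def badtrans_traits(raw: bytes) -> list[str]:
    """Return the sorted Badtrans traits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    traits = set()
    for part in msg.walk():  # walk() also reaches inline parts, not only attachments
        match = DOUBLE_EXT.match((part.get_filename() or "").strip())
        if not match:
            continue
        traits.add("double-extension")
        if match.group(1).lower() in BASE_NAMES:
            traits.add("listed-name")
        if len(part.get_payload(decode=True) or b"") == WORM_SIZE:
            traits.add("size-29020")
    # Assumption: the prepended underscore shows up in the From header address.
    if parseaddr(str(msg.get("From", "")))[1].startswith("_"):
        traits.add("underscore-sender")
    if str(msg.get("Subject", "")).strip().lower() == "re:":
        traits.add("bare-re-subject")
    return sorted(traits)

def sample(sender: str, subject: str, filename: str, size: int) -> bytes:
    """Build a constructed test message carrying `size` zero bytes (no worm code)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg.set_content("Take a look at the attachment.")
    msg.add_attachment(b"\0" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(badtrans_traits(sample('"Linda" <_sender@example.org>', "Re:",
                                 "CARD.doc.pif", WORM_SIZE)))
    print(badtrans_traits(sample("alice@example.org", "Re: budget",
                                 "report.doc", 1024)))
```

The double extension alone is the strongest single trait for a gateway rule, since it matches regardless of which base name or sender line the worm picked.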

After sending the mail, the worm adds the value "Kernel32 = kernel32.exe" to the local machine registry key which ensures the worm will run once the next time Windows is restarted.


  • ALWIL (Avast!): Win32:Badtrans
  • Avira: Worm/BadTrans.1
  • CA: Win32.Badtrans.29020
  • ClamAV: Worm.BadTrans.1
  • Doctor Web: Win32.HLLW.Badtrans
  • Eset: Win32/Badtrans.13312
  • FRISK (F-Prot): W32/Badtrans.A
  • F-Secure: W32/Badtrans.B@mm
  • Grisoft: I-Worm/BadTrans
  • Kaspersky Lab: I-Worm.BadtransII, Email-Worm.Win32.Badtrans.a
  • McAfee: W32/BadTrans@MM
  • Norman: Badtrans.B@mm
  • Panda: W32/Badtrans.B
  • RAV: Win32/Badtrans.A@mm
  • SOFTWIN (BitDefender): I-Worm.Badtrans
  • Sophos: W32/Badtrans-B
  • Symantec (Norton): W32.Badtrans.gen@mm
  • Trend Micro: WORM_BADTRANS.B
  • Vexira: Badtrans.B