"I-Worm.Badtrans" Removal Utility
Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)
A separate page covers BadTrans.B removal.
The fix on this page only works for BadTrans.A.
Instructions For Removing I-Worm.Badtrans
- Developed by Axel Pettinger and Andrew Lee
Please make sure you read these instructions fully before proceeding.
Instructions for Windows 95/98
(untested on ME, but may work)
- Download the file rembadtrans.zip
(zipped archive containing a batch file called rembadtrans.bat)
- Unzip to a local directory
- Run the file "REMBADTRANS.BAT"
- Follow the instructions carefully!
- Reboot your machine when prompted
- You should now change your passwords since they may have been made known to others.
Instructions for Windows NT/2000
For Windows NT and 2000 the procedure is slightly more complicated.
- Download the file rembadtransNT.zip
(zipped archive containing a batch file called rembadtransNT.bat)
- Unzip to a local directory
- Press "CTRL-ALT-DEL" and select "Task Manager"
- Select the "Processes" Tab
- Highlight the Process "INETD.EXE" and click "End Process"
- You will be prompted to continue, say OK to the message.
- If there is a process "KERN32.EXE" running, do the same for that
- Check the list again; neither INETD.EXE nor KERN32.EXE should be listed
- Now run the file "REMBADTRANSNT.BAT"
- Follow the instructions carefully!
- Reboot your machine
- You should now change your passwords since they may have been made known to others.
It would be a good idea to scan your machine regularly with an anti-virus scanner.
Analysis of the W32/Badtrans@MM Internet Worm & Backdoor Trojan.
(Much thanks must go to Axel Pettinger, who was invaluable in providing technical assistance with this analysis)
The Badtrans worm arrives as an attachment in Email.
This is the list of common file names that it is known to use.
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif
The file is always the same size:
File size = 13312 bytes
Checksum = 70447E72
It should be noted that a file arriving in email with one of these names is not
necessarily an indication that it contains the BADTRANS malware,
as Badtrans is known to share file names with other malware,
particularly the W32/MTX@MM virus.
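A mail-gateway triage helper that applies the name and size indicators given above, added here as an example (it is not part of the original page or the removal utility). The double-extension heuristic generalizes the pattern visible in the list (a document-looking extension in front of .pif or .scr) and is an assumption of this example, not something the page states; the sample attachments are constructed.

```python
import os

# Attachment names listed on this page for Badtrans.A, matched case-insensitively.
BADTRANS_NAMES = {
    "card.pif", "docs.scr", "fun.pif", "hamster.zip.scr", "humor.txt.pif",
    "images.pif", "new_napster_site.doc.scr", "news_doc.scr", "me_nude.avi.pif",
    "pics.zip.scr", "readme.txt.pif", "s3msong.mp3.pif", "searchurl.scr",
    "setup.pif", "sorry_about_yesterday.doc.pif", "you_are_fat!.txt.pif",
}
BADTRANS_SIZE = 13312                 # fixed attachment size stated on the page
EXEC_EXTS = {".pif", ".scr"}          # executable types the worm arrives as
DECOY_EXTS = {".txt", ".doc", ".zip", ".avi", ".mp3"}  # assumed decoy extensions


def triage_attachment(name, size):
    """Classify one attachment as 'badtrans', 'suspicious' or 'clean'.

    Returns (verdict, reason). A name match alone is not conclusive because the
    page notes W32/MTX@MM reuses these names, so the 13312-byte size is required
    before calling it Badtrans.
    """
    lower = name.lower()
    root, ext = os.path.splitext(lower)
    if lower in BADTRANS_NAMES:
        if size == BADTRANS_SIZE:
            return "badtrans", "known Badtrans filename and 13312-byte size"
        return "suspicious", "known Badtrans filename but size differs (possibly MTX)"
    if ext in EXEC_EXTS:
        _, inner = os.path.splitext(root)
        if inner in DECOY_EXTS:
            return "suspicious", f"{ext} executable disguised with a {inner} extension"
        return "suspicious", f"executable attachment type {ext}"
    return "clean", "no Badtrans indicators"


def triage_mailbox(attachments):
    """Run triage over (name, size) pairs and return only the non-clean results."""
    hits = []
    for name, size in attachments:
        verdict, reason = triage_attachment(name, size)
        if verdict != "clean":
            hits.append((name, verdict, reason))
    return hits


# Constructed sample input, not real mail data.
SAMPLE_ATTACHMENTS = [
    ("Card.pif", 13312),
    ("Humor.TXT.pif", 9000),
    ("Report.DOC.scr", 4096),
    ("holiday.jpg", 52000),
]

if __name__ == "__main__":
    for hit in triage_mailbox(SAMPLE_ATTACHMENTS):
        print(*hit, sep=" | ")
```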
On execution a message box is displayed (the screenshot is not reproduced here).
This is a fake message intended to allay any user suspicion; the display of this message indicates that the
malware has run and dropped its payloads.
(Note that at least one vendor reports a slightly different error box being displayed; the reason for this is not known.)
There are two payloads, a Backdoor/Keylogger Trojan and a Massmail routine.
Initial execution of the executable attachment drops a Trojan component named HKK32.EXE into the %windir% directory.
(Note that Badtrans will infect Win9x and NT machines).
It creates a copy of itself as a file named INETD.EXE in the %windir% directory,
then it adds itself to the "run=" line of WIN.INI on Windows 9x, or adds a key to the registry on NT/2000.
This ensures that the worm becomes memory resident (and reinfects if
components are missing) with every restart.
These changes are detailed below by OS:
Win9x/Me:
{Win.ini} [windows] run=c:\WINDOWS\INETD.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"kernel32=kern32.exe"
WINNT/2000:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"kernel32=kern32.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\"Run=C:\WINNT\INETD.EXE"
(Note, some sites erroneously state that this second key is in the HKEY_USERS hive on WinNT/2000,
this is not the case)
HKK32.EXE writes a copy of itself called KERN32.EXE to the %SysDir%, executes
it and terminates.
KERN32.EXE writes CP_23421.NLS and the keylogger Trojan DLL "HKSDLL.DLL", both in %SysDir%.
HKK32.EXE is then deleted.
KERN32.EXE checks every 23 seconds for the existence of the key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe"
This means that removal of this registry key is not necessarily an effective method of removing this malware,
and if it has been removed it will be rewritten.
After the next reboot INETD.EXE runs and again creates the HKK32.EXE file,
which replaces the "old" KERN32.EXE with itself, so that the latter
always has a newer time stamp. This also means that the registry
key is rewritten, effectively ensuring that it does not disappear from the
"RunOnce" key.
INETD.EXE is a copy of the full program, so it essentially reinfects in the above manner
every time it is run.
The time stamps of INETD.EXE and HKSDLL.DLL do not change.
INETD.EXE stays active and hidden in memory for 5 minutes, then it uses MAPI to search
for unread emails, it then attempts to email itself by replying to the unread messages
in Microsoft Outlook folders.
The worm will be attached to these messages using one of the listed filenames.
The Trojan will also attempt to mail the victim's IP Address to the malware author.
Once this information is obtained, the author can connect to the infected system via the Internet and retrieve information such as usernames and passwords that have been logged by the keylogger.
Removing the malware fully requires removal of:
C:\%WINDIR%\INETD.EXE, file size = 13,312 bytes, Checksum = 70447E72
C:\%WINDIR%\system32\hksdll.dll, file size = 5,632 bytes, Checksum = FC293F1A
C:\%WINDIR%\system32\KERN32.EXE, file size = 21,882 bytes, Checksum = D56605A3
It is also worth removing the logger file
C:\%WINDIR%\system32\cp_23421.nls
In Windows 9x, the entry
C:\WINDOWS\INETD.EXE
should be removed from the Run= line in the [windows] section of the Win.ini file, leaving:
[windows]
Run=
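An added example (not the page's own utility) of the WIN.INI edit just described, done programmatically so the result can be checked before reboot: it strips INETD.EXE from the run= line of the [windows] section only, leaves every other key and section untouched, and reports what it removed. It assumes run= entries are separated by spaces or commas; the WIN.INI fragment is constructed.

```python
import re

# Matches the worm's loader entry, e.g. c:\WINDOWS\INETD.EXE, ignoring case.
INETD_PATTERN = re.compile(r"(^|[\\/])inetd\.exe$", re.IGNORECASE)


def clean_win_ini(text):
    """Remove INETD.EXE from the run= line of the [windows] section.

    Returns (cleaned_text, removed_entries). Other sections and keys, and the
    original spelling of the run key, are preserved. Entries on the run= line
    are assumed to be separated by spaces or commas.
    """
    out, removed, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            out.append(line)
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
            keep = [e for e in entries if not INETD_PATTERN.search(e)]
            removed.extend(e for e in entries if INETD_PATTERN.search(e))
            out.append(f"{key}={' '.join(keep)}")
            continue
        out.append(line)
    cleaned = "\n".join(out)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


# Constructed WIN.INI fragment modelled on the entry the page describes.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=c:\\WINDOWS\\INETD.EXE\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed:", removed)
    print(cleaned)
```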
In Windows NT / 2000
The "Run" key - value: "C:\WINNT\INETD.EXE" should be removed from
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\"
In Windows NT, you will need to terminate the KERN32.EXE process to be able
to delete it and hksdll.dll.
In Windows 95, you can boot to DOS and remove these files.
For ease of removal you can use the utility (see above) on this Web page.
Be sure to check your machine afterwards to make sure it is fully removed.
End Removal Instructions
© Claymania Creations 2001 - 2008. All rights reserved.
Rev. "B" 07/05/2001