Access Services Software Help Center Policies Jobs
rss XML news file



BOL Webmail

© Bruin OnLine

12/03/2001: Badtrans Virus Warning

Many UCLA Bruin OnLine account holders have been receiving e-mails with the Badtrans virus. W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed.

This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. When run, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.

The text of infected incoming messages may look similar to the following:

  --====_ABC1234567890DEF_====
  Content-Type: multipart/alternative;
           boundary="====_ABC0987654321DEF_===="

  --====_ABC0987654321DEF_====
  Content-Type: text/html;
           charset="iso-8859-1"
  Content-Transfer-Encoding: quoted-printable


  <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
  <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
  </iframe></BODY></HTML>
  --====_ABC0987654321DEF_====--

  --====_ABC1234567890DEF_====
  Content-Type: audio/x-wav;
           name="filename.ext.ext"
  Content-Transfer-Encoding: base64
  Content-ID:

If you have received the above and have opened the attachment on a Windows computer without first having updated your DAT files, then your computer has been infected.

Bruin OnLine users should have McAfee VirusScan 4.5.1 installed on their computers and will need to update their DAT files to version at least 4168 (virus definition files). If you do not have McAfee ViruScan installed on your computer, please visit the Bruin OnLine Windows Software download page at:

http://www.bol.ucla.edu/software/win/

To update your virus definition files for McAfee VirusScan 4.5.1, double-click on the magnifying-glass icon in your taskbar. Right-click on AutoUpdate, and select Start.

Please note that you must be connected to the Internet in order for the AutoUpdate function to work properly.

Please visit the following URL for more information on the W32/Badtrans@MM virus:

http://www.mcafee.com/anti-virus/viruses/badtrans/default.asp?cid=2607

If you have any questions, please call the BOL Help Desk at (310) 825-7452, Option 1.