Badtrans-B: a wake-up call for a sensible anti-virus policy, says Sophos

November 26, 2001 Sophos Press Release

Sophos, a world leader in corporate anti-virus protection, has urged companies once again to review whether they are doing enough to stop malicious code from entering their organisations in the wake of the new Badtrans-B worm (aka W32/Badtrans-B).

Sophos has received many reports of Badtrans-B circulating in the wild and is calling for users to implement simple safe computing procedures: keeping their anti-virus software up to date, deploying Microsoft's security patches and blocking, at the email gateway, attachments whose names carry a double extension.

"Why make it easy for the virus writers? If companies had blocked files with double extensions from entering their organisation after the Love Bug in May 2000 they would not have been affected by Badtrans, Sircam, Anna Kournikova, Apology and countless other email-aware worms," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Furthermore, one of the ways this worm attacks is by exploiting a security hole in Microsoft Outlook. It's baffling to find that even though Microsoft secured that hole eight months ago, many users have still not applied the patch."

Badtrans-B is an email-aware worm that uses a known vulnerability in the MIME handling of certain versions of Microsoft Outlook Express 5 to launch the attached file automatically when the message is opened or previewed, without the user double-clicking it; Microsoft published a patch for this flaw in March 2001. The name of the attached file is generated from a random combination of names (producing names like YOU_ARE_FAT!.DOC.pif and ME_NUDE.MP3.scr): the middle part suggests a harmless document or media file, while the real, final extension (.pif or .scr) is one Windows will execute. Such names are easily spotted by their double extension.
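The double-extension check that Sophos recommends, written as a small gateway filter. This is an added example, not code from Sophos or from the press release; the extension lists, the verdict names and the sample message are assumptions constructed here. It generalises the page's rule slightly: a double extension is blocked only when the final extension is one Windows will execute (so a legitimate backup.tar.gz is merely flagged for review rather than dropped), a bare executable attachment is blocked as well, and runs of whitespace used to push the real extension out of view in the mail client are collapsed before the name is examined. The verdict is based solely on the attachment's filename, never on its declared Content-Type, because the Outlook Express exploit the worm uses depends on the Content-Type being misleading.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows will execute when the attachment is opened.
# Assumed list for this example; extend it to match your own gateway policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "reg", "shs",
}


def split_extensions(filename):
    """Return the lower-cased extensions of a filename, in order, without the base name.

    Path components are dropped and whitespace runs are collapsed, so
    'photo.jpg          .scr' is treated like 'photo.jpg .scr'.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = " ".join(base.split()).strip().lower()
    parts = base.split(".")
    return [p.strip() for p in parts[1:] if p.strip()]


def classify_filename(filename):
    """Classify an attachment name as 'allow', 'review', 'block-executable'
    or 'block-double-extension' (verdict names are assumptions of this example)."""
    exts = split_extensions(filename)
    if not exts:
        return "allow"
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        # The disguise the worm relies on: a decoy extension followed by a real one.
        return "block-double-extension" if len(exts) >= 2 else "block-executable"
    if len(exts) >= 2:
        # Double extension, but not executable (e.g. backup.tar.gz): flag, do not drop.
        return "review"
    return "allow"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return (filename, verdict) for each attachment.

    get_filename() reads the Content-Disposition filename and falls back to the
    Content-Type name parameter; the declared media type itself is ignored.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name is None:
            continue
        verdicts.append((name, classify_filename(name)))
    return verdicts


def build_sample_message():
    """Constructed sample: one harmless document and one worm-style attachment
    declared with a non-executable Content-Type. The payload bytes are dummies."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("")
    msg.add_attachment(b"%PDF-1.4 dummy", maintype="application",
                       subtype="octet-stream", filename="agenda.doc")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="ME_NUDE.MP3.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{verdict:24} {name}")
```

A gateway that drops anything with a `block-*` verdict would have stopped the Badtrans-B attachment regardless of its content and regardless of whether the recipient's Outlook Express had been patched; the `review` verdict is where a policy stricter than this example, such as blocking every double extension outright, would go.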

If the attached file is run, whether by the user or automatically through the Outlook Express flaw, the worm copies itself into the Windows system directory and arranges to run again the next time Windows is started. The worm also drops a Trojan horse (Troj/PWS-AV) which can steal passwords and other confidential information from the infected machine.

Sophos Anti-Virus has issued an update which protects against Badtrans-B.

Sophos recommends users of Microsoft products consider subscribing to Microsoft's security bulletin notification mailing list. Details on how to do this are described on Microsoft's website.