Subject: AVX News for 04/12/2001 - Virus Alert - I-Worm.Badtrans
Date: Thursday, April 12, 2001 8:55 PM

AVX.COM Newsletter
Central Command - Without us, there's no defense.

You are receiving this newsletter because you subscribed to the AVX.COM newsletter at http://www.avx.com. This is an open-subscription mailing list. If you do not want to receive this newsletter, please see the bottom of this message for instructions on how to remove your e-mail address from this mailing list.

Virus Protection for the Real World.

If you suspect a virus infection you can download a free, time-limited, fully functional trial version of AVX Professional antivirus software from http://www.avx.com

Visit AVX.COM online: http://www.avx.com

This worm can be detected using AVX Professional. Please update daily!

Manually removing an infection from your computer can put your data at risk of damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data before attempting to remove an infection or repair any damage caused by an infection.

Details:

Name: I-Worm.Badtrans
Alias: W32.Badtrans.13312@mm
Detection added: April 12, 2001
Spread Method: Via E-Mail (a copy of the worm will be sent as a reply message to all unread emails in the user's Inbox folder)

Description:

Worm part: When the attachment is executed, the worm drops the trojan "hkk32.exe" into the Windows folder and executes itself. A copy of the worm is created under the file name inetd.exe in the Windows folder. The following line is added to the [windows] section of "win.ini":

run=c:\windows\inetd.exe

This line runs the worm every time Windows loads.
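The persistence entry described above can be checked for by parsing win.ini. The following is an added example, not part of the original newsletter or of AVX: it reads the [windows] section and flags autostart entries whose file name matches the two names given in this advisory. Checking load= as well as run= goes beyond the advisory (load= is the other autostart key in that section), and the sample win.ini contents are constructed.

```python
import ntpath
import re

# Indicators taken from the advisory text: files dropped into the Windows folder.
BADTRANS_FILES = {"inetd.exe", "hkk32.exe"}
AUTOSTART_KEYS = {"run", "load"}  # load= is an addition; the advisory names run=

def autostart_entries(win_ini_text):
    """Return (key, program) pairs from the [windows] section of win.ini text."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTOSTART_KEYS:
            # run=/load= may list several programs separated by spaces or commas
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key, prog))
    return entries

def badtrans_hits(win_ini_text):
    """Return autostart entries whose file name matches an advisory indicator."""
    return [(k, p) for k, p in autostart_entries(win_ini_text)
            if ntpath.basename(p).lower() in BADTRANS_FILES]

# Constructed sample win.ini contents (not captured from a real machine).
SAMPLE_INFECTED = """\
; constructed sample
[windows]
load=
run=c:\\windows\\inetd.exe

[Desktop]
run=ignored-outside-windows-section
"""
SAMPLE_CLEAN = "[windows]\nload=C:\\TOOLS\\clock.exe\nrun=\n"

if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, badtrans_hits(text))
```

A hit only shows that the autostart line is present; the dropped files in the Windows folder still have to be dealt with by the scanner.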
After it finishes running its routine, the worm will display the following error box:

The worm will arrive with one of the following filenames:

New_Napster_Site.DOC.scr
Pics.ZIP.scr
images.pif
README.TXT.pif
news_doc.scr
searchURL.scr
SETUP.pif
Card.pif
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
Humor.TXT.pif
fun.pif
docs.scr

Central Command, Inc. respects your online privacy. You can easily remove your e-mail address from the AVX-News mailing list at any time by sending an e-mail message to avx-news-request@avx-listserver.com with the following in the body of the message, replacing "e-mail@domain.com" with your e-mail address:

unsubscribe avx-news e-mail@domain.com

You will receive a confirmation message about your successful removal from AVX-News.

IF YOU ARE NOT ABLE TO REMOVE YOUR E-MAIL ADDRESS USING THE ABOVE METHOD, PLEASE SEND AN E-MAIL MESSAGE TO REMOVE@AVX.COM AND REQUEST TO BE REMOVED MANUALLY.

Central Command, PerfectSupport, EVRT, Emergency Virus Response Team, "Virus Protection for the Real World" and "Without us, there's no defense." are trademarks of Central Command Inc. AVX and AntiVirus eXpert are trademarks of Softwin SRL, Romania. All other trademarks, trade names and product names are property of their respective owners.

Copyright (C) 2000 Central Command Inc. All rights reserved.