Although this is a variant of the original BadTrans virus, existing filters and anti-virus updates will not stop the new version.
This worm arrives as an email with one of several attachment names and a combination of two appended extensions.
If executed, it will mass-mail itself, probably as replies to unread messages in your inbox.
The list of possible file names is:
HUMOR
DOCS
S3MSONG
ME_NUDE
CARD
SEARCHURL
YOU_ARE_FAT!
NEWS_DOC
IMAGES
PICS
The first extension that is appended to the file name is one of the following:
.DOC
.MP3
.ZIP
The second extension that is appended to the file name is one of the following:
.pif
.scr
The resulting file name would look something like this:
CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.
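A mail-gateway check for the naming pattern described above, as an added example that is not part of the original alert. The name and extension lists come from the alert; the function names and the constructed sample message are assumptions, and the check goes beyond the listed names by also flagging any other attachment with a double extension ending in .pif or .scr.

```python
from email import message_from_string
from email.message import EmailMessage

# Lists taken from the alert text; matching is case-insensitive.
NAMES = {"HUMOR", "DOCS", "S3MSONG", "ME_NUDE", "CARD", "SEARCHURL",
         "YOU_ARE_FAT!", "NEWS_DOC", "IMAGES", "PICS"}
FIRST_EXT = {"DOC", "MP3", "ZIP"}
SECOND_EXT = {"PIF", "SCR"}


def classify(filename):
    """Return 'badtrans', 'double-ext' or None for one attachment name."""
    parts = filename.strip().upper().rsplit(".", 2)
    # Need NAME.EXT1.EXT2 with an executable second extension.
    if len(parts) != 3 or parts[2] not in SECOND_EXT:
        return None
    base, first, _ = parts
    if base in NAMES and first in FIRST_EXT:
        return "badtrans"      # exact pattern from the alert
    return "double-ext"        # generic: something.xxx.pif / .scr


def scan_message(raw):
    """Walk every MIME part and report (filename, verdict) for suspicious ones."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        verdict = classify(name) if name else None
        if verdict:
            hits.append((name, verdict))
    return hits


def build_sample():
    """Constructed test message: one matching attachment, one benign."""
    m = EmailMessage()
    m["Subject"] = "Re: constructed sample"
    m.set_content("constructed body text")
    for fname in ("card.doc.pif", "report.doc"):
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_string()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```
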
When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe.
The virus makes use of the MS01-020 exploit, which means that it can execute when the email is read or previewed in Outlook; it is not necessary to double-click any attachment. A patch to fix this exploit is available from Microsoft.