Name:  W32.Badtrans.13312@mm
Aliases:  I-Worm.Badtrans,Backdoor-NK.svr,W32/Badtrans@MM,Badtrans
Variants:  
Type:  Worm
Platforms: Win32 OSes with MAPI mail clients
Status:  in the wild
Threat:  low (V-CON 2)
The following has been derived from information provided by AVP, NAI and Symantec.
Virus Characteristics
W32.Badtrans.13312@mm is a MAPI worm that replies to all unread mail in the message folders and drops a backdoor trojan called HKK32.EXE into the Windows directory. When executed, the worm displays a message box titled "Install error" that reads "File data corrupt: probably due to a bad data transmission or bad disk access." It then copies itself into the Windows directory as INETD.EXE and adds a RUN= line to WIN.INI so that it is started again at the next boot.
The next time the machine is rebooted, the worm will wait for 5 minutes, then it will use MAPI to find all unread mail messages. It will reply to all of these and attach itself to the message as one of the following file names:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
When executed, the trojan attempts to mail the victim's IP address to the author. Once the author has that address, the backdoor can be used to steal username and password information from the infected system.
Payload
It replies to all unread messages in the message folders within the default MAPI client program and drops a backdoor trojan.
Preventative Measures
Block all .PIF and .SCR attachments at the mail server or gateway where possible. Note that the worm's attachment names use double extensions (for example Pics.ZIP.scr or README.TXT.pif), so the filter must match on the final extension, not on the first one that appears in the name, and must compare case-insensitively.
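As an added example, not part of the original advisory or any vendor's code, the following Python implements the gateway check on the attachment names listed above. It assumes a gateway that can hand the raw RFC 822 message to a filter; the sample message is constructed here, not captured from an infected host.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the advisory recommends blocking at the gateway.
BLOCKED_EXTENSIONS = {".pif", ".scr"}

# Attachment names listed in the advisory. Note the double extensions:
# Windows acts on the final one, so "Pics.ZIP.scr" is a screensaver
# executable however much it looks like an archive.
BADTRANS_NAMES = [
    "Pics.ZIP.scr", "images.pif", "README.TXT.pif",
    "New_Napster_Site.DOC.scr", "news_doc.scr", "hamster.ZIP.scr",
    "YOU_are_FAT!.TXT.pif", "searchURL.scr", "SETUP.pif", "Card.pif",
    "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif", "s3msong.MP3.pif",
    "docs.scr", "Humor.TXT.pif", "fun.pif",
]


def is_blocked_name(filename: str) -> bool:
    """True if the final extension is a blocked type (case-insensitive)."""
    if not filename:
        return False
    # splitext strips only the last extension, which is the one Windows
    # uses to pick the handler; trailing spaces are dropped because the
    # shell ignores them as well.
    ext = os.path.splitext(filename.strip())[1].lower()
    return ext in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Names of every attachment in a raw message that the policy blocks."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition first, then the
        # Content-Type name= parameter, so a name placed in either is seen.
        name = part.get_filename()
        if name and is_blocked_name(name):
            hits.append(name)
    return hits


def build_sample_message(attachment_name: str) -> bytes:
    """Constructed sample shaped like the worm's reply; not a real capture.

    The worm replies to unread mail, so sender, recipient and subject all
    look legitimate; only the attachment name gives it away.
    """
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "friend@example.com"
    msg["Subject"] = "Re: lunch on Friday?"
    msg.set_content("See attached.")
    # "MZ" is the DOS executable header; the rest is filler, not worm code.
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in BADTRANS_NAMES:
        print(f"{name:32} blocked={is_blocked_name(name)}")
    print(blocked_attachments(build_sample_message("Pics.ZIP.scr")))
```

Every name in the advisory's list is caught by the final-extension rule, while a plain report.doc passes; a filter that keyed on the first extension in the name would let half the list through.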
Manual Removal
Delete any files detected by your AV scanner as infected (INETD.EXE and HKK32.EXE in the Windows directory), and remove the RUN= line that the worm added to WIN.INI so that it is not loaded again at the next reboot.
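As an added example, not part of the advisory, the following Python performs the two host-side checks above: it finds and strips the INETD.EXE entry from the RUN= line in the [windows] section of WIN.INI (the section name and the default C:\WINDOWS path are assumptions), keeping any other programs that line lists, and reports which of the two files named above are present. The WIN.INI text is a constructed sample.

```python
import os
import re

WINDOWS_DIR = r"C:\WINDOWS"                 # assumed default install path
WORM_FILES = ["INETD.EXE", "HKK32.EXE"]     # worm copy and dropped backdoor
WORM_LOADER = "inetd.exe"                   # what the added run= line starts

# Constructed sample WIN.INI, not taken from an infected machine. The
# worm's entry is the run= line under [windows] (section name assumed).
SAMPLE_WIN_INI = "\r\n".join([
    "[windows]",
    "load=",
    r"run=C:\WINDOWS\INETD.EXE",
    "NullPort=None",
    "",
    "[Desktop]",
    "Wallpaper=(None)",
    "",
])


def _basename(token: str) -> str:
    """Lower-case file name of a run= token, ignoring path and quotes."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_run_entries(win_ini_text: str) -> list[str]:
    """Values of every run= key in the [windows] section."""
    section, values = None, []
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "windows" and "=" in stripped:
            key, _, value = stripped.partition("=")
            if key.strip().lower() == "run":
                values.append(value.strip())
    return values


def clean_win_ini(win_ini_text: str) -> tuple[str, list[str]]:
    """Drop INETD.EXE from [windows] run= while keeping other listed programs.

    Returns the cleaned text and the tokens removed, so the change can be
    reviewed before the file is written back.
    """
    out, removed, section = [], [], None
    for line in win_ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "windows" and "=" in stripped:
            key, _, value = stripped.partition("=")
            if key.strip().lower() == "run":
                # run= may list several programs separated by spaces or commas
                tokens = [t for t in re.split(r"[ ,]+", value.strip()) if t]
                worm = [t for t in tokens if _basename(t) == WORM_LOADER]
                if worm:
                    removed.extend(worm)
                    keep = [t for t in tokens if _basename(t) != WORM_LOADER]
                    eol = line[len(line.rstrip("\r\n")):]   # preserve CRLF/LF
                    line = f"{key.strip()}={' '.join(keep)}{eol}"
        out.append(line)
    return "".join(out), removed


def worm_files_present(windows_dir: str = WINDOWS_DIR) -> list[str]:
    """Paths of the worm's files that exist in the Windows directory."""
    return [p for p in (os.path.join(windows_dir, f) for f in WORM_FILES)
            if os.path.isfile(p)]


if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed from run=:", removed)
    print(cleaned)
    print("files to delete:", worm_files_present())
```

The run= key is kept with an empty value rather than deleted, so other programs a user legitimately listed there keep starting; the removed tokens are returned so the operator can confirm only the worm's loader was touched.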
Fixes Available
AVP: Current Daily update
Network Associates: Minimum Engine: 4.0.70, Minimum DAT: 4134 (to be released 04/18/2001)
Symantec: Current definitions, dated 04/11/2001
Trend: No information available at time of alert.