Smart Computing ®

How To Get Rid Of…
Article Last Reviewed February 2005


How To Get Rid Of BadTrans

Description

Reaching full steam in November 2001, BadTrans is a nondestructive yet dangerous worm that propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine and becomes resident in memory upon execution. BadTrans spreads via email by replying to all the unread email messages on your system and including itself as an attachment. It randomly chooses the file name of the email attachment from a built-in list and affects systems running Windows 95/98/NT/Me/2000/XP. BadTrans sends email messages with infected attached files and installs a spying Trojan horse component to steal information from infected systems. The worm was first discovered in the wild on April 12, 2001, and attempts to use known vulnerabilities (since patched) to compromise systems and propagate further.

How To Tell If BadTrans Is Present On Your PC

One of the telltale signs of BadTrans infection actually arrives before you are infected. Subject lines for this virus may contain any of the following words or phrases: "fun," "Humor," "docs," "info," "Sorry_about_yesterday," "Card," "Me_nude," "SETUP," "stuff," "YOU_are_FAT!," "HAMSTER," "news_doc," "New_Napster_Site," "funPICS," "README," "S3MSONG," or just "Pics."

In addition, the extension of the attachment can be a combination of MP3, DOC, or ZIP with SCR or PIF, or just SCR or PIF, or even double extensions such as DOC.PIF, MP3.PIF, ZIP.PIF, DOC.SCR, MP3.SCR, or ZIP.SCR. As far as the message body is concerned, there is no unique identifiable message. Other telltale signs that the virus has made itself comfortable on your machine are the presence of the following files in the C:\WINDOWS or C:\WINNT directory:

• Kernel32.exe
• Cp_25389.nls
• Kdll.dll
• Protocol.dll

NOTE: Kdll.dll is the Trojan component. Protocol.dll will only appear on your system after the worm has sent infected email messages to others.
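The subject-line and attachment-name indicators above can be turned into a simple mail-filter rule. The following is an added example written for this page, not code from the article or from Smart Computing; it takes the subject words and extension combinations exactly as the article lists them and adds two design choices of its own (assumptions, not from the article): subject words are matched as whole tokens so that "fun" does not fire on "function", and an SCR/PIF attachment is rated "high" while a listed subject word alone is only "low", because the subject list is too generic to act on by itself.

```python
"""Added example: flag mail that matches the BadTrans indicators the article lists."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Subject words the article lists; compared case-insensitively as whole tokens
# so that "fun" does not fire on "function".
SUBJECT_KEYWORDS = {
    "fun", "humor", "docs", "info", "sorry_about_yesterday", "card", "me_nude",
    "setup", "stuff", "you_are_fat!", "hamster", "news_doc", "new_napster_site",
    "funpics", "readme", "s3msong", "pics",
}

# Attachment name: an optional MP3/DOC/ZIP decoy extension followed by the
# executable SCR or PIF extension, or SCR/PIF on its own.
ATTACHMENT_RE = re.compile(r"^.+?(?:\.(mp3|doc|zip))?\.(scr|pif)$", re.IGNORECASE)


@dataclass
class Verdict:
    level: str                          # "none", "low" (subject only) or "high" (attachment)
    reasons: list[str] = field(default_factory=list)


def classify_message(subject: str, attachments: list[str]) -> Verdict:
    """Score one message from its subject line and attachment file names."""
    reasons: list[str] = []
    level = "none"

    # Whole-token match: tokens keep "_" and "!" so that "YOU_are_FAT!" survives.
    tokens = re.findall(r"[\w!]+", subject.lower())
    hits = [t for t in tokens if t in SUBJECT_KEYWORDS]
    if hits:
        reasons.append(f"subject contains listed word(s): {', '.join(hits)}")
        level = "low"

    for name in attachments:
        m = ATTACHMENT_RE.match(name.strip())
        if not m:
            continue
        decoy, exe = m.group(1), m.group(2)
        if decoy:
            reasons.append(f"attachment {name!r} uses double extension .{decoy}.{exe}")
        else:
            reasons.append(f"attachment {name!r} is a .{exe} executable")
        level = "high"   # an SCR/PIF attachment is the strong signal

    return Verdict(level, reasons)


# Constructed sample messages (not real captures) exercising each rule.
SAMPLE_MESSAGES = [
    ("Re: fun", ["news_doc.DOC.pif"]),
    ("Re: function prototypes", ["report.doc"]),
    ("info", []),
    ("", ["Card.scr"]),
]

if __name__ == "__main__":
    for subject, atts in SAMPLE_MESSAGES:
        v = classify_message(subject, atts)
        print(f"{v.level:>4}  subject={subject!r} attachments={atts}")
        for r in v.reasons:
            print("      -", r)
```

Run it directly to see the verdict for each constructed message; in a real mail gateway you would feed `classify_message` the decoded subject and the file names of each MIME part.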

How To Get Rid Of BadTrans With Spybot Search & Destroy

Launch Spybot Search & Destroy and make sure it is up-to-date by clicking the Update button and following the on-screen instructions (this requires a live Internet connection). If the program is up-to-date, click the Search & Destroy button to automatically search for BadTrans virus files such as Kern32.exe. When Spybot Search & Destroy finds the file on your computer, it creates a listing under the Problem heading and automatically includes a check in the corresponding checkboxes. Scroll through the results to make sure the program didn't identify any legitimate programs as problems; if you find any of these, simply uncheck the corresponding checkboxes. Click the Fix Selected Problems button to have the program remove the unwanted file(s).


WARNING: The following section includes step-by-step information on how to edit the Windows Registry, a large database containing system and program settings that are essential to how the OS (operating system) operates. Follow Registry-editing instructions to the letter and be sure to make a backup of your Registry before you begin (Registry errors can render your computer inoperable if you don't have a backup). This procedure differs depending on the OS you use. For more information on backing up and editing the Registry, see these articles: "Protect Yourself" and "Register Here."



How To Get Rid Of BadTrans Manually

The first step to eliminating BadTrans is to terminate this malware program resident in your computer's memory. To do so, follow this procedure:

1. Go to the Windows Task Manager. To do this on a system running WinNT/2000/XP, press CTRL-SHIFT-ESC and select the Processes tab. To do this on a system running Win9x/Me, press CTRL-ALT-DELETE.

2. Locate and select file Kernel32.exe in the list of running programs.

3. Press End Task or End Process (either will appear depending on your Windows version).

4. Verify that you've terminated Kernel32.exe by closing Task Manager and opening it again; then close Task Manager.

NOTE: On systems running Win9x/Me, Task Manager may not show certain processes. You can use a third-party process viewer such as Mark Russinovich's Process Explorer (www.sysinternals.com; free) to detect and terminate the Kernel32.exe process.

Now You'll Need To Edit The Windows Registry

1. Click Start and Run, type regedit, and press ENTER to open the Registry Editor.

2. In the left panel, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE.

3. In the right panel, delete the KERNEL32\Kernel32.exe value.

4. Close the Registry Editor.

Because this insidious worm can also add the entry C:\%WINDIR%\INETD.EXE under the RUN key of the Win.ini file (in order to execute at every Windows startup), you'll want to be sure to remove any AutoStart entries from this area of the operating system.

1. Click Start and Run, type sysedit, and press ENTER to open the System Configuration Editor.

2. Under the System Configuration Editor, select the C:\WINDOWS\WIN.INI or C:\WINNT\WIN.INI window.

3. Under the [windows] section, locate lines that begin with "load =" or "run =".

4. From either or both of these lines, delete the malware path and file name %Windows%\INETD.EXE. The %Windows% refers to the Windows directory, usually C:\WINDOWS or C:\WINNT.

5. Close System Configuration Editor and click Yes when prompted to save.
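The Win.ini edit above can be checked and performed programmatically, which also makes it easy to confirm afterwards that the entry is really gone. The following is an added example for this page, not code from the article or from Smart Computing. It assumes, as the article states, that the worm's entry is INETD.EXE on the load= or run= line of the [windows] section, and it matches on the file name alone so that the C:\WINDOWS, C:\WINNT and %Windows% forms all count. The assumption that a load=/run= value lists programs separated by spaces or commas is mine, not the article's; the RunOnce Registry step is not covered here.

```python
"""Added example: find and strip the BadTrans auto-start entry from win.ini [windows]."""
from __future__ import annotations

import ntpath
import re

# Auto-start program the article says the worm adds; compared by file name only,
# so C:\WINDOWS\INETD.EXE, C:\WINNT\INETD.EXE and %Windows%\INETD.EXE all match.
SUSPECT_BASENAMES = {"inetd.exe"}

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
LOADRUN_RE = re.compile(r"^(load|run)\s*=\s*(.*)$", re.IGNORECASE)


def split_entries(value: str) -> list[str]:
    """load=/run= values list programs separated by spaces or commas (assumption)."""
    return [e for e in re.split(r"[\s,]+", value.strip()) if e]


def audit_win_ini(text: str, suspects=SUSPECT_BASENAMES):
    """Return (cleaned_text, findings).

    Only load= and run= keys inside the [windows] section are examined; the
    same keys under any other section are left untouched. Line endings are
    preserved. findings is a list of (line_number, key, dropped_entries).
    """
    findings = []
    out = []
    section = None
    for lineno, raw in enumerate(text.splitlines(keepends=True), 1):
        body = raw.rstrip("\r\n")
        ending = raw[len(body):]
        stripped = body.strip()

        sec = SECTION_RE.match(stripped)
        if sec:
            section = sec.group(1).lower()
            out.append(raw)
            continue

        kv = LOADRUN_RE.match(stripped)
        if section == "windows" and kv:
            key, value = kv.group(1), kv.group(2)
            keep, drop = [], []
            for entry in split_entries(value):
                target = drop if ntpath.basename(entry).lower() in suspects else keep
                target.append(entry)
            if drop:
                findings.append((lineno, key, drop))
                body = f"{key}={' '.join(keep)}"   # keep legitimate programs on the line
        out.append(body + ending)
    return "".join(out), findings


def clean_file(path: str, write: bool = False) -> list:
    """Audit a real win.ini (e.g. C:\\WINDOWS\\WIN.INI); rewrite it only when write=True."""
    with open(path, "r", encoding="latin-1", newline="") as fh:
        original = fh.read()
    cleaned, findings = audit_win_ini(original)
    if findings and write:
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(cleaned)
    return findings


# Constructed sample (not a real file): the worm's entry sits beside a
# legitimate program, and a look-alike key in another section must survive.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\INETD.EXE c:\\tools\\clock.exe\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
    "[other]\r\n"
    "run=C:\\WINDOWS\\INETD.EXE\r\n"
)

if __name__ == "__main__":
    cleaned, findings = audit_win_ini(SAMPLE_WIN_INI)
    for lineno, key, dropped in findings:
        print(f"line {lineno}: removed {dropped} from {key}=")
    print(cleaned)
```

Run the block as-is to see it operate on the constructed sample; `clean_file(r"C:\WINDOWS\WIN.INI")` reports findings without touching the file, and only `write=True` rewrites it, so you can take the backup the warning above asks for first.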

Now that you have deactivated the worm and prevented it from starting when Windows starts, the next step is to delete the actual malware files. To accomplish this, do the following:

1. Click Start, Search, and then select For Files Or Folders.

2. Search your hard drive (usually C:) for the files Inetd.exe, Kern32.exe, Hksdll.dll, Hkk32.exe, and Cp_23421.nls by putting each file name into the Search For Files Or Folders Named field and clicking the Search Now button. When Windows finds the file, it will appear on the right side of the dialog box. (NOTE: The names of these options might vary, depending on the Windows version you're using.)

3. Right-click the file and select Delete. If prompted to confirm your decision to delete the file, click Yes or OK.

Now that you have removed the worm, empty the Recycle Bin and restart your computer. Lastly, run up-to-date antivirus software to ensure that any remnants are removed.

by Douglas Schweitzer


Copyright © 2009 Sandhills Publishing Company U.S.A. All rights reserved.