
W32.Badtrans.B@mm - Removal

Risk Level 2: Low

Discovered:
November 24, 2001
Updated:
February 13, 2007 11:37:49 AM
Also Known As:
I-Worm.BadtransII [KAV], Badtrans.B@mm [Norman], W32/Badtrans.B [Panda], WORM_BADTRANS.B [Trend], W32/Badtrans-B [Sophos], W32/Badtrans.B@mm [F-Secure], W32/BadTrans@MM [McAfee], Win32.Badtrans.29020 [CA], Worm/Badtrans.B [Vexira]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References:
CVE-2001-0154

The preferred way to remove this worm is to use the W32.Badtrans.B@mm Removal Tool. If for any reason you cannot obtain the tool, you must remove the worm manually.

Manual removal

An online tutorial on how to manually remove W32.Badtrans.B@mm is available here.

To remove this worm manually, you must first remove the worm files and then reverse the change that it made to the registry.

Remove the worm files
Follow the instructions for your version of Windows.

Windows 95/98/Me/2000/XP
Because the worm file may be in use, you must in most cases restart in Safe mode before Norton AntiVirus can delete it.

CAUTION: For Windows Me or Windows XP users only. If you are running Windows Me or Windows XP, follow the instructions in the section System Restore option in Windows Me/XP, located at the end of this document, before you begin the removal procedure.
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Restart the computer in Safe Mode. For instructions on how to do this, read the document for your operating system:
  3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  4. Run a full system scan.
  5. Write down the names of any files that are detected as W32.Badtrans.B@mm, and then delete them.
  6. When the scan is finished, go on to the section Edit the registry.

Windows NT
Because the worm file may be in use, you must in most cases End Process on it before Norton AntiVirus can delete it.
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Press Ctrl+Alt+Delete one time.
  3. Click Task Manager.
  4. Click the Processes tab.
  5. Click the "Image Name" column header two times to sort the processes alphabetically.
  6. Scroll through the list and look for Kernel32.exe. If you find the file, click it and then click End Process.
  7. Close the Task Manager.
  8. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  9. Run a full system scan.
  10. Write down the names of any files that are detected as W32.Badtrans.B@mm, and then delete them.
  11. When the scan is finished, go on to the section Edit the registry.

Edit the registry

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  4. In the right pane, delete the following value:

    Kernel32   kernel32.exe

    CAUTION: The reference to Kernel32 is the most common value that is added by the worm, but it is not the only one possible. In some cases, it may not be there. In addition to looking for and deleting this value, you must also look for values that refer to any file names that were detected as infected by this worm when you ran the full system scan. All such values must be deleted.
  5. Click Registry, and then click Exit.
  6. Restart the computer.
  7. To make sure that all files have been removed, start Norton AntiVirus and run another full system scan.
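Step 4 and its caution (delete the Kernel32 value, and any other value that refers to a file the scan detected) can be checked against an export of the key rather than by eye. The script below is an added example written for this page; it is not part of the Symantec writeup or the removal tool. It assumes you exported the key with regedit (for example `regedit /e runonce.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"`) and that you pass it the file names your full system scan reported. The embedded sample export is constructed, and DETECTED_FILE_PLACEHOLDER.EXE is a placeholder standing in for any such file name.

```python
import re
from typing import Dict, List, Tuple

RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed sample, not taken from an infected machine: the text regedit writes when
# exporting the RunOnce key. "Kernel32" is the value named in the writeup, "Installer"
# is a benign entry, and DETECTED_FILE_PLACEHOLDER.EXE is a placeholder for any other
# file name the full system scan reported as W32.Badtrans.B@mm.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"
"Installer"="C:\\Program Files\\Vendor\\setup.exe /finish"
"Helper"="C:\\WINDOWS\\SYSTEM\\DETECTED_FILE_PLACEHOLDER.EXE"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key_path: {value_name: data}}.

    String (REG_SZ) data is unquoted and unescaped; other forms such as hex(...) or
    dword: are kept as raw text so they still appear in the audit output.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def flag_runonce_values(keys: Dict[str, Dict[str, str]], detected_files: List[str]) -> List[Tuple[str, str]]:
    """Return (value_name, data) pairs under RunOnce whose data references a detected file.

    The match is on the whole file name, case-insensitively, so the legitimate Windows
    library kernel32.dll is not confused with the worm's kernel32.exe.
    """
    patterns = [re.compile(r"(?<![\w.])" + re.escape(f.lower()) + r"(?![\w.])") for f in detected_files]
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if key.lower() != RUNONCE_KEY.lower():  # registry paths are case-insensitive
            continue
        for name, data in values.items():
            if any(p.search(data.lower()) for p in patterns):
                hits.append((name, data))
    return hits


def load_reg_file(path: str) -> str:
    """Read a .reg file: regedit on Windows 2000/XP writes UTF-16 with a byte-order
    mark, while older versions write ANSI text headed REGEDIT4."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


if __name__ == "__main__":
    # Replace SAMPLE_REG_EXPORT with load_reg_file("runonce.reg") and the list with the
    # file names from your own scan log.
    found = flag_runonce_values(parse_reg_export(SAMPLE_REG_EXPORT),
                                ["kernel32.exe", "DETECTED_FILE_PLACEHOLDER.EXE"])
    for name, data in found:
        print(f"delete RunOnce value {name!r} -> {data}")
```

The script only reports; deleting the flagged values is still done in Registry Editor as described above, so that nothing outside the named key is touched. Matching on the complete file name rather than on the value name matters here: the worm's file is kernel32.exe, while kernel32.dll is a legitimate Windows library that must not be flagged.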

Quarantined files
If you quarantined files when Norton AntiVirus detected them, rather than deleting them, read the document What to do after you quarantined a file.

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

Writeup By: Peter Ferrie
