MORE INFORMATION

The W32.Badtrans.13312@mm worm virus is also known as W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans, I-Worm.Badtrans, and TROJ_BADTRANS.A.

How the Virus Affects a Computer

After your computer becomes infected with the W32.Badtrans.13312@mm worm virus, you receive a dialog box that says, "File data corrupt: probably due to bad data transmission or bad disk access." If you click OK, when you next start your computer, Outlook Express waits five minutes and then automatically replies to all of the unread messages that are in the Inbox.

The virus uses one of the following names to attach itself to each of the replies:

• Pics.ZIP.scr
• images.pif
• README.txt.pif
• New_Napster_Site.doc.scr
• News_doc.scr
• Hamster.ZIP.scr
• YOU_are_FAT!.txt.pif
• searchURL.scr
• SETUP.pif
• Card.pif
• Me_nude.avi.pif
• Sorry_about_yesterday.doc.pif
• s3msong.MP3.pif
• docs.scr
• Humor.txt.pif
• fun.pif

When the W32.Badtrans.13312@mm worm virus runs, it places the "Trojan horse" file Hkk32.exe in the Windows folder and then runs the Hkk32.exe file. The virus then copies itself into the Windows folder as Inetd.exe, adds a run= line to the Win.ini file, and displays the dialog box message about "File data corrupt."

How to Remove the W32.Badtrans.13312@mm Worm Virus

To resolve this behavior, remove the worm virus. You must delete all of the files that are detected as W32.Badtrans.13312@mm, undo the changes that the virus makes to the registry, and then, if you are running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition (Me), remove the virus entry from the run= line of the Win.ini file.

Delete All W32.Badtrans.13312@mm Files

1. Click Start, click Find, and then click Files or Folders. (In Microsoft Windows 2000, click Start, click Search, and then click Files or Folders.)
2. Type W32.Badtrans.13312@mm, and then click Find Now (or in Windows 2000, click Search).
3. In the results window, delete all files that are named W32.Badtrans.13312@mm.
4. Quit the search tool.
5. Do one of the following:
   • If you are running Windows 95, Windows 98, or Windows Me, skip the rest of this set of steps and go to the next set of steps, "Edit the Registry."
   • If you are running Microsoft Windows NT 4.0 or Windows 2000, continue with this set of steps.
6. Press CTRL+ALT+DELETE, click Task Manager, and then click Processes.
7. Click Image Name twice, to sort the processes alphabetically.
8. Scroll through the list and look for the Inetd.exe file. If you find this file, click the file, and then click End Process.
9. Scroll through the list and look for the Kern32.exe file. If you find this file, click the file, and then click End Process.
10. Quit Task Manager.
11. Right-click the My Computer icon on the Windows desktop, and then click Explore.
12. Do one of the following:
    • If you are running Windows NT, click View, and then click Options.
    • If you are running Windows 2000, click Tools, and then click Folder Options.
13. Click View.
14. Do one of the following:
    • If you are running Windows NT, click Show all files, click to clear the Hide file extensions for known file types check box, and then click OK.
    • If you are running Windows 2000, click Show hidden files and folders, and then click to clear the Hide file extensions for known file types check box.
15. In the left pane of Windows Explorer, right-click drive C, and then click Find (in Windows NT) or Search (in Windows 2000).
16. In the Named box (in Windows NT) or in the Search for Files and Folders box (in Windows 2000), type (or copy and paste) the following file names: inetd.exe kern32.exe hkk32.exe hksdll.dll kdll.dll
17. Click Find Now (in Windows NT) or Search Now (in Windows 2000).
18. When the search is complete, write down the names and locations of the files that are listed.
19. On the Edit menu, click Select All.
20. Hold down SHIFT, press DELETE, and then continue to hold down SHIFT until you are prompted to confirm the deletion. Click Yes. (Holding down SHIFT while you press DELETE bypasses the Recycle Bin.)
21. Quit Windows Explorer.

Delete the Virus Value from the Registry

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Start Registry Editor (Regedt32.exe).
2. Locate the Kernel32 KERN32.EXE value under the following key in the registry:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

3. On the Edit menu, click Delete, and then click OK.
4. Do one of the following:
   • If you are running Windows 95, Windows 98, or Windows Me, skip the rest of this set of steps and go to the next set of steps, "Edit the Win.ini File."
   • If you are running Windows NT or Windows 2000, continue with this set of steps.
5. Locate the run path\Inetd.exe value under the following key in the registry:

   HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

6. On the Edit menu, click Delete, and then click OK.
7. Quit Registry Editor.

Remove a Line from the Win.ini File

If you are running Windows 95, Windows 98, or Windows Me, you must also remove a line from the Win.ini file:

1. Click Start, and then click Run.
2. Type edit c:\windows\win.ini, and then click OK. (If Windows is installed in some other location, make the appropriate substitution in the path.)
3. In the [windows] section, locate the run= line. It looks similar to this:

   run=c:\windows\inetd.exe

4. Remove all of the text that is to the right of the equal sign (=), so that the line now reads run=.
5. Save your changes.

How to Protect Your Computer from Viruses

To help protect your computer from computer viruses, obtain current antivirus software. Microsoft does not provide software to detect or remove computer viruses.

For additional information about antivirus software manufacturers, click the article number below to view the article in the Microsoft Knowledge Base: