Threat Description

BadAss

Details

Aliases: BadAss, IWorm_Bad_Ass, I-Worm.BadAss
Category: Malware
Type:
Platform: W32

Summary



BadAss is a worm that spreads itself via the Microsoft Outlook e-mail client. The worm file is a 24576-byte Windows EXE application written in Visual Basic. It seems to be based on the Melissa worm source code: the functions and sequence of commands in the BadAss code are very close to those in the Melissa source code.

The worm spreads itself as a binary attachment to e-mail messages that it sends from the infected system. The original attachment name is BADASS.EXE, but the EXE file can be renamed manually, and the worm will then spread itself under the new name.

When the worm file is run from an infected message attachment, the worm gets control and starts its main routine. This routine displays a message box and acts similarly to the Joke.Win.Stupid joke program. The text in the message box is not shown here, as it is not suitable for all audiences.

After that, the worm runs its infection routine, which opens the Outlook database, gets e-mail addresses from the AddressBook and sends infected messages to all the addresses found. The subject of infected messages contains the text 'Moguh..' and the message text is 'Dit is wel grappig! :-)' ('This is funny!' in Dutch).

The worm does not send messages twice from the same computer. To avoid duplicate spreading, the worm creates a special key in the Windows Registry.
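The message traits listed above (subject text, message text, attachment name and file length) can be turned into a mail-store check. The following is an added example, not part of the original description or any vendor tool; the function names and the inert sample messages are constructed for illustration, and a length match is only a weak heuristic, so it is combined with the text markers.

```python
import email
from email import policy
from email.message import EmailMessage

SUBJECT_TEXT = "Moguh.."                # subject text from the description
BODY_TEXT = "Dit is wel grappig! :-)"   # message text from the description
ORIGINAL_NAME = "badass.exe"            # original attachment name (may be renamed)
WORM_SIZE = 24576                       # worm file length in bytes

def inspect_message(raw: bytes) -> list:
    """Return the indicators from the description found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_TEXT in str(msg["Subject"] or ""):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if (part.get_filename() or "").lower() == ORIGINAL_NAME:
            hits.append("attachment-name")
        # A renamed copy keeps its length; also require the EXE "MZ" header.
        if len(data) == WORM_SIZE and data[:2] == b"MZ":
            hits.append("attachment-size")
    return hits

def is_suspect(hits: list) -> bool:
    """Flag on the original name, or on a size match backed by a text marker."""
    text_hit = "subject" in hits or "body" in hits
    return "attachment-name" in hits or ("attachment-size" in hits and text_hit)

def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is an inert placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ" + b"\x00" * (size - 2), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for args in [(SUBJECT_TEXT, BODY_TEXT, "BADASS.EXE", WORM_SIZE),
                 (SUBJECT_TEXT, BODY_TEXT, "funny.exe", WORM_SIZE),
                 ("Build output", "Nightly build attached.", "setup.exe", 4096)]:
        hits = inspect_message(build_sample(*args))
        print(args[2], hits, is_suspect(hits))
```
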



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.








Technical Details: Eugene Kaspersky, AVP team

