Threat Descriptions

BadAss

Classification

Category :

Malware

Type :

-

Platform :

-

Aliases :

BadAss, IWorm_Bad_Ass, I-Worm.BadAss

Summary

BadAss is a worm that spreads itself via Microsoft Outlook email client. The worm file is 24576 bytes long Windows EXE application written in Visual Basic. It seems to be based on Melissa worm source code - functions and sequence of commands in the BadAss code are very close to those in Melissa source code.

The worm spreads itself as a binary attachment to email messages that it sends from infected system. The original attachment name is BADASS.EXE, but it is possible to rename the EXE file manually, and then it will spread itself with a new name.

When the worm file is run from infected message attachment, the worm gets control and starts its main routine. This routine displays message box and acts similar to Joke.Win.Stupid joke program. The text in the messagebox will not be shown here as it is not suitable for all audiences.

After that the worm runs its infection routine that opens the Outlook database, gets email addresses from AddressBook and sends infected messages to all the addresses found. The subject of infected messages contains the text 'Moguh..' and the message text is 'Dit is wel grappig! :-)' ('This is funny!' - in Dutch).

The worm does not send messages twice from the same computer. To avoid duplicate spreading the worm creates a special key in Windows Registry.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

N/A