When executed, Win32/Badtrans may copy itself to the Windows directory or System directory and will set itself to run when Windows starts.
It will try to register itself as a service process so that it doesn't appear in Task Manager on Windows 95, Windows 98, or Windows ME.
Win32/Badtrans may try to propagate by sending itself as an attachment in reply to previously received E-mails on an infected computer and/or by searching certain files on the infected computer for E-mail addresses. The attachment filenames vary amongst variants, but will always end in ".pif" or ".scr".
Win32/Badtrans logs keystrokes to an encrypted file on disk and may E-mail that file to the malware author.