Microsoft security software detects and removes this threat.
Win32/Badtrans is a mass-mailing worm that logs keystrokes on infected computers.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

When executed, Win32/Badtrans may copy itself to the Windows directory or System directory and will set itself to run when Windows starts.
It will try to register itself as a service process so that it doesn't appear in Task Manager on Windows 95, Windows 98, or Windows ME.
Win32/Badtrans may try to propagate by sending itself as an attachment in reply to previously received E-mails on an infected computer and/or by searching certain files on the infected computer for E-mail addresses. The attachment filenames vary amongst variants, but will always end in ".pif" or ".scr".
Win32/Badtrans logs keystrokes to an encrypted file on disk and may E-mail that file to the malware author.


Alerts from your security software might be the only symptom.


Alert level: High
This entry was first published on: Jan 28, 2006
This entry was updated on: Jul 16, 2015

This threat is also detected as:
No known aliases