Badtrans Internet worm logs password keystrokes and attempts to email the log to its creator

Incident Date: September 2003
Incident Location:

An Internet worm, named Badtrans, attempts to steal passwords by installing a Trojan horse program after it infects a computer. This Trojan logs the userís keystrokes in a file named cp_25389.nls in the Windows system directory. The worm may encrypt the keystroke log. The worm then attempts to send the log to one of 22 different email accounts, located at, and other sites.

Story Sources

Title: Badtrans worm analysis
Publication: Sophos Virus Database
Publication Location: USA
Publication URL:

Do you have additional information to contribute regarding this story? If so, please email with the details and source.

<-- Back to Authentication Story Index

[Home] [About Us] [News] [Research]

Copyright © 2016