
*** Description DECBAD16.EXE / DECBAD32.EXE ***

Copyright (c) 2001 Andreas Marx (http://www.av-test.org)
Powered by: c't (http://www.heise.de/ct)


The worm Win32/Badtrans.B creates an encrypted file
cp_25389.nls in the Windows\System directory on infected
computers, where all keystrokes will be saved, if the
worm thinks, the user will enter a password soon. Later,
the file will be send to a list of e-mail addresses.

This program has been written in order to decrypt the
input and to look what data has been send and what
damage could this mean.

Usage: Start DECBAD32 under Windows and select a file
to decrypt.


We have also written a 16 bit command-line program for
DOS, which has the same functional range.

Usage: DECBAD16 Infile [Outfile],

where Infile is the file to decrypt (usually
cp_25389.nls). If no outfile is specified, the content
will be displayed on screen. Chars lower than ASCII 32
or higher than ASCII 127 will be automatically converted
to spaces.


The program has been put under GPL and can be
distributed and used without any charge (see
copyright.txt). The complete source code can be found
in the file source.zip.


*** Exclusion of liability ***

A liability for the correctness of the data and results
given on this test cannot be taken by the authors. We do
not give any guaranty of any kind, neither explicit nor
implicit, including all guaranties of usablity or
uselessness for any kind of purpose.

We are under no circumstances liable for any
consequential damage including but not limited to capital
loss, loss of profit or other direct or indirect damage
that could arise.


### END OF FILE ###
