W32/Bizex.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 02/24/2004
Length: Varies
Minimum DAT: 4328 (02/25/2004)
Updated DAT: 4328 (02/25/2004)
Minimum Engine: 5.1.00
Description Added: 02/24/2004
Description Modified: 02/25/2004 4:33 AM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update 24th February, 2004--
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.infoworld.com/article/04/02/24/HNbizexworm_1.html

This worm spreads by sending a hyperlink to contacts via the ICQ messaging program.

Stealthing

Once running on the victim machine, the worm hides the SYSMON folder (see below) and its contents. The Registry key added to hook system startup is also hidden. While the worm is running, neither the Registry key nor the SYSMON folder and the files it contains can be viewed via Regedit or Windows Explorer.

Because of this, a rescan may be required after the dropped DLLs (which are not hidden) have been detected and cleaned. Please see the Removal Instructions for more information.

Propagation Mechanism

This worm consists of multiple components. The propagation mechanism starts with the user clicking on a link received via an ICQ message. Users should block access to the following domain:

www[.]jokeworld[.]biz (defanged; remove the brackets to obtain the domain)

When the page is viewed, a CHM file is downloaded to the victim machine as MEINE.SCM (13,502 bytes). The SCM file extension is associated with ICQ sound scheme files. By default, ICQ places the sound file included with the SCM file (STARTUP.WAV in this case) in a known location on disk, so the file ends up at a path the attacker can predict.

Next, a vulnerability in the showhelp() function within Microsoft Internet Explorer is exploited in order to execute an HTML file contained within the CHM (IEF*CKER.HTML, 14,103 bytes). This HTML file contains code to drop a PE file to the startup folder of the victim machine as WINUPDATE.EXE (4,650 bytes). For example:

  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe
  • C:\Windows\Start Menu\Programs\Startup\WinUpdate.exe

This file is a downloader, which downloads the main worm binary (86,528 bytes) from a remote server. The worm is downloaded to the temporary folder as APTGETUPD.EXE, for example:

  • C:\WINDOWS\TEMP\APTGETUPD.EXE (86,528 bytes)

When run, this file installs itself as SYSMON.EXE onto the victim machine, within a SYSMON folder in the Windows system directory, for example:

  • C:\WINNT\SYSTEM32\SYSMON\SYSMON.EXE

The following Registry value is added to hook system startup (the path points at the copy inside the SYSMON folder listed above):

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "sysmon" = C:\WINNT\SYSTEM32\SYSMON\SYSMON.EXE

As noted above, the worm hides this Registry key, the SYSMON folder (and its contents) when it is running.

Two DLLs are dropped to the Windows system directory. These form the worm's data theft component:

  • %System%\JAVA32.DLL (163,840 bytes)
  • %System%\JAVAEXT.DLL (98,304 bytes)

Keystrokes for various web sessions (those related to various financial services) are logged. JAVA32.DLL bears strong similarities to the DLL used by BackDoor-CAY. Both JAVA32.DLL and JAVAEXT.DLL are detected as W32/Bizex.worm.dll with the specified engine/DATs.

The password stealing component targets Internet Explorer windows whose titles match the following:

  • Acceso a Banca por Internet
  • Accueil Bred.fr > Espace Bred.fr
  • Banamex.com
  • baNK
  • Banque
  • Banque en ligne
  • Barclaycard Merchant Services
  • Collegamento a Scrigno
  • Commercial Electronic Office Sign On
  • Credit Lyonnais interacti
  • CyberMUT
  • E*TRADE Log On
  • e-gold Account Access
  • Home Page Banca Intesa
  • LloydsTSB online - Welcome
  • Merchant Administration American Express UK - Personal Finance
  • Page d'accueil
  • Secure User Area
  • SUNCORP METWAY
  • Tous les produits et services
  • VeriSign Partner Manager
  • VeriSign Personal Trust Service
  • Wells Fargo - Small Business Home Page

Additionally, keystrokes for HTTPS sessions whose addresses contain the following strings are logged:

  • login.yahoo.com
  • .passport.

Logged data is written to the following files:

  • ~PASS.LOG
  • ~KEY.LOG
  • ~POST.LOG

Symptoms

Presence of the files and Registry keys detailed above. Note, however, that while the worm is running neither the SYSMON folder (plus its contents) nor the Registry hook is visible using Windows Explorer and Regedit.

The dropped JAVA32.DLL and JAVAEXT.DLL files are not hidden, and both would be visible on an infected machine. If a scan shows these two detections, initiate another on-demand scan for detection and removal of the worm itself.
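The hiding described above is the practical problem in this section: the indicators you would look for are exactly the ones the running worm removes from Explorer's and Regedit's view. The check below is an added example for this page, not McAfee's or the worm's code. It compares a live (API-based) enumeration with an offline one (a disk image, or the registry hive read after booting clean media) and matches both against the file names, sizes and Run value named in this description; an entry that exists offline but not in the live view is the stealthing showing itself. The two views, the size given for SYSMON.EXE, the location of the ~*.LOG files and the benign entries are constructed sample data rather than captures from an infected host; on a real investigation the LIVE_* lists would come from the running system and the RAW_* lists from the offline source.

```python
"""Cross-view indicator check for the W32/Bizex.worm artifacts listed above.
Added example for this page (not McAfee's or the worm's code); all input is
constructed inline.  LIVE = what Explorer/Regedit (hooked Win32 APIs) show on
the infected host; RAW = an offline enumeration (disk image, or the hive read
after booting clean media).  Stealthed items exist in RAW but not in LIVE."""
import ntpath

# File indicators from the description: basename -> size in bytes (None where
# the page gives no size).  Basenames are matched because %System%, %Temp% and
# the Startup folder differ between Windows versions.
FILE_IOCS = {
    "MEINE.SCM": 13502, "WINUPDATE.EXE": 4650, "APTGETUPD.EXE": 86528,
    "SYSMON.EXE": None, "JAVA32.DLL": 163840, "JAVAEXT.DLL": 98304,
    "~PASS.LOG": None, "~KEY.LOG": None, "~POST.LOG": None,
}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "sysmon"

def normalize(path):
    """Case-fold and unify separators so the two views compare equal."""
    return path.replace("/", "\\").lower()

def reg_id(entry):
    """(key, value_name, data) -> normalized 'key\\value_name'."""
    return normalize(entry[0] + "\\" + entry[1])

def match_file_iocs(entries):
    """entries: (path, size) pairs.  One dict per path whose basename is a
    Bizex file name; size_ok is None when the page gives no size."""
    hits = []
    for path, size in entries:
        name = ntpath.basename(path).upper()
        if name in FILE_IOCS:
            expected = FILE_IOCS[name]
            hits.append({"path": normalize(path), "name": name,
                         "size_ok": None if expected is None else size == expected})
    return hits

def match_run_key(reg_entries):
    """Flag the 'sysmon' Run value whatever path its data points at."""
    return [e for e in reg_entries
            if normalize(e[0]) == normalize(RUN_KEY) and e[1].lower() == RUN_VALUE]

def hidden_files(live_files, raw_files):
    """Paths present offline but missing from the live (API) view."""
    live = {normalize(p) for p, _ in live_files}
    return sorted(normalize(p) for p, _ in raw_files if normalize(p) not in live)

def hidden_run_values(live_reg, raw_reg):
    """Run values present in the raw hive but missing from the live view."""
    live = {reg_id(e) for e in live_reg}
    return sorted(reg_id(e) for e in raw_reg if reg_id(e) not in live)

def assess(live_files, raw_files, live_reg, raw_reg):
    """IOC matching plus the cross-view diff, reduced to one verdict string."""
    iocs = match_file_iocs(raw_files)
    run_hits = match_run_key(raw_reg)
    hidden_f = hidden_files(live_files, raw_files)
    hidden_r = hidden_run_values(live_reg, raw_reg)
    exact = [h for h in iocs if h["size_ok"] is not False]   # size matches or unknown
    stealthed = [h for h in exact if h["path"] in set(hidden_f)]
    run_hidden = [e for e in run_hits if reg_id(e) in set(hidden_r)]
    if stealthed or run_hidden:
        verdict = "infected: Bizex components present and hidden from the live view"
    elif exact or run_hits:
        verdict = "suspicious: Bizex indicators present; rescan after cleaning"
    elif iocs:
        verdict = "review: file names match but sizes differ (variant or benign collision)"
    else:
        verdict = "clean"
    return {"iocs": iocs, "run_key": run_hits, "hidden": hidden_f + hidden_r,
            "verdict": verdict}

# Constructed sample: an infected Windows 2000 host.  The sizes of SYSMON.EXE
# and the log file, and the log file's location, are assumptions, not from the page.
SAMPLE_RAW_FILES = [
    (r"C:\WINNT\SYSTEM32\SYSMON\SYSMON.EXE", 86528),
    (r"C:\WINNT\SYSTEM32\SYSMON\~PASS.LOG", 2048),
    (r"C:\WINNT\SYSTEM32\JAVA32.DLL", 163840),
    (r"C:\WINNT\SYSTEM32\JAVAEXT.DLL", 98304),
    (r"C:\WINNT\TEMP\APTGETUPD.EXE", 86528),
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe", 4650),
    (r"C:\WINNT\SYSTEM32\KERNEL32.DLL", 742912),                 # benign noise
]
# The running worm hides the SYSMON folder and its Run value from the live view.
SAMPLE_LIVE_FILES = [e for e in SAMPLE_RAW_FILES if "\\SYSMON\\" not in e[0]]
SAMPLE_RAW_REG = [
    (RUN_KEY, "sysmon", r"C:\WINNT\SYSTEM32\SYSMON\SYSMON.EXE"),
    (RUN_KEY, "Synchronization Manager", "mobsync.exe /logon"),  # benign
]
SAMPLE_LIVE_REG = SAMPLE_RAW_REG[1:]

if __name__ == "__main__":
    result = assess(SAMPLE_LIVE_FILES, SAMPLE_RAW_FILES, SAMPLE_LIVE_REG, SAMPLE_RAW_REG)
    print(result["verdict"])
    for item in result["hidden"]:
        print("  hidden from live view:", item)
```

A name match on its own is deliberately not treated as infection: SYSMON.EXE is also the file name of the Sysinternals Sysmon service on current hosts, and DLL names such as JAVA32.DLL collide easily, so the verdict only reaches "infected" when the size matches (where the page gives one) and the entry is missing from the live view, and otherwise asks for the rescan the Removal section calls for.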

Method of Infection

This worm spreads by sending a URL link to the contacts in the victim's ICQ contact list. An ICQ exploit coupled with an Internet Explorer exploit (MS03-040) is used by the attacker to install the worm when the page is viewed.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Stealthing - cleaning may require a rescan:

Once running on the victim machine, this worm uses stealthing to hide itself. The SYSMON folder (within %SysDir%) and its contents remain hidden whilst the worm is running.

The two keylogging/spy DLLs that are dropped (JAVAEXT.DLL and JAVA32.DLL) will still be detected whilst the worm is running. Upon cleaning with the specified engine/DATs they will be deleted, and the main worm process terminated. A subsequent rescan may be necessary for detection and cleaning of SYSMON.EXE.

If the above procedure is followed, modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed by cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Bizex.worm.dll
  • Worm.Win32.Bizex (AVP)
