W32/Buchon.c@MM

Type
Virus
SubType
E-mail worm
Discovery Date
01/12/2005
Length
37,408 bytes (UPX)
14,848 bytes (UPX, keylogger)
Minimum DAT
4420 (01/19/2005)
Updated DAT
4900 (11/20/2006)
Minimum Engine
5.1.00
Description Added
01/12/2005
Description Modified
01/12/2005 9:52 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This mass-mailing worm bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests target email addresses from the victim machine
  • spoofs the From: address
  • drops a trojan (keylogging and proxy) to the victim machine

Mail Propagation

The worm harvests target email addresses from files on the victim machine with the following extensions:

  • .dbx
  • .wab
  • .mbx
  • .eml
  • .mdb
  • .tbb
  • .txt
  • .html
  • .htm
  • .doc
  • .rtf
  • .cgi
  • .php
  • .asp
  • inbox
  • .dat

Outgoing messages are constructed as follows:

From: Spoofed

Subject: Mail Delivery failure - (insert target email address)

Message Body:
If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.(insert server name)/inbox/security/read.asp?
sessionid-(random number)
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

Attachment: Copy of the worm with the following filename:

  • message txt (many spaces) length (random number) bytes (many spaces) mcafee.com
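
The lure can be matched directly from the message fields listed above. The following Python check is an added example written for this page, not McAfee's code or any product signature: it parses a raw message and reports which of the subject, body and attachment-name indicators are present. The sample message it carries is constructed from the template above (the example.net/example.org addresses, the session id and the attachment byte count are placeholders, and the attachment is an inert string). The long runs of spaces in the attachment name are the usual trick of pushing the tail of the filename out of view in the mail client, so they are treated as an indicator in their own right. Whether From: is spoofed cannot be judged from the message alone and is not checked.

```python
"""Triage check for the Buchon.c bounce-message lure.

Added example, not McAfee's code: it tests a raw RFC 822 message against the
subject, body and attachment-name patterns described on this page.
"""
import email
import re
from email.message import Message

# Subject: "Mail Delivery failure - <target address>"
SUBJECT_RE = re.compile(r"^mail delivery failure - \S+@\S+", re.IGNORECASE)
# Body phrases from the lure text; compared after whitespace normalisation.
BODY_PHRASES = {
    "body:attached-message-txt": "you can check original in attached message.txt",
    "body:read-asp-link": "/inbox/security/read.asp?",
    "body:fake-av-stamp": "+++ attachment: no virus found",
}
# The attachment name pads "message txt ... mcafee.com" with long runs of spaces
# so that the tail of the name scrolls out of view in the mail client.
PADDED_NAME_RE = re.compile(r"\s{8,}")
NAME_MARKERS = ("message txt", "length", "bytes", "mcafee.com")

# Constructed sample (not a real capture); addresses, session id and byte count
# are placeholders and the attachment body is an inert string, not the worm.
SAMPLE_EML = """\
From: postmaster@example.net
To: victim@example.org
Subject: Mail Delivery failure - victim@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.example.net/inbox/security/read.asp?sessionid-48213
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message txt                length 37408 bytes                mcafee.com"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""


def _body_text(msg: Message) -> str:
    """Text of the non-attachment text/plain parts, lower-cased, whitespace collapsed."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    return " ".join(" ".join(chunks).split()).lower()


def buchon_indicators(raw_message: str) -> list:
    """Names of the lure indicators found in a raw message (empty list if none)."""
    msg = email.message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject:bounce-lure")
    body = _body_text(msg)
    hits.extend(label for label, phrase in BODY_PHRASES.items() if phrase in body)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if PADDED_NAME_RE.search(name):
            hits.append("attachment:padded-filename")
        if all(marker in name.lower() for marker in NAME_MARKERS):
            hits.append("attachment:buchon-name-pattern")
    return hits


if __name__ == "__main__":
    print(buchon_indicators(SAMPLE_EML))
```

A real bounce from a mail server matches only the subject pattern, so a single hit is not enough on its own; the combination of the body phrases with a whitespace-padded attachment name is what separates this lure from a genuine delivery failure.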

Symptoms

  • outgoing messages matching the characteristics described above
  • existence of the files and Registry key described below

Method of Infection

The worm does not install itself on the victim machine. Instead it drops and installs a trojan (keylogging and proxy). The trojan is dropped as CSRSS.EXE in the root of C:. The name mimics the legitimate Windows Client/Server Runtime Subsystem process, which resides in %SystemRoot%\System32 and is never found in the drive root:

  • C:\CSRSS.EXE

The following Registry value is added under the HKEY_CURRENT_USER Run key so that the trojan is launched at each logon of the infected user:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windowsupdate Service" = C:\CSRSS.EXE

Dropped Trojan

The trojan writes logged data to a file CSRSS.BIN, also in the root of C:

  • C:\CSRSS.BIN

The trojan also appears to provide an HTTP proxy on the victim machine. This is currently under investigation.
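
The Registry value and file paths above are exact, so they can be hunted from a `reg export` of the Run key or from a collected hive. The script below is an added example written for this page, not McAfee's code: it parses the text form of a .reg export, flags the value the page describes and, going slightly beyond the page, also flags any Run or RunOnce value (HKCU or HKLM) that launches a file named csrss.exe, since the legitimate csrss.exe is started by the session manager and never appears in a Run key. The export embedded in it is constructed; the MSMSGS and ctfmon entries are benign filler.

```python
"""Hunt for the Buchon.c persistence entry in a .reg export.

Added example, not McAfee's code: it parses the text that `reg export`
writes for a Run key and flags the value this page describes, plus the
general case of any Run/RunOnce value that launches a file called csrss.exe.
"""
import ntpath
import re

# Any Run or RunOnce key, under HKCU or HKLM (the page lists only the HKCU value).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# '"name"="data"' lines in a .reg export; quotes and backslashes are escaped with '\'.
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")

# Constructed .reg export (sample data, not a real capture). The first value is
# the indicator from this page; the other two are benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windowsupdate Service"="C:\\CSRSS.EXE"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''


def _unescape(reg_string: str) -> str:
    # Undo .reg escaping: a backslash escapes the character that follows it.
    return re.sub(r"\\(.)", r"\1", reg_string)


def _exe_from_command(cmd: str) -> str:
    """Executable path from a Run command line: quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def iter_run_values(reg_text: str):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    current_key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not RUN_KEY_RE.search(current_key):
            continue
        match = VALUE_LINE_RE.match(line)
        if not match or not match.group(2).startswith('"'):
            continue  # only REG_SZ values carry a command line
        name = _unescape(match.group(1))
        command = _unescape(match.group(2)[1:-1])
        yield current_key, name, command


def find_suspicious_run_values(reg_text: str) -> list:
    """Flag Run values matching this page's indicator or launching csrss.exe."""
    findings = []
    for key, name, command in iter_run_values(reg_text):
        exe = _exe_from_command(command)
        base, folder = ntpath.basename(exe).lower(), ntpath.dirname(exe)
        reasons = []
        if base == "csrss.exe":
            # The real csrss.exe is started by smss.exe, never from a Run key.
            reasons.append("csrss.exe-launched-from-run-key")
        if DRIVE_ROOT_RE.match(folder):
            reasons.append("executable-in-drive-root")
        if name.lower() == "windowsupdate service" and exe.lower() == r"c:\csrss.exe":
            reasons.append("buchon-c-persistence-value")
        if not reasons:
            continue
        also_check = [exe]
        if "buchon-c-persistence-value" in reasons:
            also_check.append(r"C:\CSRSS.BIN")  # keylog output file named on this page
        findings.append({"key": key, "name": name, "exe": exe,
                         "reasons": reasons, "also_check": also_check})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_run_values(SAMPLE_REG):
        print(finding)
```

Regedit writes exports as UTF-16LE, so open the file with `encoding="utf-16"` before passing its text in. Unquoted command lines containing spaces are cut at the first space by `_exe_from_command`; that is the same ambiguity Windows itself resolves at launch time, and a path like C:\CSRSS.EXE is unaffected.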

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Buchon.c!keylog (dropped trojan)
