McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Buchon.c!keylog (dropped trojan)

Characteristics

This mass-mailing worm bears the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests target email addresses from the victim machine
• spoofs the From: address
• drops a trojan (keylogging and proxy) to the victim machine

Mail Propagation

The worm harvests target email addresses from files on the victim machine with the following extensions:

• .dbx
• .wab
• .mbx
• .eml
• .mdb
• .tbb
• .txt
• .html
• .htm
• .doc
• .rtf
• .cgi
• .php
• .asp
• inbox
• .dat

Outgoing messagees are constructed as follows:

From: Spoofed

Subject: Mail Delivery failure - (insert target email address)

Message Body:
If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.(insert server name)/inbox/security/read.asp?
sessionid-(random number)
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

Attachment: Copy of the worm with the following filename:

• message txt (many spaces) length (random number) bytes (many spaces) mcafee.com

Symptoms

• outgoing messages matching the characteristics described above
• existence of the files and Registry key described below

Method of Infection

The worm does not install itself on the victim machine. Instead it drops and installs a trojan (keylogging and proxy). The trojan is dropped as CSRSS.EXE in the root of C:, for example:

• C:\CSRSS.EXE

The following Registry key is added to run the trojan at system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
  \Run "Windowsupdate Service" = C:\CSRSS.EXE

Dropped Trojan

The trojan writes logged data to a file CSRSS.BIN, also in the root of C:

• C:\CSRSS.BIN

The trojan also looks to provide a proxy on the victim machine (HTTP). This is currently under investigation.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Buchon.c!keylog (dropped trojan)

Characteristics

Characteristics -

This mass-mailing worm bears the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests target email addresses from the victim machine
• spoofs the From: address
• drops a trojan (keylogging and proxy) to the victim machine

Mail Propagation

The worm harvests target email addresses from files on the victim machine with the following extensions:

• .dbx
• .wab
• .mbx
• .eml
• .mdb
• .tbb
• .txt
• .html
• .htm
• .doc
• .rtf
• .cgi
• .php
• .asp
• inbox
• .dat

Outgoing messagees are constructed as follows:

From: Spoofed

Subject: Mail Delivery failure - (insert target email address)

Message Body:
If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.(insert server name)/inbox/security/read.asp?
sessionid-(random number)
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

Attachment: Copy of the worm with the following filename:

• message txt (many spaces) length (random number) bytes (many spaces) mcafee.com

Symptoms

Symptoms -

• outgoing messages matching the characteristics described above
• existence of the files and Registry key described below

Method of Infection

Method of Infection -

The worm does not install itself on the victim machine. Instead it drops and installs a trojan (keylogging and proxy). The trojan is dropped as CSRSS.EXE in the root of C:, for example:

• C:\CSRSS.EXE

The following Registry key is added to run the trojan at system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
  \Run "Windowsupdate Service" = C:\CSRSS.EXE

Dropped Trojan

The trojan writes logged data to a file CSRSS.BIN, also in the root of C:

• C:\CSRSS.BIN

The trojan also looks to provide a proxy on the victim machine (HTTP). This is currently under investigation.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A