Wilders Security Forums  

#1 Randy_Bell (Updates Team), January 14th, 2005, 05:24 PM

WORM_BUCHON.C

WORM_BUCHON.C mainly propagates via email. It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send email without using other email applications like Outlook Express. It obtains its target email recipients from an infected system, either by searching a user's inbox, or by parsing files with certain extension names. It then mass-mails copies of itself to all harvested email addresses. This worm is currently spreading in-the-wild, and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops the following files in the root directory (typically C:\):

* CSRSS.BIN - a log file used by this worm
* CSRSS.EXE - a component that serves as an HTTP proxy machine for downloading files from Web sites, and detected by Trend Micro as WORM_BUCHON.C

This worm also creates a registry entry that allows it to run at every Windows startup.

It obtains its target email recipients from an infected system, by searching an infected user's inbox, or by parsing files with the following extension names:

* DAT
* DBX
* EML
* MBX
* MDB
* TBB
* WAB

It also attempts to connect to specific DNS servers to locate its target email addresses. Using its own SMTP engine, it then mass-mails copies of itself to all harvested email addresses. The email message it sends contains the following details:

From: <Spoofed>
Subject: Mail Delivery failure - <Target user’s email address>
Message body:

If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.$HOST$/inbox/security/read.asp?sessionid-%d
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
Attachment:
• *.COM
• *.EXE
message txt<Spaces>length <malware size> bytes<Spaces>mcafee

(Note: The attachment is a copy of the worm. The asterisk (*) is a wildcard character representing zero or more characters, therefore *.* represents all files and folders, and *.SYS.

This worm disguises itself as the attached original message in a mail delivery failure notice, which may trick users into opening the file, thereby running this worm.

If you would like to scan your computer for WORM_BUCHON.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_BUCHON.C is detected and cleaned by Trend Micro pattern file 2.345.00 and above.
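
Added example, not part of the original post or of Trend Micro's advisory: a mail-gateway triage check that scores a raw message against the subject, body and attachment traits listed above. The names `triage` and `build_sample`, the two-marker threshold and all sample values (address, host, session id, size) are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits taken from the advisory text; matching is case-insensitive.
SUBJECT_PREFIX = "mail delivery failure - "
BODY_MARKERS = ("you can check original in attached message.txt",
                "/inbox/security/read.asp?sessionid-",
                "+++ attachment: no virus found")
EXEC_EXTENSIONS = (".com", ".exe")

def triage(raw: bytes) -> dict:
    """Report which advisory traits a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    hits = {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body_markers": [m for m in BODY_MARKERS if m in body],
        "exec_attachments": [n for n in names
                             if n.strip().lower().endswith(EXEC_EXTENSIONS)],
    }
    # Require independent traits to agree, so a genuine bounce that only
    # shares the subject line is not quarantined.
    hits["quarantine"] = bool(hits["subject"] and hits["exec_attachments"]
                              and len(hits["body_markers"]) >= 2)
    return hits

def build_sample(worm_like: bool) -> bytes:
    """Constructed test messages; address, host, id and size are made up."""
    m = EmailMessage()
    m["Subject"] = "Mail Delivery failure - user@example.test"
    if not worm_like:
        m.set_content("Your message could not be delivered: mailbox full.\n")
        return m.as_bytes()
    m.set_content(
        "If the message will not displayed automatically,\n"
        "you can check original in attached message.txt\n\n"
        "Failed message also saved at:\n"
        "www.example.test/inbox/security/read.asp?sessionid-12345\n"
        "(check attached instructions)\n\n"
        "+++ Attachment: No Virus found\n"
        "+++ MC-Afee AntiVirus - www.mcafee.com\n")
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream",
                     filename="message.txt  length 1234 bytes  mcafee.com")
    return m.as_bytes()
```

Calling `triage(build_sample(True))` sets `quarantine`, while the plain bounce from `build_sample(False)` matches only the subject and is left alone.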
 
