I-Worm.Buzill

I-Worm.Buzill

Buzill is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 30KB in length (there is also a known variant that is compressed by UPX, (the compressed size is about 16KB). The Buzill worm is written in Visual Basic.

Infected messages have the following features:


The Subject field is either empty or randomly selected from the following variants:


Body text:

Here is the file I told you about. Dont tell anybody.Shhhhhhhh

The Attachment file's name is randomly selected from the following variants:
gresge.exe slfklsbsklf.exe hsldnlg.exe
bsdkskshf.exe qewlwlef.exe qfdsdjl.exe
nlddoe.exe vdngdg.exe fsdhhgdd.exe
nfkrjhgr.exe lsjsdf.exe pqweopwrore.exe
wrretert.exe pjlfdg.exe nnbvcncld.exe
The worm activates from infected emails only if a user clicks on the attached file. If this action is taken the worm then installs itself to the system and runs its spreading routine and payload.

Installing
While installing the worm copies itself to the C:\ drive's root directory using a randomly selected name (please note the list of possible names for the file attachment above), and registers this file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BuzzKill = %worm file name%

Spreading
To send infected messages the worm uses MS Outlook and sends infeceted messages to all the addresses found in the Outlook address book.


Payload
On February 14th the worm displays the message:

IWorm.BuzzKill
Happy Birthday Joshua!!
and proceeds to delete all the files in the root directory of the C: drive.



For more details please visit the Kaspersky Virus Encyclopedia at:
http://www.viruslist.com/eng/viruslist.html?id=58003