I-Worm.Buzill

Discussion in 'malware problems & news' started by FanJ, Nov 13, 2002.

Thread Status:
Not open for further replies.
  1. FanJ
    Online

    FanJ Guest

    I-Worm.Buzill

    Buzill is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 30KB in length (there is also a known variant that is compressed by UPX, (the compressed size is about 16KB). The Buzill worm is written in Visual Basic.

    Infected messages have the following features:


    The Subject field is either empty or randomly selected from the following variants:


    Body text:

    Here is the file I told you about. Dont tell anybody.Shhhhhhhh ;)

    The Attachment file's name is randomly selected from the following variants:
    gresge.exe slfklsbsklf.exe hsldnlg.exe
    bsdkskshf.exe qewlwlef.exe qfdsdjl.exe
    nlddoe.exe vdngdg.exe fsdhhgdd.exe
    nfkrjhgr.exe lsjsdf.exe pqweopwrore.exe
    wrretert.exe pjlfdg.exe nnbvcncld.exe
    The worm activates from infected emails only if a user clicks on the attached file. If this action is taken the worm then installs itself to the system and runs its spreading routine and payload.

    Installing
    While installing the worm copies itself to the C:\ drive's root directory using a randomly selected name (please note the list of possible names for the file attachment above), and registers this file in the system registry auto-run key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    BuzzKill = %worm file name%

    Spreading
    To send infected messages the worm uses MS Outlook and sends infeceted messages to all the addresses found in the Outlook address book.


    Payload
    On February 14th the worm displays the message:

    IWorm.BuzzKill
    Happy Birthday Joshua!!
    and proceeds to delete all the files in the root directory of the C: drive.



    For more details please visit the Kaspersky Virus Encyclopedia at:
    http://www.viruslist.com/eng/viruslist.html?id=58003
Thread Status:
Not open for further replies.