Wilders Security Forums  

Old February 21st, 2002, 09:28 AM
FanJ
W32/Bezilom-A

Name: W32/Bezilom-A
Aliases: Win32.HLLW.Bezilom.dr
Type: Win32 worm
Date: 21 February 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Description:

W32/Bezilom-A is a worm which spreads by copying itself to floppy disks (if a floppy disk is present in the drive when the worm is active in memory).

The original sample was received as an executable file containing a scrap object file with three objects embedded in it: a JPG image file and two executable files.

When the executable file is run it drops and opens the scrap object file. This in turn opens the JPG and executes the two EXE files. The first EXE file is copied into the Windows folder with the filename Maria.doc.exe. The file attributes are set to hidden.

The worm then changes the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StartUp

so that this file runs on Windows startup.

The second EXE file creates a hidden directory C:\Program Files\MacroSoftBL and copies itself into that directory with the filename MacroSoftBL.exe. It then changes the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MacroSoft

so that this program runs on Windows startup.

When the machine is restarted both programs will therefore be active in memory.

Maria.doc.exe attempts to hide all launched windows so it appears that no programs can be launched. It also tries to copy itself to drive A:. It then copies itself to the root directory of drive C: with a random filename and overwrites C:\autoexec.bat with a version which attempts to run the randomly named file.

MacroSoftBL.exe pretends to be an anti-virus program which has detected a virus. The program displays several messages with instructions on where to send money to get a "full" version of the program so that the virus can be removed from the machine.


Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32beziloma.html
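The persistence described in the post (Run entries named StartUp and MacroSoft pointing at Maria.doc.exe and MacroSoftBL.exe, a hidden C:\Program Files\MacroSoftBL directory, and an autoexec.bat rewritten to launch a randomly named copy in the root of C:) can be checked offline from collected artefacts. The script below is an added example and is not part of the forum post or of Sophos's analysis. It assumes the artefacts have been exported to text (a `.reg` export of the Run key and the contents of autoexec.bat); the sample export, the `SystemTray` entry and the random filename `XQZPT.EXE` are constructed stand-ins, and a real `reg export` is UTF-16 and should be decoded before being passed in.

```python
"""Indicator check for the W32/Bezilom-A persistence described in the post.

The two sample inputs below are constructed to look like what you would
collect from a suspect machine; they are not real captures.
"""
import re

# Indicators taken from the Sophos description quoted on the page.
RUN_VALUE_NAMES = {"startup", "macrosoft"}
DROPPED_FILES = ("maria.doc.exe", "macrosoftbl.exe")
HIDDEN_DIR = r"c:\program files\macrosoftbl"

# Constructed sample: a `reg export` of the Run key, as .reg text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"StartUp"="C:\\WINDOWS\\Maria.doc.exe"
"MacroSoft"="C:\\Program Files\\MacroSoftBL\\MacroSoftBL.exe"
'''

# Constructed sample: an autoexec.bat rewritten to launch the random-named
# copy (XQZPT.EXE is an invented placeholder; the real name is random).
SAMPLE_AUTOEXEC = [
    "@ECHO OFF",
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "C:\\XQZPT.EXE",
]

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {value_name: command} for the Run key section of a .reg export."""
    values = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower().endswith(r"\currentversion\run]")
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            # .reg files escape backslashes as "\\"; undo that.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_bezilom_run_entries(reg_text):
    """Flag Run values whose name or target matches the worm's persistence."""
    hits = []
    for name, cmd in parse_run_values(reg_text).items():
        target = cmd.lower()
        if (name.lower() in RUN_VALUE_NAMES
                or target.endswith(DROPPED_FILES)
                or HIDDEN_DIR in target):
            hits.append((name, cmd))
    return hits


def find_root_launches(autoexec_lines, baseline=("command.com",)):
    """Flag autoexec.bat lines that run an executable from the root of C:.

    The worm's copy has a random name, so match the pattern (a bare
    C:\\NAME.EXE launched at boot) rather than a fixed filename. `baseline`
    lists root executables you expect to see and want ignored.
    """
    launch_re = re.compile(
        r'^\s*(?:call\s+)?(c:\\[^\\\s]+\.(?:exe|com|bat))\s*$', re.I)
    hits = []
    for line in autoexec_lines:
        m = launch_re.match(line)
        if m and not m.group(1).lower().endswith(baseline):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for name, cmd in find_bezilom_run_entries(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {cmd}")
    for exe in find_root_launches(SAMPLE_AUTOEXEC):
        print(f"autoexec.bat launches root executable {exe}")
```

The Run-key check matches on three independent signals (value name, dropped filename, hidden directory) so that a sample which changes one of them still trips the other two; the autoexec.bat check deliberately matches the shape of the launch line rather than a filename, because the post says the copy in C:\ is randomly named.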
