W32/Bizex-A

Discussion in 'malware problems & news' started by Marianna, Feb 24, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Aliases
    W32/Bizex.worm, Worm.Win32.Bizex

    Type
    Win32 worm

    Description
    W32/Bizex-A is a worm which propagates over ICQ.
    The worm appears as an ICQ message prompting the user to visit a website hosted on www.jokeworld.com. The web page downloads a file to the user's computer as startup.wav and runs the file.
    Startup.wav contains a script which creates the file WinUpdate.exe in the startup folder. When Windows is next started WinUpdate.exe attempts to download a file named updater.exe to the Windows temp folder as aptgetupd.exe. Aptgetupd.exe is the main component of W32/Bizex-A. The worm copies itself to the sysmon subfolder of the Windows system folder as a file named sysmon.exe and adds the following registry entry to ensure that the worm is run each time Windows starts up:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysmon

    W32/Bizex-A also drops the following DLL files in the Windows system folder:
    icw_socket.dll, ICQ2003Decrypt.dll, java32.dll and javaext.dll.
    The DLL files are used to send ICQ messages to people on the infected user's contact list and to monitor user activity.

    W32/Bizex-A monitors user activity and logs keystrokes associated with the following windows:

    Acceso a Banca por Internet
    Accueil Bred.fr > Espace Bred.fr
    American Express UK - Personal Finance
    Banamex.com
    baNK
    Banque
    Banque en ligne
    Barclaycard Merchant Services
    Collegamento a Scrigno
    Commercial Electronic Office Sign On
    Credit Lyonnais interacti
    CyberMUT
    e-gold Account Access
    E*TRADE Log On
    Home Page Banca Intesa
    LloydsTSB online - Welcome
    Merchant Administration
    Page d'accueil
    Secure User Area
    SUNCORP METWAY
    Tous les produits et services
    VeriSign Partner Manager
    VeriSign Personal Trust Service
    Wells Fargo - Small Business Home Page

    Logged information is sent via FTP to a remote server.


    http://www.sophos.com/virusinfo/analyses/w32bizexa.html
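    The following is an added example, not code from Sophos or from this post: a small Python checker that takes a host inventory (the Run-key values and a list of file paths) and reports any of the W32/Bizex-A indicators named in the analysis above, i.e. the Run value "sysmon", sysmon\sysmon.exe under the system folder, the four dropped DLLs, WinUpdate.exe in the Startup folder and aptgetupd.exe in the temp folder. The inventory used here is constructed sample data; on a Windows host the collect_run_entries() helper reads the real Run key with winreg, and the file list would come from a directory walk of the system, Startup and temp folders.

```python
"""Check a host inventory for the W32/Bizex-A indicators listed in the post above.

Added example, not code from Sophos or the poster. The inventory passed in is
constructed below; on a Windows host collect_run_entries() reads the real Run key.
"""
import platform

# Indicators taken from the write-up above.
RUN_VALUE = "sysmon"                      # HKLM\...\CurrentVersion\Run\sysmon
DROPPED_DLLS = {"icw_socket.dll", "icq2003decrypt.dll", "java32.dll", "javaext.dll"}
SYSTEM_DIRS = {"system32", "system"}      # "Windows system folder" on NT / 9x
# Trailing path components that identify the dropped executables.
TAIL_INDICATORS = {
    ("sysmon", "sysmon.exe"): "worm copy in sysmon subfolder of the system folder",
    ("startup", "winupdate.exe"): "dropper stage in the Startup folder",
    ("temp", "aptgetupd.exe"): "downloaded main component in the temp folder",
}


def _parts(path):
    """Split a Windows or POSIX-style path into lower-cased components."""
    return [p.lower() for p in path.replace("/", "\\").split("\\") if p]


def find_indicators(run_entries, files):
    """run_entries: {value name: command} from the HKLM Run key.
    files: absolute paths present on the host.
    Returns a list of finding strings; an empty list means nothing matched."""
    findings = []
    for name, cmd in run_entries.items():
        if name.lower() == RUN_VALUE:
            findings.append(f"Run value '{name}' -> {cmd}")
    for path in files:
        parts = _parts(path)
        if len(parts) < 2:
            continue
        if parts[-1] in DROPPED_DLLS and parts[-2] in SYSTEM_DIRS:
            findings.append(f"dropped DLL in system folder: {path}")
        for tail, meaning in TAIL_INDICATORS.items():
            if tuple(parts[-len(tail):]) == tail:
                findings.append(f"{meaning}: {path}")
    return findings


def collect_run_entries():
    """On Windows, enumerate the real HKLM Run key with winreg; elsewhere return {}."""
    if platform.system() != "Windows":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:          # raised when no more values remain
                break
            entries[name] = value
            index += 1
    return entries


# Constructed inventory of an infected host (sample data, not a real capture).
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "sysmon": r"C:\WINDOWS\system32\sysmon\sysmon.exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\sysmon\sysmon.exe",
    r"C:\WINDOWS\system32\ICQ2003Decrypt.dll",
    r"C:\WINDOWS\system32\java32.dll",
    r"C:\WINDOWS\Temp\aptgetupd.exe",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\WinUpdate.exe",
    r"C:\Program Files\ICQ\icq.exe",
]

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_RUN, SAMPLE_FILES):
        print("FOUND:", line)
```

    The matches are deliberately tied to the full context the analysis gives (the Run value together with the sysmon subfolder, the DLLs only inside the system folder), because the bare name "sysmon" is not distinctive on its own: the later Sysinternals Sysmon tool installs as a service with its binary directly in the Windows folder, which this checker does not flag.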
     
  2. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Nice to see the AV people finally caught it.

    See http://www.wilderssecurity.com/showthread.php?t=22602;start=msg134802#msg134802

    and you will see that it was already spreading some 24 hours before that.
     