WORM_BUCHON.C mainly propagates via email. It uses its own built-in Simple Mail Tranfer Protocol (SMTP) engine to send email without using other email applications like Outlook Express. It obtains its target email recipients from an infected system, either by searching a user's inbox, or by parsing files with certain extension names. It then mass-mails copies of itself to all harvested email addresses. This worm is currently spreading in-the-wild, and infecting systems running Windows 95, 98, ME, NT, 2000, and XP. Upon execution, this worm drops the following files in the root directory (typically C:\): * CSRSS.BIN - a log file used by this worm * CSRSS.EXE - a component that serves as an HTTP proxy machine for downloading files from Web sites, and detected by Trend Micro as WORM_BUCHON.C This worm also creates a registry entry that allows it to run at every Windows startup. It obtains its target email recipients from an infected system, by searching an infected user's inbox, or by parsing files with the following extension names: * DAT * DBX * EML * MBX * MDB * TBB * WAB It also attempts to connect to specific DNS servers to locate its target email addresses. Using its own SMTP engine, it then mass-mails copies of itself to all harvested email addresses. The email message it sends contains the following details: From: <Spoofed> Subject: Mail Delivery failure - <Target user’s email address> Message body: If the message will not displayed automatically, you can check original in attached message.txt Failed message also saved at: www.$HOST$/inbox/security/read.asp?sessionid-%d (check attached instructions) +++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com Attachment: • *.COM • *.EXE message txt<Spaces>length <malware size> bytes<Spaces>mcafee (Note: The attachment is a copy of the worm. The asterisk (*) is a wildcard character representing zero or more characters, therefore *.* represents all files and folders, and *.SYS. This worm disguises itself as the attached original message in a mail delivery failure notice, which may trick users into opening the file, thereby running this worm. If you would like to scan your computer for WORM_BUCHON.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/ WORM_BUCHON.C is detected and cleaned by Trend Micro pattern file 2.345.00 and above.