Name: W32/Bezilom-A
Aliases: Win32.HLLW.Bezilom.dr
Type: Win32 worm
Date: 21 February 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Description:

W32/Bezilom-A is a worm which spreads by copying itself to floppy disks (if a floppy disk is present in the drive when the worm is active in memory).

The original sample was received as an executable file containing a scrap object file with three objects embedded in it: a JPG image file and two executable files. When the executable file is run it drops and opens the scrap object file. This in turn opens the JPG and executes the two EXE files.

The first EXE file is copied into the Windows folder with the filename Maria.doc.exe. The file attributes are set to hidden. The worm then changes the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StartUp so that this file runs on Windows startup.

The second EXE file creates a hidden directory C:\Program Files\MacroSoftBL and copies itself into that directory with the filename MacroSoftBL.exe. It then changes the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MacroSoft so that this program runs on Windows startup.

When the machine is restarted both programs will therefore be active in memory.

Maria.doc.exe attempts to hide all launched windows so that it appears that no programs can be launched. It also tries to copy itself to drive A:. It then copies itself to the root directory of drive C: with a random filename and overwrites C:\autoexec.bat with a version which attempts to run the randomly named file.

MacroSoftBL.exe pretends to be an anti-virus program which has detected a virus. The program displays several messages with instructions on where to send money to get a "full" version of the program so that the virus can be removed from the machine.

Read the analysis at http://www.sophos.com/virusinfo/analyses/w32beziloma.html
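The persistence and drop locations above are fixed apart from the random root-of-C: filename, so an inventory check can look for them directly. The following is an added example, not Sophos code: it runs over already-collected host data (Run-key values, a file listing with attributes, and the text of autoexec.bat) and ties the randomly named file to the autoexec.bat line that launches it. The host inventories are constructed, and the Windows folder path is an assumed default.

```python
import ntpath
import re

# Indicator values taken from the description above.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUES = {"StartUp", "MacroSoft"}
DROP_DIR = r"c:\program files\macrosoftbl"

# A line of autoexec.bat that launches a program sitting directly in the root
# of drive C: (optionally via CALL or START). A normal autoexec.bat rarely does
# this, and the worm writes exactly such a line for its randomly named copy.
ROOT_LAUNCH = re.compile(r"^\s*@?(?:(?:call|start)\s+)?\"?(c:\\[^\\\s\"]+)\"?\s*$", re.I)


def check_host(run_values, files, autoexec_text, windows_dir=r"C:\Windows"):
    """Return the indicators found; an empty list means none matched.

    run_values    -- {value name: command} collected from the HKLM Run key
    files         -- [(path, attribute string)] from a file-system listing
    autoexec_text -- contents of C:\\autoexec.bat
    """
    findings = []
    for name, cmd in run_values.items():
        if name in SUSPECT_RUN_VALUES:
            findings.append(f"run value {name} -> {cmd}")
    maria = ntpath.join(windows_dir, "Maria.doc.exe").lower()
    listed = {path.lower() for path, _ in files}
    for path, attrs in files:
        low = path.lower()
        if low == maria or low.startswith(DROP_DIR + "\\"):
            findings.append(f"dropped file {path} (attrs={attrs})")
    for line in autoexec_text.splitlines():
        m = ROOT_LAUNCH.match(line)
        # Only report a root launch when the target actually exists on disk.
        if m and m.group(1).lower() in listed:
            findings.append(f"autoexec.bat launches root file {m.group(1)}")
    return findings


# Constructed sample inventories (not real captures); the root filename is invented.
CLEAN_HOST = dict(
    run_values={"SystemTray": r"C:\Windows\System\systray.exe"},
    files=[(r"C:\Windows\Explorer.exe", "A")],
    autoexec_text="@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n",
)
INFECTED_HOST = dict(
    run_values={"StartUp": r"C:\Windows\Maria.doc.exe",
                "MacroSoft": r"C:\Program Files\MacroSoftBL\MacroSoftBL.exe"},
    files=[(r"C:\Windows\Maria.doc.exe", "H"),
           (r"C:\Program Files\MacroSoftBL\MacroSoftBL.exe", "H"),
           (r"C:\qx7f2k.exe", "A")],
    autoexec_text="@ECHO OFF\r\nC:\\qx7f2k.exe\r\n",
)

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, check_host(**host) or "no indicators")
```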