W32/Bizex-A

Discussion in 'malware problems & news' started by Marianna, Feb 24, 2004.

  1. Marianna
    Aliases
    W32/Bizex.worm, Worm.Win32.Bizex

    Type
    Win32 worm

    Description
    W32/Bizex-A is a worm which propagates over ICQ.
    The worm appears as an ICQ message prompting the user to visit a website hosted on www.jokeworld.com. The web page downloads a file to the user's computer as startup.wav and runs the file.
    Startup.wav contains a script which creates the file WinUpdate.exe in the startup folder. When Windows is next started WinUpdate.exe attempts to download a file named updater.exe to the Windows temp folder as aptgetupd.exe. Aptgetupd.exe is the main component of W32/Bizex-A. The worm copies itself to the sysmon subfolder of the Windows system folder as a file named sysmon.exe and adds the following registry entry to ensure that the worm is run each time Windows starts up:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysmon

    W32/Bizex-A also drops the following DLL files in the Windows system folder:
    icw_socket.dll, ICQ2003Decrypt.dll, java32.dll and javaext.dll.
    The DLL files are used to send ICQ messages to people on the infected user's contact list and to monitor user activity.

    W32/Bizex-A monitors user activity and logs keystrokes associated with the following windows:

    Acceso a Banca por Internet
    Accueil Bred.fr > Espace Bred.fr
    American Express UK - Personal Finance
    Banamex.com
    baNK
    Banque
    Banque en ligne
    Barclaycard Merchant Services
    Collegamento a Scrigno
    Commercial Electronic Office Sign On
    Credit Lyonnais interacti
    CyberMUT
    e-gold Account Access
    E*TRADE Log On
    Home Page Banca Intesa
    LloydsTSB online - Welcome
    Merchant Administration
    Page d'accueil
    Secure User Area
    SUNCORP METWAY
    Tous les produits et services
    VeriSign Partner Manager
    VeriSign Personal Trust Service
    Wells Fargo - Small Business Home Page

    Logged information is sent via FTP to a remote server.


    http://www.sophos.com/virusinfo/analyses/w32bizexa.html
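    An added detection check (not part of the thread and not Sophos' code) that looks for the persistence and dropper artifacts listed above in data collected from a host. The folder placements in the path patterns are assumptions, since the description only names "system folder", "startup folder" and "temp folder", and the sample host data is constructed:

```python
import re
from typing import Dict, Iterable, List

# Artifact names from the Sophos description quoted above.
RUN_VALUE = "sysmon"  # value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DROPPED_DLLS = {"icw_socket.dll", "icq2003decrypt.dll", "java32.dll", "javaext.dll"}
# The page only says "system folder", "startup folder" and "temp folder", so
# the folder names in these patterns are assumptions, matched loosely.
FILE_PATTERNS = [
    ("main component in system\\sysmon", re.compile(r"[\\/]sysmon[\\/]sysmon\.exe$", re.I)),
    ("downloader in startup folder", re.compile(r"[\\/]startup[\\/]winupdate\.exe$", re.I)),
    ("downloaded worm body in temp", re.compile(r"[\\/]temp[\\/]aptgetupd\.exe$", re.I)),
]

def scan_host(run_values: Dict[str, str], files: Iterable[str]) -> List[str]:
    """Return findings for the Bizex-A indicators in the given host data."""
    findings: List[str] = []
    cmd = run_values.get(RUN_VALUE)
    if cmd is not None:
        # The value name alone is weak evidence (other software may use it);
        # a command launching sysmon\sysmon.exe matches the worm's own copy.
        if re.search(r"sysmon[\\/]sysmon\.exe", cmd, re.I):
            findings.append(f"Run value '{RUN_VALUE}' launches worm copy: {cmd}")
        else:
            findings.append(f"Run value '{RUN_VALUE}' present (review): {cmd}")
    seen_dlls = set()
    for path in files:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_DLLS:
            seen_dlls.add(name)
        for label, pattern in FILE_PATTERNS:
            if pattern.search(path):
                findings.append(f"{label}: {path}")
    if seen_dlls:
        findings.append("dropped DLLs: " + ", ".join(sorted(seen_dlls)))
    return findings

# Constructed sample host data for an infected machine (not a real capture).
SAMPLE_RUN = {"sysmon": r"C:\WINDOWS\system32\sysmon\sysmon.exe"}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\sysmon\sysmon.exe",
    r"C:\WINDOWS\system32\icw_socket.dll",
    r"C:\WINDOWS\system32\ICQ2003Decrypt.dll",
    r"C:\WINDOWS\Temp\aptgetupd.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```

    Collecting the Run values and file listings from a live machine (with winreg and os.walk, for instance) is left to the caller so the check itself runs offline.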
  2. JayK
    Nice to see the AV people finally caught it.

    See http://www.wilderssecurity.com/showthread.php?t=22602;start=msg134802#msg134802

    and you will see that it was already spreading some 24 hours before that.