-
February 23rd, 2002, 12:26 AM
#1
-
February 23rd, 2002, 12:43 AM
#2
Virus Name: W32/Bezilom.worm
Risk Assessment: Low
That bitch is bad!
Yes, I cut and paste!
Virus Information
Discovery Date: 02/21/2002
Origin: Croatia
Length: dropper - 143,360 bytes
Type: Virus
SubType: worm
Minimum Dat: 4188
Minimum Engine: 4.1.50
DAT Release Date: 02/27/2002
Description Added: 02/21/2002
Description Modified: 02/22/2002 8:27 AM (PT)
Virus Characteristics
At the time of writing, AVERT has only received a single field report of W32/Bezilom.worm.
This worm (written in Visual Basic 6) arrives in the form of a dropper and is multi-component in nature. When executed the dropper displays a pornographic image (JPG), as well as installing and executing the other worm components:
MARIA.DOC<multiple spaces>.EXE - Trojan to simulate an infected machine
MACROSOFTBL.EXE - fake anti-virus scanner
When executed, MARIA.DOC.EXE copies itself to the root of C: with a random name (hidden file attribute set), and also to %windir% as MARIA.DOC<multiple spaces>.EXE. It overwrites AUTOEXEC.BAT with a single line pointing to C:\<random name>.exe. This process is repeated at each bootup, leading to an accumulation of copies of the worm. The following Registry key is set to ensure the worm is run at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Startup" = %windir%\MARIA.DOC.EXE
When the second component is run, it creates the (hidden) directory 'MacrosoftBL' in the 'Program Files' directory, and copies itself there (as MACROSOFTBL.EXE, hidden file attribute set). The following Registry key is set to ensure the fake anti-virus scanner is executed at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Macrosoft" = c:\program files\MacrosoftBL\MACROSOFTBL.EXE
Upon rebooting, both components are therefore active in memory. After a number of reboots (reproducibly 3 in testing), MARIA.DOC.EXE causes all launched windows to be hidden (except MacrosoftBL windows), in order to mimic a virus infection. The second component MacrosoftBL then triggers a virus infection:
Following the link to registration details, a form detailing how to pay is displayed (certain details have been removed):
This worm (and its dropper) is detected by the indicated DATs. The Registry hooks employed by the worm are removed; however, manual removal of the following Registry keys is required:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Start "RegRes1" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Start "REGWord" = 01, 00, 00, 00
Both these keys are added by the worm, and can be removed safely.
Symptoms
The presence of the following:
- %windir%\MARIA.DOC<many spaces>.EXE
- c:\program files\MacrosoftBL\MacrosoftBL.exe
- c:\<random name>.exe (28,672 bytes)
- a MacrosoftBL icon in the systray
NB: the dropped files have the hidden file attribute set.
Method Of Infection
The worm arrives in the form of a single executable file with a JPEG icon. It is in fact a dropper. When executed, in addition to a pornographic image being displayed, the two worm components are executed.
Removal Instructions
All Users:
Use specified engine and DAT files for detection and removal.
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
Variants
None listed.
Aliases
Win32.HLLW.Bezilom (AVP)
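An offline check for the indicators the writeup above lists, added here as an example; it is not part of the original post and not AVERT's or McAfee's code. It parses a .reg export of the Run and Start keys, the contents of AUTOEXEC.BAT and a listing of the root of C:, and reports which of the Bezilom artifacts are present. The sample registry export, the random file name KXQWP.EXE, the root listing and the function names are all constructed for the example. The padded double-extension check is generalised beyond MARIA.DOC to other decoy extensions (.txt, .jpg, .gif), since the trick does not depend on the decoy name.

```python
"""Offline check for the W32/Bezilom.worm artifacts listed in the writeup above.

Inputs are what you would pull off a suspect machine: a .reg export of the
Run and Start keys, the contents of C:\\AUTOEXEC.BAT, and a listing of the
root of C:.  Every sample input below is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
START_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Start"

# A document/image-looking name, a run of spaces to push the real extension
# out of view, then .exe.  Generalised beyond MARIA.DOC to other decoy types.
PADDED_DOUBLE_EXT = re.compile(r"\.(doc|txt|jpe?g|gif)\s{2,}\.exe$", re.IGNORECASE)
# AUTOEXEC.BAT overwritten with a single line launching <drive>:\<name>.exe
ROOT_EXE_LAUNCHER = re.compile(r"^[a-z]:\\[^\\\s]+\.exe\s*$", re.IGNORECASE)
DROPPED_COPY_SIZE = 28672  # size of c:\<random name>.exe per the writeup


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ, hex, dword)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip().strip('"')
        if data.startswith('"'):            # REG_SZ: backslashes are doubled in exports
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
        elif data.startswith("hex:"):       # REG_BINARY: comma-separated hex bytes
            keys[current][name] = bytes(int(b, 16) for b in data[4:].split(",") if b)
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def check_indicators(reg: Dict[str, Dict[str, object]], autoexec: str,
                     root_listing: List[Tuple[str, int, bool]]) -> List[str]:
    """Return the Bezilom indicators present; an empty list means none were seen.

    root_listing entries are (path, size_in_bytes, hidden_attribute_set).
    """
    hits: List[str] = []
    run = reg.get(RUN_KEY, {})
    startup = str(run.get("Startup", ""))
    if PADDED_DOUBLE_EXT.search(startup):
        hits.append(f"Run\\Startup launches padded double-extension file: {startup!r}")
    macrosoft = str(run.get("Macrosoft", ""))
    if "macrosoftbl" in macrosoft.lower():
        hits.append(f"Run\\Macrosoft launches fake scanner: {macrosoft}")
    start = reg.get(START_KEY, {})
    for name in ("RegRes1", "REGWord"):      # the two values the DATs leave behind
        if start.get(name) == b"\x01\x00\x00\x00":
            hits.append(f"Start\\{name} marker present (manual removal needed)")
    lines = [l.strip() for l in autoexec.splitlines() if l.strip()]
    if len(lines) == 1 and ROOT_EXE_LAUNCHER.match(lines[0]):
        hits.append(f"AUTOEXEC.BAT reduced to a single launcher line: {lines[0]}")
    for path, size, hidden in root_listing:
        in_root = path.count("\\") == 1
        if hidden and in_root and size == DROPPED_COPY_SIZE and path.lower().endswith(".exe"):
            hits.append(f"Hidden {DROPPED_COPY_SIZE}-byte executable in root: {path}")
    return hits


# Constructed sample inputs mirroring the writeup; KXQWP.EXE is a made-up random name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup"="C:\\WINDOWS\\MARIA.DOC                        .EXE"
"Macrosoft"="c:\\program files\\MacrosoftBL\\MACROSOFTBL.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Start]
"RegRes1"=hex:01,00,00,00
"REGWord"=hex:01,00,00,00
'''
SAMPLE_AUTOEXEC = "C:\\KXQWP.EXE\r\n"
SAMPLE_ROOT = [("C:\\KXQWP.EXE", 28672, True),
               ("C:\\AUTOEXEC.BAT", 14, False),
               ("C:\\COMMAND.COM", 93880, False)]


def run_sample() -> List[str]:
    """Run the check over the constructed inputs."""
    return check_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_AUTOEXEC, SAMPLE_ROOT)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The Start-key values are checked separately because, as the writeup says, the DATs remove the Run hooks but leave RegRes1 and REGWord behind; a clean result from the scanner does not mean those are gone.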
-
February 23rd, 2002, 01:53 AM
#3
Now that's funny... the sad part is that if it ever gets beyond its current level of one infection, I'll lay odds that I'll have a client call up all upset that they paid their money and they are not fixed.
Would love to play with that fix, think just maybe it's not clean?