Results 1 to 3 of 3

Thread: ya gotta give a guy credit for tryin

  1. #1
    Senior Member
    Join Date
    Jan 2002

    Talking ya gotta give a guy credit for tryin

    this is waaaay too funny...see you get this virus...and when it runs it hides all windows except for one...which tells you that you have a virus...and where to go to pay the virus writer to "register" the virus...

    you can register for small or full version...small is for "resolving current problem"...full is for resolving complex problem with FREE update"...

    ok...that may be the funniest thing i have ever seen ....

    hehe...great for a friday...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    I am a cracker
    Virus Name Risk Assessment
    W32/Bezilom.worm Low That bitch is bad !

    Yes I cut and paste!
    Virus Information
    Discovery Date: 02/21/2002
    Origin: Croatia
    Length: dropper - 143,360 bytes
    Type: Virus
    SubType: worm
    Minimum Dat: 4188
    Minimum Engine: 4.1.50
    DAT Release Date: 02/27/2002
    Description Added: 02/21/2002
    Description Modified: 02/22/2002 8:27 AM (PT)

    Description Menu
    Virus Characteristics
    Method Of Infection
    Removal Instructions
    Variants / Aliases
    Rate this page
    Print This Page

    Virus Characteristics
    At the time of writing, AVERT has only received a single field report of W32/Bezilom.worm.

    This worm (written in Visual Basic 6) arrives in the form of a dropper and is multi-component in nature. When executed the dropper displays a pornographic image (JPG), as well as installing and executing the other worm components:

    MARIA.DOC multiple spaces .EXE - Trojan to simulate infected machine
    MACROSOFTBT.EXE - fake anti-virus scanner
    When executed, MARIA.DOC.EXE copies itself to the root of C: with a random name (hidden file attribute set), and also to %windir% as MARIA.DOC .EXE. It overwrites AUTOEXEC.BAT with a single line pointing to C:\random name.exe. This process is repeated at each bootup, leading to an accumulation of copies of the worm. The following Registry key is set to ensure the worm is run at system startup:

    \CurrentVersion\Run "Startup" = %windir%\MARIA.DOC.EXE
    When the second component is run, it creates the (hidden) directory 'MacrosoftBL' in the 'Program Files' directory, and copies itself there (as MACROSOFTBL.EXE, hidden file attributes). The following Registry key is set to ensure the fake anti-virus scanner is executed at system startup:

    \CurrentVersion\Run "Macrosoft" = c:\program files\_
    Upon rebooting, both components are therefore active in memory. After a number of reboots (reproducibly 3 in testing), MARIA.DOC.EXE causes all launched windows to be hidden (except MacrosoftBL windows), in order to mimick a virus infection. The second component MacrosoftBL then triggers a virus infection:

    Following the link to registration details, a form detailing how to pay is displayed (certain details have been removed):

    This worm (and its dropper) is detected by the indicated DATs. The Registry hooks employed by the worm are removed, however manual removal of the following Registry keys is required:

    \CurrentVersion\Start "RegRes1" = 01, 00, 00, 00
    \CurrentVersion\Start "REGWord" = 01, 00, 00, 00
    Both these keys are added by the worm, and can be removed safely.

    Top of Page

    The presence of the following:

    %windir%\maria.doc many spaces .exe
    c:\program files\MacrosoftBL\MacrosoftBL.exe
    c:\<random name>.exe (28,672 bytes)
    the existence of a MacrosoftBL icon in the systray
    NB: the dropped files have the hidden file attribute set.

    Top of Page

    Method Of Infection
    The worm arrives in the form of a single executable file with a JPEG icon. It is in fact a dropper. When executed, in addition to a pornographic image being displayed, the two worm components are executed.

    Top of Page

    Removal Instructions
    All Users:
    Use specified engine and DAT files for detection and removal.
    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

    Disabling the Restore Utility

    1. Right click the My Computer icon on the Desktop.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
    12. After removing the desired files, restart the computer normally.
    NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.

    Top of Page

    Name Type Sub Type Differences

    Top of Page

    Win32.HLLW.Bezilom (AVP)

    Top of Page

  3. #3
    Now that's funny...the sad part is that if it ever gets beyond its current level of one infection, I'll lay odds that I'll have a client call up all upset that they paid their money and they are not fixed.

    Would love to play with that fix, think just maybe it's not clean?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts