Email-Worm.Win32.Burnox

Class Email-Worm
Platform Win32
Description

Technical Details

Burnox is a worm that spreads via the Internet as an attachment to infected emails and through the Kazaa file-sharing network. The worm also downloads a backdoor trojan from a Web site and installs it on the system.

The worm itself is a Windows PE EXE file about 4KB in size (when compressed by FSG; the decompressed size is about 20KB), written in Visual Basic.

Installing

While installing, the worm copies itself to the Windows system directory under the
“MicrosoftUpdate.com” name and registers this file in the system registry auto-run key:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run     Windows Update = %SystemDir%\MicrosoftUpdate.com

where %SystemDir% is the Windows system directory path.

The worm also creates a system registry value in which it keeps a counter:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion     Startup = %counter%

The %counter% is initially set to ‘1’ and is incremented on each worm start. Depending on this
counter the worm activates its spreading routines.

Spreading: EMail

To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the
Outlook address book.
Infected messages have the following field text:

 Subject:   Important: Microsoft Windows Patch For Xp,2k,ME,98,95.

 Body:      

   Microsoft just release this patch for all versions of Microsoft Windows.
   This update patches many of the recent vulnerabilities!
   It is recommended that you patch your operating system now. Though it is not required.

   *Please Note* This is not the actual Microsoft patch. The attached program is Microsoft Update

 Attach:    MicrosoftUpdate.com

The worm activates from an infected email only when the user opens the attached file. The
worm then installs itself on the system and runs its spreading routines.
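The message fields above are a stable, mail-gateway-visible indicator. The following is an added example, not code from the original description, showing how a defender could flag an inbound message that carries this lure using only the Python standard library; the sample message it builds is constructed for the demo, and the "any executable attachment" heuristic is an assumption of the example rather than something the description states.

```python
"""Added example: flag messages carrying the Burnox lure (subject and
attachment name quoted in the description). Sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description
BURNOX_SUBJECT = "Important: Microsoft Windows Patch For Xp,2k,ME,98,95."
BURNOX_ATTACHMENT = "microsoftupdate.com"
# Assumption of this example: any executable attachment is worth a second look
EXECUTABLE_EXTS = (".com", ".exe", ".pif", ".scr", ".bat")


def burnox_indicators(raw_message: str) -> list[str]:
    """Return the list of Burnox indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject == BURNOX_SUBJECT:
        hits.append("subject")
    # iter_attachments() yields every non-body part of a multipart message
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == BURNOX_ATTACHMENT:
            hits.append("attachment-name")
        elif name.endswith(EXECUTABLE_EXTS):
            hits.append("executable-attachment")
    return hits


def build_sample() -> str:
    """Construct a message with the lure's subject and attachment name (demo data)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "contact@example.com"
    msg["Subject"] = BURNOX_SUBJECT
    msg.set_content(
        "Microsoft just release this patch for all versions of Microsoft Windows.\n"
        "*Please Note* This is not the actual Microsoft patch."
    )
    # The attachment body is a harmless placeholder, not the worm
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="MicrosoftUpdate.com")
    return msg.as_string()


if __name__ == "__main__":
    print(burnox_indicators(build_sample()))
```

Matching on the exact subject is brittle against minor rewording, so in practice the attachment-name check carries more weight; both are kept here because the description fixes both values.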

Spreading: KaZaa

The worm creates a subdirectory named “system16” in the Windows system directory and copies
itself there under the following names:

   kmd.exe            Game Trainer.exe    Hacker.exe                         
   icq2003a.exe       Game.exe            Hacks.exe                          
   icq2003b.exe       App.exe             xbox Hacker.exe                    
   icq2003Final.exe   App Crack.exe       Ps2 Bios Emulation.exe             
   icq2002a.exe       Cracker.exe         xbox Bios Hack.exe                 
   icq2003a.exe       Games.exe           Burn ps2 Games To A Single CD-R.exe
   icq crack.exe      Games trainer.exe   Burn ps2.exe                       
   aim crack.exe      Trainer.exe         burn xbox.exe                      
   icq lite.exe       Cheat.exe           burn dreamcast.exe                 
   imeshv2.exe        Game Hack.exe   

The “system16” directory is then registered as a Kazaa file-sharing resource.
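The registry auto-run value, the Startup counter and the system16 drop names above are the host-side artifacts an analyst would look for. The following is an added example, not part of the original description, that triages evidence collected from a suspect host: a `reg export` fragment of the two CurrentVersion keys and a directory listing of system16. Both inputs are constructed sample data, and the small .reg parser handles only the `[key]` / `"name"="value"` lines that such an export contains.

```python
"""Added example: check collected host evidence for the Burnox persistence
entry, start counter and system16 drop names. Sample inputs are constructed."""
import re

# Constructed sample: fragment of `reg export` output from a suspect host
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Startup"="3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\system32\\MicrosoftUpdate.com"
"""

# Constructed sample: listing of %SystemDir%\system16 on the same host
SAMPLE_SYSTEM16 = ["kmd.exe", "Hacker.exe", "readme.txt", "xbox Bios Hack.exe"]

# Names the description says the worm drops into system16 (compared case-insensitively)
BURNOX_SHARE_NAMES = {n.lower() for n in [
    "kmd.exe", "icq2003a.exe", "icq2003b.exe", "icq2003Final.exe", "icq2002a.exe",
    "icq crack.exe", "aim crack.exe", "icq lite.exe", "imeshv2.exe",
    "Game Trainer.exe", "Game.exe", "App.exe", "App Crack.exe", "Cracker.exe",
    "Games.exe", "Games trainer.exe", "Trainer.exe", "Cheat.exe", "Game Hack.exe",
    "Hacker.exe", "Hacks.exe", "xbox Hacker.exe", "Ps2 Bios Emulation.exe",
    "xbox Bios Hack.exe", "Burn ps2 Games To A Single CD-R.exe", "Burn ps2.exe",
    "burn xbox.exe", "burn dreamcast.exe",
]}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers and "name"="value"."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys[current] = {}
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            # .reg files double backslashes inside REG_SZ values; undo that
            keys[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys


def burnox_host_indicators(reg_text: str, system16_listing: list[str]) -> dict:
    """Report which Burnox host indicators are present in the collected evidence."""
    reg = parse_reg_export(reg_text)
    run_value = reg.get(RUN_KEY, {}).get("Windows Update", "")
    counter = reg.get(VERSION_KEY, {}).get("Startup")
    dropped = sorted(n for n in system16_listing if n.lower() in BURNOX_SHARE_NAMES)
    return {
        "autorun": run_value.lower().endswith("\\microsoftupdate.com"),
        "counter": counter,          # None when the value is absent
        "dropped_files": dropped,
    }


if __name__ == "__main__":
    print(burnox_host_indicators(SAMPLE_REG, SAMPLE_SYSTEM16))
```

The counter value is reported rather than judged because the description does not state the threshold at which the worm starts spreading; a non-default value alongside the auto-run entry is enough to confirm the host has run the worm more than once.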

Installing the Backdoor Trojan

The worm downloads “Backdoor.Slackbot” from the http://www.wawater.com Web site, stores it
in the “c:\unxrt.exe” file and executes it.