Burnox is a worm virus spreading via the Internet as an attachment in infected emails as well as spreading through
The worm itself is a Windows PE EXE file about 4KB in size(when compressed by FSG, the decompressed
While installing the worm copies itself to the Windows system directory with the
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun Windows Update = %SystemDir%MicrosoftUpdate.com
where %SystemDir% is the Windows System directory path.
The worm also creates a system registry key where it keeps its counter:
HKLMSOFTWAREMicrosoftWindowsCurrentVersion Startup = %counter%
the %counter% is set to ‘1’, and is increased with each each worm start. Depending on this
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the
Subject: Important: Microsoft Windows Patch For Xp,2k,ME,98,95. Body: Microsoft just release this patch for all versions of Microsoft Windows. This update patches many of the recent vulnerabilities! It is recommended that you patch your operating system now. Though it is not required. *Please Note* This is not the actual Microsoft patch. The attached program is Microsoft Update Attach: MicrosoftUpdate.com
The worm activates from infected emails only in case a user clicks on the attached file. The
The worm creates a subdirectory with the “system16” name in the Windows system directory and copies
kmd.exe Game Trainer.exe Hacker.exe icq2003a.exe Game.exe Hacks.exe icq2003b.exe App.exe xbox Hacker.exe icq2003Final.exe App Crack.exe Ps2 Bios Emulation.exe icq2002a.exe Cracker.exe xbox Bios Hack.exe icq2003a.exe Games.exe Burn ps2 Games To A Single CD-R.exe icq crack.exe Games trainer.exe Burn ps2.exe aim crack.exe Trainer.exe burn xbox.exe icq lite.exe Cheat.exe burn dreamcast.exe imeshv2.exe Game Hack.exe
The “system16” directory is then registered as Kazaa file sharing resource.
Installing the Backdoor Trojan
The worm downloads the “Backdoor.Slackbot” from the http://www.wawater.com Web site, stores it