Worm.Win32.Busan
Details
Worm.Win32.Busan
The Busan worm spreads through networks by copying itself to all accessible network resources. The worm is a Windows application (PE EXE file) that is compressed with UPX and is 14 KB in size. Its code is written in the C++ programming language.
When run, the worm sends a message via ICQ to the author's UIN, and then copies itself to the Windows directory under the name files32.sys. The Busan worm also copies a file named mh32.dll, which is a keyboard 'interceptor', to the Windows directory. Then the worm tries to copy itself under the name auto.exe to the following directories:
C:\WINDOWS\All Users\Start Menu\Program Files\StartUp
C:\WINDOWS\All Users\?’ ?-R? ?-Ï\?ÁR?Á Ì\??×R ?ÁÇ?
Because of a mistake in its code, it fails to copy itself to the above directories. Busan then probes IP addresses and copies itself to all accessible network resources.
Next the worm registers itself in the system registry key:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"
This entry causes the worm to be run anew each time any EXE-file is opened.
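The check below is an added example, not part of the original description: it reads a text export of the registry and reports whether the EXE open handler still holds the stock Windows value `"%1" %*` or has had a program inserted in front of it, as in the entry above. The function names and both sample exports are constructed for illustration.

```python
import re

# Stock Windows value for this key: run the opened EXE itself with its arguments.
EXPECTED = '"%1" %*'
WATCHED_KEY = r"hkey_classes_root\exefile\shell\open\command"

# Constructed samples in .reg export syntax, already decoded to text.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"
'''

def default_values(reg_text):
    """Map each key path (lower-cased) to its default (@) string value."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \" becomes " and \\ becomes \
            values[current] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return values

def check_exe_handler(reg_text):
    """Return (status, value); status is 'ok', 'hijacked' or 'missing'."""
    value = default_values(reg_text).get(WATCHED_KEY)
    if value is None:
        return ("missing", None)
    status = "ok" if value.strip() == EXPECTED else "hijacked"
    return (status, value)

def injected_program(value):
    """Return whatever was placed in front of "%1" in a handler value."""
    return value.split('"%1"')[0].strip()

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_EXPORT), ("infected", INFECTED_EXPORT)):
        status, value = check_exe_handler(text)
        print(name, status, value, injected_program(value or ""))
```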
While running, the worm collects all accessible names and passwords for the mailboxes registered in the system and stores them in the C:\WINDOWS\lmhost.log file. After this is done, Busan tries to send this file to the malefactor (the worm's master). The same file contains a complete record of the keystrokes captured by the keyboard interceptor, mh32.dll.
The Busan worm tries to download a file named worm31.bmp from an Internet website but cannot, as the page has since been removed.