BugTraq
Fw: [Unpatched] The Bizex worm Feb 25 2004 03:11AM
Thor Larholm (thor pivx com)
We have all talked about how most viruses and worms that actually spread
in the wild could have been written so much better by any one of us. I
guess someone stepped forward and took the bait.

Everything indicates that Bizex is a worm which was created as a hired
job. It's primary purpose was to collect banking information and create
an armie of zombie machines. To accomplish this, it exploited a range of
vulnerabilities, the latest of which was published as recently as
February 19th on the Bugtraq mailing list.

The antivirus companies are finally starting to update their signatures,
hours after Bizex has already infected between 50.000 and 100.000
machines (Kaspersky). Luckily, the main distribution sites have now been
shut down which has halted the spread but left us with an armie of
zombie machines waiting for new instructions on port 1534.

New variants of Bizex are expected in the near future.

Locking down the My Computer zone prevented Bizex from infecting a
Windows system, a feature which is implemented as a demonstratory fix in
the currently available Qwik-Fix beta ( www.qwik-fix.net ) and which
Microsoft is also implementing in the upcomming Windows XP Service Pack
2, slated for release around June.

More information about Bizex can be found at

http://www.kaspersky.com/news.html?id=4277566
http://www.viruslist.com/eng/viruslist.html?id=1029528
http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.h

tml
http://www.sophos.com/virusinfo/analyses/w32bizexa.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101044

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor (at) pivx (dot) com [email concealed]
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>

-----Original Message-----
From: Thor Larholm
Sent: Tuesday, February 24, 2004 5:31 PM
To: Thor Larholm
Subject: [Unpatched] The Bizex worm

Dear Unpatched subscriber,

Today a new worm was discovered in the wild, called Bizex. Employing a
multilayered attack, spread and infection approach it spreads through
several vulnerabilities and exploits in multiple technologies such as
email attachments, ICQ instant messaging and HTTP web pages. Some of
these vulnerabilities are without patches from the vendor, raising the
level of potential damage.

Kaspersky is currently labelling this a global epidemic with more than
50.000 infections just among ICQ users.

Likewise, implementing multiple layers of defense can help mitigate the
threat posed by multilayered worms such as Bizek. The currently
available BETA version of Qwik-Fix completely protects against the Bizek
worm by mitigating the impact of several vulnerabilities it relies on.
You can download Qwik-Fix at

http://www.qwik-fix.net/

Symantec has labelled this worm W32.Bizex.worm, but has not yet
published any details about it.

http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.h

tml

PivX Solutions are currently researching the potential impact of Bizex
as well as its data gathering intentions. Some of the vulnerabilities
this worm is exploiting in its effort to spread are:

Microsoft Java virtual machine class loader
ICQ SCM local file planting
Microsoft Help CHM vulnerabilities
ADODB Stream
Internet Explorer Shell Folders

Interestingly, the shell folder vulnerability was only recently
categorized as being a serious threat on February 19 in a post to the
Bugtraq mailing list. This once again demonstrates how malicious
criminals are more rapidly exploiting vulnerabilities as they are being
announced.

Our initial analysis has shown that this worm is trying to collect
credit card details from unsuspecting users, masquerading itself as a
statement from banks and online trading sites, such as Wells Fargo,
E*TRADE, American Express, e-gold, Verisign and LLoydsTSB.

It has been linked to websites that are anonymously registered to
russian individuals, is appareantly created using Microsoft Visual
Studio and installs a backdoor on compromised machines to be used by
professional spammers.

Kaspersky has released more details at

http://www.kaspersky.com/news.html?id=4277566

We will keep you updated as more information is uncovered.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor (at) pivx (dot) com [email concealed]
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus