Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Worm:W32/Agent.BTZ

[Summary] | [Details] | [Additional Details]

Name : Worm:W32/Agent.BTZ
Detection Names : Worm:W32/Agent.BTZ
Worm:W32/Agent.BTZ
Type:Worm
Category:Malware
Platform:W32
Radar

Summary
Worm:W32/Agent.BTZ: Worms are computer programs that replicate independently by copying themselves to other systems.
Back to the Top

Details


File System Changes
Creates these files:

  • %windir%\system32\muxbde40.dll
  • %windir%\system32\winview.ocx
  • %temp%\6D73776D706461742E746C62FA.tmp
  • %windir%\system32\mswmpdat.tlb



Network Connections
Attempts to download files from:

  • http://worldnews.ath.cx/update/img0008/[REMOVED].jpg



Registry Modifications
Sets these values:

  • HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
    (default) = Java.Runtime.52
  • HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
    (default) = C:\WINDOWS\system32\muxbde40.dll
  • HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
    ThreadingModel = Apartment
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    UpdateCheck = {FBC38650-8B81-4BE2-B321-EEFF22D7DC62}


Creates these keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg
  • HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
  • HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\


Back to the Top

Additional Details
Creates these files:

The files "winview.ocx" and "mswmpdat.tlb" holds the log of the files and their location that the malware has installed. The content of these file are encrypted.

The file "muxbde40.dll" is the malware itself with a different name.

Spreading function


The worm spreads by creating an AUTORUN.INF file to the root of each drive with the malicious .dll file.

The contents of the file are as follows:

[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1

Note: [RANDOM] represents a random name that the worm creates for the dll.

If the malware detects a new partition, or usb stick for example, it will get infected immediately.

The registry keys are used to make sure that the malware gets launched when the computer starts.
Back to the Top



F-Secure Corporation

Last Modified: June 26, 2008