F-Secure
Tools
Worm:W32/Agent.BTZ
Summary
Worm:W32/Agent.BTZ: Worms are computer programs that replicate independently by copying themselves to other systems.
Details
File System Changes
Creates these files:
- %windir%\system32\muxbde40.dll
- %windir%\system32\winview.ocx
- %temp%\6D73776D706461742E746C62FA.tmp
- %windir%\system32\mswmpdat.tlb
Network Connections
Attempts to download files from:
- http://worldnews.ath.cx/update/img0008/[REMOVED].jpg
Registry Modifications
Sets these values:
- HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
(default) = Java.Runtime.52 - HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
(default) = C:\WINDOWS\system32\muxbde40.dll - HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
ThreadingModel = Apartment - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
UpdateCheck = {FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
Creates these keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg
- HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
- HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
Additional Details
Creates these files:
The files "winview.ocx" and "mswmpdat.tlb" holds the log of the files and their location that the malware has installed. The content of these file are encrypted.
The file "muxbde40.dll" is the malware itself with a different name.
Spreading function
The worm spreads by creating an AUTORUN.INF file to the root of each drive with the malicious .dll file.
The contents of the file are as follows:
Note: [RANDOM] represents a random name that the worm creates for the dll.
If the malware detects a new partition, or usb stick for example, it will get infected immediately.
The registry keys are used to make sure that the malware gets launched when the computer starts.
The files "winview.ocx" and "mswmpdat.tlb" holds the log of the files and their location that the malware has installed. The content of these file are encrypted.
The file "muxbde40.dll" is the malware itself with a different name.
Spreading function
The worm spreads by creating an AUTORUN.INF file to the root of each drive with the malicious .dll file.
The contents of the file are as follows:
[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1
Note: [RANDOM] represents a random name that the worm creates for the dll.
If the malware detects a new partition, or usb stick for example, it will get infected immediately.
The registry keys are used to make sure that the malware gets launched when the computer starts.