F-Secure Malware Information Pages: Worm:W32/Agent.BTZ

Main Index

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Centre » Descriptions

F-Secure Malware Information Pages: Worm:W32/Agent.BTZ

[Summary] \| [Details] \| [Additional Details]
Name :	Worm:W32/Agent.BTZ
Detection Names :	Worm:W32/Agent.BTZ Worm:W32/Agent.BTZ
Type:	Worm
Category:	Malware
Platform:	W32

Radar

Summary

Worm:W32/Agent.BTZ: Worms are computer programs that replicate independently by copying themselves to other systems.

Back to the Top

Details

File System Changes
Creates these files:

%windir%\system32\muxbde40.dll
%windir%\system32\winview.ocx
%temp%\6D73776D706461742E746C62FA.tmp
%windir%\system32\mswmpdat.tlb

Network Connections
Attempts to download files from:

http://worldnews.ath.cx/update/img0008/[REMOVED].jpg

Registry Modifications
Sets these values:

HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
(default) = Java.Runtime.52
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
(default) = C:\WINDOWS\system32\muxbde40.dll
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
ThreadingModel = Apartment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
UpdateCheck = {FBC38650-8B81-4BE2-B321-EEFF22D7DC62}

Creates these keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\

Back to the Top

Additional Details

Creates these files:

The files "winview.ocx" and "mswmpdat.tlb" holds the log of the files and their location that the malware has installed. The content of these file are encrypted.

The file "muxbde40.dll" is the malware itself with a different name.

Spreading function

The worm spreads by creating an AUTORUN.INF file to the root of each drive with the malicious .dll file.

The contents of the file are as follows:

[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1

Note: [RANDOM] represents a random name that the worm creates for the dll.

If the malware detects a new partition, or usb stick for example, it will get infected immediately.

The registry keys are used to make sure that the malware gets launched when the computer starts.

Back to the Top

F-Secure Corporation

Last Modified: June 26, 2008