Threat Description



Category: Malware
Type: Worm
Platform: W32
Aliases: Bizex, Worm.Win32.Bizex, W32.Bizex.Worm, Java/Bizex.A


Bizex is a multi-component ICQ worm that spreads itself by sending an instant message with a link to a website that contains files with exploits. The main component of the worm also has spying and data stealing capabilities.

The web page where the Bizex file was located is no longer available.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The Bizex worm spreads by sending an HTTP link to all ICQ contacts of an infected user. When a recipient clicks the link, he/she is redirected to a website hosting an HTML page with an IFrame exploit. This exploit allows automatic execution of target files when the Internet Explorer web browser is used. The HTML page tries to auto-execute these 2 files:

meine.scm
user_bx.html

The MEINE.SCM file is downloaded from the same site, and the USER_BX.HTML file is downloaded from a different website. The USER_BX.HTML file downloads and tries to execute the Java trojan downloader nocheat.jar (detected as Java/Bizex.A).

Java/Bizex.A is used for downloading and executing two Windows binaries, and for informing the server from which user_bx.html was downloaded whether the operation was successful, including the user's browser and user agent version information. Java/Bizex.A tries to execute these 2 files:

fgc32.exe
fgc64.exe

The MEINE.SCM file is an ICQ sound scheme file that is dropped into a \Sounds subfolder of the main ICQ directory. This sound scheme file contains a CHM archive inside its body. The CHM archive is then activated by the web page, and it drops and opens a file called IEF*CKER.HTM.

This file contains Visual Basic Script code that drops a file named WinUpdate.exe. This binary is a trojan downloader. Depending on the Windows version, the script saves the trojan downloader in one of the following folders:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe
c:\windows\Start Menu\Programs\Startup\WinUpdate.exe

By placing WinUpdate.exe in the Startup folder, the script makes sure that the trojan downloader is run during the next Windows restart.

When it is activated, the trojan downloader copies itself to a temporary folder as ALSDFKJ.EXE and then downloads and activates the worm's main component as APTGETUPD.EXE. This file is also downloaded to a temporary folder.

The worm's main component is a PE executable, 86528 bytes long, packed with the PECompact file compressor. When it is run, it deletes its file from the temporary folder, creates a SYSMON subfolder in the Windows System folder and copies itself there under the name SYSMON.EXE. It also drops 4 files from its body into the Windows System folder:

ICQ2003Decrypt.dll
icq_socket.dll
javaext.dll
java32.dll

Additionally, the XTEMPX.$ file is created in the Windows System folder. Two of the dropped DLL files allow the worm to spread via ICQ; the other two are used to spy on the infected user. The worm creates a startup key for its file in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sysmon" = "%winsysdir%\sysmon.exe"

where %winsysdir% represents the Windows System folder name. It should be noted that this Registry key can only be seen when Windows is started in Safe Mode, as the worm uses stealth techniques to hide its Registry key.

The worm steals information from users of the following on-line services:

SUNCORP METWAY
VeriSign Partner Manager
VeriSign Personal Trust Service
Commercial Electronic Office Sign On
Wells Fargo - Small Business Home Page
Merchant Administration
American Express UK - Personal Finance
Secure User Area
Barclaycard Merchant Services
Collegamento a Scrigno
Home Page Banca Intesa
Banque
Tous les produits et services
Banque en ligne
CyberMUT
Credit Lyonnais interacti
Accueil > Espace
Page d'accueil
E*TRADE Log On
LloydsTSB online - Welcome
Acceso a Banca por Internet
baNK
e-gold Account Access

Additionally, the worm records the user's keystrokes on the infected computer and monitors his/her HTTP traffic. The stolen data is copied to the following files:

~pass.log
~key.log
~post.log

These files are then uploaded by the worm to an FTP site that most likely belongs to the worm's author.

To disinfect a computer from this worm, it is enough to delete its files from the hard drive. Manual disinfection should be performed in Safe Mode.
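The following host-triage script is an added example, not an F-Secure tool: it takes a snapshot of file paths and HKCU Run values and reports the Bizex artifacts named above (the SYSMON folder and DLLs in the Windows System folder, XTEMPX.$, the Startup-folder WinUpdate.exe, the temporary-folder downloader stages, and the "sysmon" Run value), so a manual Safe Mode cleanup has a checklist to work from. The `windows_snapshot` helper and the folder list it walks are assumptions for a live run; the indicator names are the ones in this description.

```python
"""Host triage for the Bizex artifacts named in this description (added example,
not an F-Secure tool; names come from the write-up, the test snapshot is constructed)."""
import os

# Files the main component leaves under the Windows System folder.
SYSTEM_FILES = {"sysmon\\sysmon.exe", "icq2003decrypt.dll", "icq_socket.dll",
                "javaext.dll", "java32.dll", "xtempx.$"}
TEMP_FILES = {"alsdfkj.exe", "aptgetupd.exe"}  # downloader stages in a temp folder
STARTUP_FILE = "winupdate.exe"                  # dropper copied to a Startup folder
RUN_VALUE = "sysmon"                            # HKCU\...\Run value name


def find_bizex_artifacts(paths, run_values, sysdir):
    """Return sorted indicator hits for one host snapshot: paths are absolute file
    paths (any slash style or case), run_values maps HKCU Run value name -> command,
    sysdir is the Windows System folder. The worm hides its Run value outside
    Safe Mode, so the file hits are the dependable signal."""
    hits = set()
    sysprefix = sysdir.replace("/", "\\").rstrip("\\").lower() + "\\"
    for p in paths:
        low = p.replace("/", "\\").lower()
        name = low.rsplit("\\", 1)[-1]
        if low.startswith(sysprefix) and low[len(sysprefix):] in SYSTEM_FILES:
            hits.add(p)
        elif name in TEMP_FILES or (name == STARTUP_FILE and "\\startup\\" in low):
            hits.add(p)
    for vname, cmd in run_values.items():
        if vname.lower() == RUN_VALUE and cmd.lower().strip('"') == sysprefix + "sysmon.exe":
            hits.add(f"HKCU\\...\\Run\\{vname} = {cmd}")
    return sorted(hits)


def windows_snapshot():
    """Collect live inputs on a Windows host (the folder list is an assumption)."""
    import winreg
    sysdir = os.path.join(os.environ["SystemRoot"], "system32")
    roots = [sysdir, os.path.join(sysdir, "sysmon"), os.environ.get("TEMP", ""),
             os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")]
    paths = [os.path.join(r, f) for r in roots if os.path.isdir(r) for f in os.listdir(r)]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            vname, cmd, _ = winreg.EnumValue(key, i)
            run_values[vname] = str(cmd)
    return paths, run_values, sysdir


if __name__ == "__main__" and os.name == "nt":
    print(*find_bizex_artifacts(*windows_snapshot()), sep="\n")
```

A sysmon.exe outside the SYSMON subfolder of the System folder is deliberately not flagged, since unrelated software ships a binary of that name; an empty Run-value list never clears a host because of the stealth behaviour described above.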


Detection for Bizex worm was published on February 24th, 2004 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2004-02-24_02

Technical Details: Alexey Podrezov, Katrin Tocheva and Jarno Niemela, February 26th, 2004
Description Last Modified: Jarno Niemela, February 27th, 2004
