W32/Buchon@mm worm was found on October 21st, 2004. This variant is probably a hack made in South Korea.It was originally identified as Netsky, but all major Antivirus vendors realized it has not much to do with that family besides some similarities in the emails it sends. Therefore the new name is Buchon.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
The worm is packed with an unmodified version of UPX, once unpacked it grows to around 60 KiB. This worm contains two hidden strings: "SoonChunHyang" and "Bucheon". There's a University called SoonChunHyang in the city of Bucheon, South Korea.This virus is buggy and fails to replicate properly.Email messages W32/Buchon@mm tries to send can vary a lot. In some cases it sends somewhat personalized messages looking like this:
From: email@example.com To: firstname.lastname@example.org Subject: Mail Delivery failure - email@example.com If the message will not displayed automatically, . you cancheck original in attached message.txt www.acme.com/inbox/security/read.asp?sessionid-5339 Attachment: "message.txt mcafee.com"
W32/Buchon@mm searches local drives for e-mail addresses. Files with following extensions are scanned for e-mail addresses:
.dbx .wab .mbx .eml .mdb .tbb
The worm also drops a keylogger.
F-Secure AntiVirus detects W32/Buchon@mm with update
Detection Type: PC
Description Details: Mikko Hypponen, October 21st, 2004
Description Last Modified: Ero Carrera, October 22nd, 2004