WORM_BIZOME.D

It displays a window upon execution.

It sends ICMP PING requests to a series of IP addresses and scans for port 4899 to check if those IP addresses have RADMIN service running. Once successful, it may use a hardcoded list of user names and passwords to gain access to the system.

This routine of sending PING requests to the IP addresses may cause denial of service (DoS) and heavy network traffic.

It may then save a copy, install and execute itself on the machine as %System%\ipz2.exe.

It uses port 689 to communicate between machines infected with this backdoor. This malicious file builds a peer-to-peer network which may then receive and send commands from/to other infected machines/malicious networks to download and execute other malicious files.

This worm may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This worm may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following non-malicious files:

• %User Profile%\IPZ2\IPZ2.db

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %User Profile%\IPZ2

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ2
ImagePath = ImagePath = "{malware path and filename} -service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ2
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ2
DisplayName = Intelligent P2P Zombie 2

Other System Modifications

This worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and filename} = {malware path and filename}:*:Enabled:ipz2

Other Details

This worm does the following:

• Upon execution, this worm displays the following window:
  

  

• It may be executed using command-line and may have the following parameters:
  
  • --install - install itself as service
  • --service - start service
  • --remove - remove service
  • --log - log activities of the malware
• It sends ICMP PING requests to a series of IP addresses and scans for port 4899 to check if those IP addresses have RADMIN service running. Once successful, it may use the following hardcoded list of user names and passwords to gain access to the system:
  
  • vader
  • israel
  • norad
  • police
  • potter
  • satan
  • battle
  • witch
  • nigger
  • xerox
  • cinema
  • mouse
  • shinny
  • human
  • stereo
  • caddy
  • flight
  • handy
  • flower
  • share
  • ubuntu
  • shark
  • guitar
  • sharp
  • winter
  • harry
  • bottle
  • canon
  • coffee
  • venus
  • attack
  • earth
  • africa
  • leela
  • horror
  • scada
  • samael
  • major
  • bender
  • space
  • cavern
  • light
  • cannon
  • pilot
  • health
  • brent
  • gentoo
  • skate
  • neuron
  • leeps
  • summer
  • blood
  • grinder
  • pirate
  • anime
  • chopper
  • solder
  • south
  • username
  • soldier
  • google
  • rotor
  • rastaman
  • mozilla
  • master
  • motor
  • warcraft
  • offence
  • people
  • stick
  • universe
  • elevate
  • metall
  • grant
  • nekomimi
  • inferno
  • rocket
  • linux
  • creative
  • obvious
  • mondo
  • zeitgeist
  • starwars
  • captain
  • memory
  • video
  • tolerance
  • kamikaze
  • bicycle
  • passwd
  • robot
  • facebook
  • fighter
  • azerty
  • right
  • southpark
  • nothing
  • 123321
  • cyber
  • copypaste
  • password
  • lucifer
  • 121212
  • bucks
  • copyright
  • 1qaz2wsx
  • general
  • ytrewq
  • boobs
  • warhammer
  • zzzzzzzz
  • freedom
  • 000000
  • dream
  • helicopter
  • starcraft
  • qwerasdf
  • embrace
  • aaaaaa
  • press
  • calculator
  • hiroshima
  • 12344321
  • defence
  • 654321
  • stack
  • battleship
  • 1qa2ws3ed
  • 12341234
  • minigun
  • abcdef
  • april
  • skyscraper
  • abcdefghi
  • aaaaaaaa
  • october
  • qweasd
  • lover
  • 1q2w3e4r5t
  • 123454321
  • abcdefgh
  • welcome
  • qazwsx
  • abcdefghij
  • 123123123
  • qqqqqqqq
  • pasword
  • 123123
  • 1234554321
  • qazwsxedc
  • 1q2w3e4r
  • 1234321
  • 1q2w3e
  • paswd
  • qwertyuiop
  • qwertyuio
  • 11111111
  • abcdefg
  • qqqqqq
  • 12321
  • 0123456789
  • 987654321
  • 87654321
  • 0123456
  • 54321
  • harrypotter
  • 0987654321
  • 012345678
  • qwertyui
  • qwertyu
  • qwerty
  • qwert
  • brentcorrigan
  • necromancer
  • 1234567890
  • 123456789
  • 12345678
  • 1234567
  • 12345
  • login
  • skynet
  • computer
  • internet
  • radmin
  • microsoft
  • billgates
  • Administrator
  • administrator
  • Admin
  • 123456
  • 111111
  • admin
• This routine of sending PING requests to the IP addresses may cause denial of service (DoS) and heavy network traffic.
• It may then save a copy, install and execute itself on the machine as %System%\ipz2.exe.
• It uses port 689 to communicate between machines infected with this backdoor. This malicious file builds a peer-to-peer network which may then receive and send commands from/to other infected machines/malicious networks to download and execute other malicious files.