Windows 2000, Windows XP, Windows Server 2003
Propagates via network shares
It may be executed using command-line and specific parameters.
It sends ICMP PING requests to random IP addresses and scans for Port 4899 (Radmin Port) to check if those IP addresses have RADMIN service running. Once successful, it uses the following hardcoded list of user names and passwords to gain access to password-protected systems. It then install itself on the machine. It uses Port 310 to communicate between infected systems.
It creates a list of its activities, which it stores in a .TXT file.
This worm may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
It is a command line program that may be used to perform certain routines.
TCP port 4899 (RAdmin Port)
Varies
PE
Yes
22 Sep 2010
Drops files, Steals information
Arrival Details
This worm may arrive via network shares.
It may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This worm drops the following files:
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
Type = 10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
Start = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
ErrorControl = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
ImagePath = {malware path and file name}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
DisplayName = Intelligent P2P Zombie
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
ObjectName = LocalSystem
Other System Modifications
This worm creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = {malware path and file name}:*:Enabled:{malware filename}
Backdoor Routine
This worm is a command line program that may be used to perform certain routines.
Other Details
Based on analysis of the codes, it has the following capabilities:
8.900
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 5
Search and delete these components
Step 6
Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_BIZOME.SMD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.