WORM_BIZOME.VRX

 Analysis by: Christopher Daniel So

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

It opens a specific port where it listens for remote commands.

It sends ICMP PING requests to a series of IP addresses and scans for Port 4899 to check if those IP addresses have RADMIN service running. Once successful, it may use a hard-coded list of usernames and passwords to gain access to the system.

It installs itself on the machine. It uses Port 310 to communicate between machines infected with this worm.

It logs some of its activities in a file.

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

394,752 bytes

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

01 Dec 2010

Payload:

Compromises system security

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
ImagePath = "{malware path and filename}" --service

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and filename} = {malware path and filename}:*:Enabled:ipz

Backdoor Routine

This worm opens the following port(s) where it listens for remote commands:

  • 310

Dropping Routine

This worm drops the following files:

  • %Current%\ipz-db.bin
  • %Current%\log.txt

Other Details

This worm displays the following images:

It does the following:

  • May be executed using command-line and may have the following parameters:
    /i - install itself as service
    /s - start service
    /r - remove service
    /l - log activities of the malware
  • Sends ICMP PING requests to a series of IP addresses and scans for Port 4899 to check if those IP addresses have RADMIN service running. Once successful, it may use the following hard-coded list of usernames and passwords to gain access to the system:
    0987654321
    111111
    11111111
    121212
    12121212
    123123
    12341234
    123456
    12345678
    123456789
    1234567890
    1q2w3e
    1q2w3e4r
    1q2w3e4r5t
    654321
    87654321
    Admin
    Administrator
    aaaaaa
    aaaaaaaa
    admin
    administrator
    aerial
    aerodynamics
    aeroplane
    alien
    altera
    altitude
    america
    american
    anchorite
    annihilation
    archer
    asdfghjk
    asdfghjkl
    atmel
    atmosphere
    atomic
    backward
    battle
    bender
    billgates
    boeing
    brentcorrigan
    brutal
    bullshit
    burning
    callofduty
    cannon
    cdrom
    children
    computer
    coolface
    copyleft
    copyright
    creative
    creator
    darthvader
    deathcore
    deathstar
    debian
    deltaplane
    destroy
    disable
    display
    domination
    doomsday
    elephant
    elimination
    emoboy
    emokid
    emperor
    enable
    enigma
    europe
    evangellion
    fallout
    fighter
    folder
    forward
    freedom
    fuckyou
    godzilla
    google
    gothic
    grinder
    guitar
    happiness
    happy
    hardcore
    harddisk
    helicopter
    hippie
    hitler
    horishima
    horizon
    ignore
    imageboard
    income
    incoming
    insane
    internet
    israel
    jesus
    jetpack
    kamikaze
    keyboard
    kremlin
    latitude
    lineage2
    login
    longtitude
    lucifer
    lurkmore
    machine
    memory
    metall
    microchip
    microsoft
    minigun
    missile
    monkey
    motorbike
    mouse
    mozilla
    music
    negative
    nekoboy
    nigger
    nuclear
    oracle
    overmind
    password
    people
    pilotage
    police
    positive
    predator
    pretty
    processor
    propeller
    prototype
    qazwsx
    qazwsxedc
    qqqqqq
    qqqqqqqq
    qweasd
    qweasdzxc
    qwerty
    qwertyui
    qwertyuiop
    radmin
    rastaman
    reactor
    receiver
    revolution
    rocketman
    router
    samael
    satan
    sattelite
    scientology
    secret
    secure
    shadow
    shcool
    skynet
    skywalker
    smoking
    solder
    speaker
    stalin
    starcraft
    stinger
    sunlight
    superman
    supply
    suxxxx
    terminator
    thieft
    thread
    thunderbird
    tolerance
    topsecret
    tranciever
    transmitter
    trollface
    ubuntu
    unknown
    username
    utorrent
    warcraft
    warhammer
    washington
    whitehouse
    windows
    wireless
    xlinx
    youandme
    youtube
    zeitgeist
  • Installs itself on the machine. It uses Port 310 to communicate between machines infected with this worm.
  • Logs the following activities of the malware in the file log.txt:
    (peer_broadcast_link) broadcasting link to {IP}
    (peer_link_to_self) buddy {IP} kicked due to synchronization error
    (peer_link_to_self) synchronized link to {IP}
    (peer_new_buddy) {IP} - added new buddy
    (peer_new_buddy) {IP} - buddy already in list
    (peer_new_buddy) {IP} - connection closed
    (peer_new_buddy) {IP} - trying to connect
    (peer_process_link_message) linked to new buddy {IP}
    (peer_process_link_message) synchronized link with {IP}
    (peer_process_message) new message
    (peer_process_message) new message accepted
    (peer_process_poll_message) message delivered to {IP}
    (peer_process_poll_message) no messages to deliver to {IP}
    (peer_process_poll_message) {IP} polled his mailbox
    [{Date and Time}] {ID} (ACT) connected to {IP}
    [{Date and Time}] {ID} (ACT) disconnected from {IP}
    [{Date and Time}] {ID} (ACT) failed to connect to {IP}
    [{Date and Time}] {ID} (ACT) message delivered to {IP}
    [{Date and Time}] {ID} (ACT) message received from {IP}
    [{Date and Time}] {ID} (ACT) no messages on {IP}
    [{Date and Time}] {ID} (ACT) polling mailbox on {IP}
    [{Date and Time}] {ID} (ACT) sending messages to {IP}
    [{Date and Time}] {ID} (ACT) trying to connect to {IP}
    [{Date and Time}] {ID} (PASS) LINK from {IP}
    [{Date and Time}] {ID} (PASS) POLL from {IP}
    [{Date and Time}] {ID} (PASS) connection from {IP} closed
    [{Date and Time}] {ID} (PASS) message from {IP}
    [{Date and Time}] {ID} (PASS) received connection from {IP}
  • This malware is infected with PE_VIRUX.Q.

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI PATTERN File:

7.666.08

VSAPI PATTERN Date:

01 Dec 2010

VSAPI PATTERN Date:

12/1/2010 12:00:00 AM

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product and note files detected as WORM_BIZOME.VRX

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • IPZ

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • {malware path and filename}={malware path and filename}:*:Enabled:ipz

Step 6

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
%Current%\ipz-db.bin
%Current%\log.txt

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_BIZOME.VRX. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.