W32.Bezilom.Worm


Aliases: Virus.Win32.HLLW.Bezilom, Win32.HLLW.Bezilom, W32/Bezilom.worm, HLLW/Bezilom, W32/Bezilom-A
Variants: Win32.HLLM.Generic.40, Win32/Bezil.A@mm, WORM_BEZILOM.A2, Win32/HLLW.Bezil, Win32/Bezilom.A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 21 Feb 2002
Damage: Medium

Characteristics: The W32.Bezilom.Worm program can propagate by copying its code to a floppy disk in drive A:\ when it is resident in the system’s memory. This worm has the ability to restart the affected machine a couple of times.

More details about W32.Bezilom.Worm

The W32.Bezilom.Worm program has 3 components that are all Windows OS PE executable files. All 3 components are written in the programming language Visual Basic. The 3 components are Natasha.exe, Maria.doc.exe and MacroSoftBL.exe. The Natasha.exe is the virus dropper and it was spammed to a couple of email conferences around February 2002. While the Maria.doc.exe is the worm’s virus itself and the MacroSoftBL.exe is a fake (decoy) antivirus application. Once the Natasha.exe is run in the system, it will drop and run 2 other components. These 2 components are the PKGF320.exe in the folder C:\ Windows\ Temp and the MacroSoftBL.exe with system and hidden attributes located in the folder C:\ Program Files\ MacroSoftBL. Upon successful execution, it will move itself to the C:\Windows location with the Maria.doc.exe filename and with lots of spaces between the doc and exe.

After this, the W32.Bezilom.Worm program will copy itself to the root directories of every drive in the system using a randomly generated filename such as huhhbg.exe or cmzymz.exe. It will likewise create an autoexec.bat file with an instruction that executes the virus duplicate in the same location. For removing the worm, System Restore in Windows ME or Windows XP should be disabled. Next, virus definitions should be updated instantly. Your computer should be restarted in either VGA mode or Safe mode. A comprehensive system scan should be performed and files related to the malware must be deleted. Registry values that the malware added should be deleted as well.