Aliases: Worm.Win32.Bizex, W32.Bizex.Worm, Java/Bizex.A, W32/Bizex.worm
Variants: Worm.Win32.Bizex, W32/Bizex-A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 24 Feb 2004
Damage: High

Characteristics: The W32.Bizex.Worm program propagates by sending infected users' ICQ contacts a link to a site that hosts its code. This worm is also able to steal critical online banking details.

More details about W32.Bizex.Worm

The W32.Bizex.Worm program allegedly spreads by sending a hyperlink to contacts through the ICQ messaging program. The link that this worm sends to the infected user's ICQ contact list points to www.jokeworkd.biz. When this page is viewed, a file with the .chm extension is downloaded to the compromised machine as the file MEINE.SCM. The SCM extension is used for ICQ sound schemes, and by default ICQ saves the file Startup.wav contained in the SCM file. The worm does this to take advantage of the Mirabilis ICQ Sound Scheme Predictable File Location vulnerability. The W32.Bizex.Worm program then takes advantage of another vulnerability, the Microsoft Internet Explorer showHelp CHM File Execution Weakness, which is exploited so that the IEFUCKER.HTML file inside the CHM file is executed.

In turn, this HTML file contains code that exploits the Microsoft Internet Explorer Object Type Validation Vulnerability in order to drop the WinUpdate.exe file into the system's Startup folder. WinUpdate.exe is actually a Trojan downloader that retrieves the W32.Bizex.Worm's main executable, drops it in the Temp folder as APTGETUPD.EXE and runs it. Once this file runs, the worm creates a copy of itself as C:\Windows\System\Sysmon.exe. It also creates a registry entry so that the worm runs when Windows starts up. The worm drops the files JAVAEXT.DLL and JAVA32.DLL into the C:\Windows\System folder as well. These dropped files make up a keylogger that steals online banking information from a number of online banking systems. Furthermore, they are capable of stealing HTTPS data sent to sites whose URL contains the strings login.yahoo.com or .passport. The stolen data is written to the files ~PASS.LOG, ~KEY.LOG and ~POST.LOG and then uploaded to www.ustrading.info via FTP.
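The dropped files and the two hosts named above are the indicators a responder would sweep for. The following Python script is an added example written for this entry, not a tool from the original page or from any vendor: it walks a directory tree for the filenames the description attributes to the worm, and checks a handful of proxy/firewall log lines for the lure site and the FTP drop site. The directory layout it builds and the log lines it checks are constructed for the demonstration; the Windows\Temp location and the log format are assumptions, since the write-up names the Temp and Startup folders but not their full paths. One caveat it encodes: the legitimate Sysinternals monitoring tool is also named Sysmon.exe, so that filename only counts when it sits in the Windows\System folder the write-up specifies.

```python
import tempfile
from pathlib import Path

# Filenames the write-up attributes to W32.Bizex.Worm, matched case-insensitively
# (Windows filesystems are case-insensitive). Descriptions paraphrase the text.
DROPPED_FILES = {
    "sysmon.exe":    "worm copy (Windows\\System)",
    "javaext.dll":   "keylogger component",
    "java32.dll":    "keylogger component",
    "winupdate.exe": "Trojan downloader (Startup folder)",
    "aptgetupd.exe": "main worm executable (Temp folder)",
    "~pass.log":     "harvested credentials awaiting FTP upload",
    "~key.log":      "keystroke log awaiting FTP upload",
    "~post.log":     "captured HTTPS form posts awaiting FTP upload",
}

# Hosts named in the write-up: the lure page and the FTP drop site.
NETWORK_INDICATORS = ("www.jokeworkd.biz", "www.ustrading.info")


def _is_worm_sysmon(path: Path) -> bool:
    """Sysinternals' legitimate monitoring tool is also called Sysmon.exe, so a
    bare filename match is not enough: only a copy in the System subfolder of a
    Windows directory, the location the write-up gives, counts as an indicator."""
    parts = [p.lower() for p in path.parts]
    return len(parts) >= 3 and parts[-3:-1] == ["windows", "system"]


def scan_tree(root) -> list:
    """Walk `root` and return sorted (path, description) pairs for every file
    whose name is one of the dropped-file indicators."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        desc = DROPPED_FILES.get(p.name.lower())
        if desc is None:
            continue
        if p.name.lower() == "sysmon.exe" and not _is_worm_sysmon(p):
            continue
        hits.append((str(p), desc))
    return sorted(hits)


def scan_log_lines(lines) -> list:
    """Return the log lines that reference the lure site or the FTP drop site."""
    return [ln for ln in lines if any(h in ln.lower() for h in NETWORK_INDICATORS)]


def build_sample_tree() -> str:
    """Create a constructed directory layout (not a real infection) in a temp
    folder: worm artefacts where the write-up says they land, a legitimate
    Sysinternals Sysmon.exe, and an unrelated DLL. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="bizex_demo_"))
    for rel in (
        "Windows/System/Sysmon.exe",
        "Windows/System/JAVAEXT.DLL",
        "Windows/System/JAVA32.DLL",
        "Windows/System/~PASS.LOG",
        "Windows/Temp/APTGETUPD.EXE",              # Temp location is an assumption
        "Program Files/Sysinternals/Sysmon.exe",   # legitimate tool, must not fire
        "Windows/System/kernel32.dll",             # benign, must not fire
    ):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"placeholder")
    return str(root)


# Constructed proxy/firewall log lines for the network check (format is assumed).
SAMPLE_LOG = [
    "2004-02-24 10:01:12 ALLOW TCP 10.0.0.5:1044 -> www.jokeworkd.biz:80 GET /",
    "2004-02-24 10:03:40 ALLOW TCP 10.0.0.5:1050 -> update.example.com:80 GET /",
    "2004-02-24 10:09:03 ALLOW TCP 10.0.0.5:1061 -> www.ustrading.info:21 FTP STOR ~PASS.LOG",
    "2004-02-24 10:09:05 ALLOW TCP 10.0.0.5:1062 -> mail.example.com:443",
]


if __name__ == "__main__":
    for path, desc in scan_tree(build_sample_tree()):
        print(f"[host] {path}: {desc}")
    for line in scan_log_lines(SAMPLE_LOG):
        print(f"[net]  {line}")
```

Run against the constructed tree, the host scan reports five artefacts (the worm copy, both keylogger DLLs, the credential log and the downloaded executable) and skips the Sysinternals binary and kernel32.dll; the log check returns the two lines naming the lure and drop hosts. On a real system, point `scan_tree` at the drive root and feed `scan_log_lines` the proxy or firewall export.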