W32.Borm


Aliases: WORM_BORMEX.A, W32.Borm, I-Worm.Bormex, Win32/Bormex.A@mm, BORMEX.
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: dormant
Spreading: slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 11 Aug 2003
Damage: Low

Characteristics: The W32.Borm program copies itself to the infected computer by creating .exe files. 

More details about W32.Borm

This program allegedly targets the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205). Using TCP port 135, it sends an amount of data large enough to overrun the buffer. From there, the worm creates certain system registry entries. Like many other worms, it copies itself to the infected computer by creating .exe files, naming its copy Borm.exe. It is also known to spread further when the compromised computers and/or laptops have already been infected with Back Orifice. Once executed, this worm causes a denial of service on DCE daemons. It reboots your computer to launch the file 'msblast.exe' immediately. It also creates a mutex named 'BILLY', which ensures that only a single instance of the worm runs. Upon clicking msblast.exe, you may see these files: "I just want to say LOVE YOU SAN", "billy gates why do you make this possible ? Stop making money and fix your software", "windowsupdate.com", "start %s", "tftp -i %s GET %s", "%d.%d.%d.%d", "%i.%i.%i.%i", "BILLY", "windows auto update", and SOFTWARE\Microsoft\Windows\currentversion\Run.

If your computer's system date is set to August 15th and/or December 31st, the worm will stop its service attacks on windowsupdate.com. The worm is continually updated: it was reported that on August 12, 2003, a rewritten variant named "penis32.exe" was spreading. It then changed again to another variant, this one named "teekids.exe". By August 27, 2003, the worm had been upgraded and was causing a denial of service on DCE daemons.