WORM_BORMEX.A, W32.Borm, I-Worm.Bormex, Win32/[email protected]
Category: Computer Worm
Asia, North and South America, and some parts of Europe and Australia
11 Aug 2003
The W32.Borm program copies itself to the infected computer by creating .exe files.
W32.Borm Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Borm from your computer.
More details about W32.Borm
This program allegedly targets the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205). Using TCP port 135, it sends a large amount of data sufficient to overrun the buffer. From this, the worm creates certain system registry entries. This worm, like many others, copies itself to the infected computer by making .exe files, but it names itself Borm.exe. It is also known to spread even more when the compromised computers and/or laptops have been infected with Back Orifice. Once executed, this worm will cause a denial of service on DCE daemons. It reboots your computer to launch the file 'msblast.exe' immediately. From there, it also makes a mutex named 'BILLY'. This signals that the worm runs as a single instance. Upon clicking msblast.exe, you may see these files: “I just want to say LOVE YOU SAN,” “billy gates why do you make this possible ? Stop making money and fix your software,” “windowsupdate.com,” “start %s,” “tftp -i %s GET %s,” “%d.%d.%d.%d,” “%i.%i.%i.%i,” “BILLY,” “windows auto update,” and SOFTWARE\Microsoft\Windows\currentversion\Run.
If your computer or system date is set to August 15th and/or December 31st, the worm will stop service attacks from windowsupdate.com. The worm continually updates, and it was reported that on August 12, 2003, a written variant named “penis32.exe” was spreading. It then changed again to a new variant, named “teekids.exe.” By August 27, 2003, the worm had upgraded and caused a denial of service on DCE daemons.