Virus Database

I-Worm.Burnox

Description I-Worm.Burnox

Burnox is a worm virus spreading via the Internet as an attachment in infected emails as well as spreading through the Kazaa file sharing network. The worm also downloads from a Web site and installs a backdoor trojan to the system.
The worm itself is a Windows PE EXE file about 4KB in size(when compressed by FSG, the decompressed size is about 20KB) and written in VisualBasic.
Installing
While installing the worm copies itself to the Windows system directory with the "MicrosoftUpdate.com" name and registers this file in the system registry auto-run key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun Windows Update = %SystemDir%MicrosoftUpdate.com

where %SystemDir% is the Windows System directory path.
The worm also creates a system registry key where it keeps its counter:
HKLMSOFTWAREMicrosoftWindowsCurrentVersion Startup = %counter%

the %counter% is set to '1', and is increased with each each worm start. Depending on this counter the worm activates its spreading routines.
Spreading: EMail
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book. Ifected messages have following field text:
Subject: Important: Microsoft Windows Patch For Xp,2k,ME,98,95.

Body:

Microsoft just release this patch for all versions of Microsoft Windows.
This update patches many of the recent vulnerabilities!
It is recommended that you patch your operating system now. Though it is not required.

*Please Note* This is not the actual Microsoft patch. The attached program is Microsoft Update

Attach: MicrosoftUpdate.com

The worm activates from infected emails only in case a user clicks on the attached file. The worm then installs itself to the system and runs spreading routines.
Spreading: KaZaa
The worm creates a subdirectory with the "system16" name in the Windows system directory and copies itself to there with the names:
kmd.exe Game Trainer.exe Hacker.exe
icq2003a.exe Game.exe Hacks.exe
icq2003b.exe App.exe xbox Hacker.exe
icq2003Final.exe App Crack.exe Ps2 Bios Emulation.exe
icq2002a.exe Cracker.exe xbox Bios Hack.exe
icq2003a.exe Games.exe Burn ps2 Games To A Single CD-R.exe
icq crack.exe Games trainer.exe Burn ps2.exe
aim crack.exe Trainer.exe burn xbox.exe
icq lite.exe Cheat.exe burn dreamcast.exe
imeshv2.exe Game Hack.exe

The "system16" directory is then registered as Kazaa file sharing resource.
Installing the Backdoor Trojan
The worm downloads the "Backdoor.Slackbot" from the http://www.wawater.com Web site, stores it to the "c:unxrt.exe" file and executes it.

Check other viruses! Be aware! Use Antiviral Software

Bach.498

Description Bach.498

It's a dangerous not memory resident parasitic virus. It searches for .COM-files and writes itself at their ends. Depending on current date it hooks INT 13h and sometimes redirects information that are read or saved to disk. It contains the internal text string: "J.S. Bach by TXQ".

BachKhoa.3544

Description BachKhoa.3544

This is a very dangerous memory resident encrypted parasitic virus. It uses anti-debugging tricks in its code. When an infected file is executed, the virus hooks INT 21h, stays memory resident and then writes itself to the end of COM and EXE files that are accessed.
The virus deletes the anti-virus and other data files: CHKLIST.MS, CHKLIST.CPS, FILESIGN.SAV, FILE_ID.DIZ. On November 25 it also erases the hard drive sectors. It contains the text strings:
Ha Noi University of technology
Your PC was infected by BACHKHOA virus

Home