Virus Database


I-Worm.Burnox

Description I-Worm.Burnox

Burnox is a worm that spreads via the Internet as an attachment to infected emails and through the Kazaa file-sharing network. The worm also downloads a backdoor trojan from a Web site and installs it on the system.
The worm itself is a Windows PE EXE file about 4KB in size (compressed with FSG; the decompressed size is about 20KB) and is written in Visual Basic.
Installing
During installation the worm copies itself to the Windows system directory under the name "MicrosoftUpdate.com" and registers this file in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update = %SystemDir%\MicrosoftUpdate.com

where %SystemDir% is the Windows System directory path.
The worm also creates a system registry key where it keeps its counter:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Startup = %counter%

The %counter% is set to '1' and is increased each time the worm starts. Depending on this counter the worm activates its spreading routines.
Spreading: EMail
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book. Infected messages have the following fields:
Subject: Important: Microsoft Windows Patch For Xp,2k,ME,98,95.

Body:

Microsoft just release this patch for all versions of Microsoft Windows.
This update patches many of the recent vulnerabilities!
It is recommended that you patch your operating system now. Though it is not required.

*Please Note* This is not the actual Microsoft patch. The attached program is Microsoft Update

Attach: MicrosoftUpdate.com

The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself on the system and runs its spreading routines.
Spreading: KaZaa
The worm creates a subdirectory named "system16" in the Windows system directory and copies itself there under the names:
kmd.exe            Game Trainer.exe     Hacker.exe
icq2003a.exe       Game.exe             Hacks.exe
icq2003b.exe       App.exe              xbox Hacker.exe
icq2003Final.exe   App Crack.exe        Ps2 Bios Emulation.exe
icq2002a.exe       Cracker.exe          xbox Bios Hack.exe
icq2003a.exe       Games.exe            Burn ps2 Games To A Single CD-R.exe
icq crack.exe      Games trainer.exe    Burn ps2.exe
aim crack.exe      Trainer.exe          burn xbox.exe
icq lite.exe       Cheat.exe            burn dreamcast.exe
imeshv2.exe        Game Hack.exe

The "system16" directory is then registered as a Kazaa file-sharing resource.
Installing the Backdoor Trojan
The worm downloads "Backdoor.Slackbot" from the http://www.wawater.com Web site, stores it in the "c:\unxrt.exe" file and executes it.
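
The host artefacts listed in this description (the auto-run value, the counter value, the "system16" copies and c:\unxrt.exe) can be checked against an exported registry file and a file listing. The following is an added example, not part of the original database entry; the function names and the sample data are constructed for illustration, and it assumes the registry was exported in the standard .reg text format.

```python
import re

# Indicators from the Burnox description above; key names lower-cased for matching.
CV_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEY = CV_KEY + r"\run"
WORM_COPY = "microsoftupdate.com"

def parse_reg_export(text):  # .reg text -> {lower-cased key: {value name: data}}
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
                current[m.group(1)] = data
    return keys

def burnox_findings(reg_text, file_paths):
    """Return human-readable hits for the host artefacts described for Burnox."""
    keys, hits = parse_reg_export(reg_text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if data.lower().endswith("\\" + WORM_COPY):
            hits.append(f"auto-run value {name!r} -> {data}")
    if any(n.lower() == "startup" for n in keys.get(CV_KEY, {})):
        hits.append("counter value 'Startup' under CurrentVersion")
    for path in file_paths:
        parts = path.lower().replace("/", "\\").split("\\")
        if parts == ["c:", "unxrt.exe"]:
            hits.append(f"downloaded backdoor: {path}")
        elif "system16" in parts[:-1] and parts[-1].endswith(".exe"):
            hits.append(f"Kazaa lure copy: {path}")
        elif parts[-1] == WORM_COPY:
            hits.append(f"worm copy: {path}")
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Startup"="3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\system32\\MicrosoftUpdate.com"
"SoundMan"="SOUNDMAN.EXE"
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\MicrosoftUpdate.com", r"c:\unxrt.exe",
                r"C:\WINDOWS\system32\system16\icq lite.exe", r"C:\WINDOWS\notepad.exe"]
print("\n".join(burnox_findings(SAMPLE_REG, SAMPLE_FILES)))
```

The match on the auto-run entry keys on the target file name rather than the "Windows Update" value name, so a renamed value pointing at the same file is still reported.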


Macro.Word.Beeper.a

Description Macro.Word.Beeper.a

These are encrypted Word macro viruses. They contain six original macros in NORMAL.DOT and infected documents:
"Beeper.a": AutoExec, AutoClose, AutoOpen, AutoNew, TheTime, Kill
"Beeper.b": AutoOpen, TFGAMV, AutoExec, AutoNew, AutoClose, Joke

While infecting the global macros area (NORMAL.DOT), "Beeper.b" also creates two additional macros with randomly selected names. These macros contain copies of the TFGAMV and Joke macros.
The viruses infect the global macros area when an infected document is opened. They write themselves to documents when an existing document is opened or a new one is created (AutoOpen, AutoNew).
Beeper.a
It maximizes Word windows and inserts into the current document the text:
You are infected with
The Time
A virus from Cool Zero

The virus does not execute the Kill and TheTime macros, i.e. they can be activated only at the user's request (through the File/Templates or Tools/Macro menus). When activated, the TheTime macro checks the system time and at 15:59 beeps and displays the MessageBoxes:
Hi I'm the Time virus
I don't like Your COMMAND.COM and AUTOEXEC.BAT
Play with me !! :-)
You have 1 Minute time to find me
Find me, I do nothing
Find me not
SAY BYE TO YOUR COMMAND.COM AND AUTOEXEC.BAT

The Kill macro at 16:00 deletes the files C:\COMMAND.COM and C:\AUTOEXEC.BAT.
Beeper.b
This virus prints documents on opening them (AutoOpen). At 17:00 it tries (but fails) to create and execute the SMILEY.COM file. This file contains an "intended" DOS virus.

Macro.Word.Bertik

Description Macro.Word.Bertik

This is an encrypted macro virus. It contains four macros that have different names in infected documents and NORMAL.DOT:
Documents    NORMAL.DOT
AutoOpen     YYYAO
XXXAO        AutoOpen
XXXFSA       FileSaveAs
XXXFS        FileSave
PayLoad      PayLoad

The virus infects the system on opening an infected document (AutoOpen) and writes itself to other documents on opening and saving (AutoOpen, FileSave, FileSaveAs).
On each infection the virus copies the WINWORD.HLP file to TEMPLATES .WRD file, where 'n' is the number of the infection. If an error occurs, the virus displays one of the following MessageBoxes:
Důležité upozornění
!!! Tohle způsobil virus Bertik.1 !!!
!!! Made by virus Bertik.1 !!!

    Copyright © 2005 Virus-Database.com