Worm.Win32.Busan.a


The Busan worm spreads through networks by copying itself to all accessible network resources. The worm is a Windows application (PE EXE file) that is compressed with UPX and is 14KB in size. Its code is written in the C programming language.

When run, the worm sends a message via ICQ to the author's UIN and then copies itself to the Windows directory under the name files32.sys. The Busan worm also copies to the Windows directory a file named mh32.dll, which is a keyboard 'interceptor' (keylogger). The worm then tries to copy itself under the name auto.exe to the following directories:

 C:\WINDOWS\All Users\Start Menu\Program Files\StartUp\
 C:\WINDOWS\All Users\?' ?-R? ?-蟎?罵??蘚??識 ?燎? \

Because of a mistake in its code, the worm fails to copy itself to the above directories. Busan then probes IP addresses and copies itself to all accessible network resources.

Next the worm registers itself in the system registry key:

 [HKEY_CLASSES_ROOT\exefile\shell\open\command]
 @="files32.sys \"%1\" %*"

This entry causes the worm to be run anew each time any EXE-file is opened.
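A defender can spot this persistence by comparing the handler's default value with the stock command `"%1" %*`. The Python sketch below is an added example, not part of the original entry: it scans registry export text for altered handlers, and goes slightly beyond the entry by also checking comfile and batfile, which ship with the same stock command. The function names and the sample export are constructed for illustration.

```python
import re

# Stock Windows handler: launch the clicked file itself with its arguments.
EXPECTED = '"%1" %*'
# Classes sharing that stock command (comfile/batfile go beyond the entry).
CLASSES = ("exefile", "comfile", "batfile")
KEY_RE = re.compile(r'^\[(HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command)\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export: the entry's hijacked exefile key plus a clean key.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

def unescape_reg(value):
    # .reg strings escape the double quote and the backslash with a backslash.
    return re.sub(r'\\(["\\])', r'\1', value)

def find_hijacked_handlers(reg_text):
    """Return (key, command, interposed_program) for each altered handler.

    reg_text is already-decoded export text (regedit writes UTF-16).
    """
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1) if m.group(2).lower() in CLASSES else None
        elif line.startswith("["):
            key = None  # some other key: stop tracking
        elif key and (v := DEFAULT_RE.match(line)):
            command = unescape_reg(v.group(1))
            if command.strip() != EXPECTED:
                # Whatever precedes "%1" runs first on every launch.
                program = command.split('"%1"')[0].strip().strip('"')
                findings.append((key, command, program))
    return findings

if __name__ == "__main__":
    for key, command, program in find_hijacked_handlers(SAMPLE_REG):
        print(f"ALTERED {key}: {command!r} (runs {program!r} first)")
```

Any finding on a live system also means that simply deleting the interposed file would break launching of that file type until the default value is restored.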

While running, the worm collects all accessible user names and passwords for the mailboxes registered in the system and stores them in the file C:\WINDOWS\lmhost.log. Once this is done, Busan tries to send the file to the malefactor (the worm's master). The same file also contains a complete record of the keystrokes captured by the keyboard interceptor, mh32.dll.

The Busan worm tries to download a file named worm31.bmp from an Internet web-site but cannot as the page has since been removed.

©Virus-Encyclopedia.com All Rights Reserved.