Re: [Full-Disclosure] Fw: [Unpatched] The Bizex worm

From: Jelmer (jkuperus_at_planet.nl)
Date: 02/25/04

    To: Thor Larholm <thor@pivx.com>, full-disclosure@lists.netsys.com
    Date: Wed, 25 Feb 2004 17:12:24 +0100
    
    

    There's more info at http://www.daemonology.net/ICQworm/worm.txt

    It seems it uses the nearly 2 years!! old "icq downloads stuff to a known
    location" vulnerability
    http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-07/0210.html

    Recently made current by Arman Nayyeri, as you can see his post also
    mentions icq as an attack vector
    http://www.securityfocus.com/archive/1/348521

    which they also use, effectively making this a worm that exploits a zero day
    vulnerability, no patch is available from either microsoft or icq, and
    antivirus signatures are trivially defeated. So it's easy to make variants
    to this virus

    Shame on ICQ!

    ----- Original Message -----
    From: "Thor Larholm" <thor@pivx.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Wednesday, February 25, 2004 4:12 AM
    Subject: [Full-Disclosure] Fw: [Unpatched] The Bizex worm

    > We have all talked about how most viruses and worms that actually spread
    > in the wild could have been written so much better by any one of us. I
    > guess someone stepped forward and took the bait.
    >
    > Everything indicates that Bizex is a worm which was created as a hired
    > job. Its primary purpose was to collect banking information and create
    > an army of zombie machines. To accomplish this, it exploited a range of
    > vulnerabilities, the latest of which was published as recently as
    > February 19th on the Bugtraq mailing list.
    >
    > The antivirus companies are finally starting to update their signatures,
    > hours after Bizex has already infected between 50.000 and 100.000
    > machines (Kaspersky). Luckily, the main distribution sites have now been
    > shut down which has halted the spread but left us with an army of
    > zombie machines waiting for new instructions on port 1534.
    >
    > New variants of Bizex are expected in the near future.
    >
    > Locking down the My Computer zone prevented Bizex from infecting a
    > Windows system, a feature which is implemented as a demonstratory fix in
    > the currently available Qwik-Fix beta ( www.qwik-fix.net ) and which
    > Microsoft is also implementing in the upcoming Windows XP Service Pack
    > 2, slated for release around June.
    >
    > More information about Bizex can be found at
    >
    > http://www.kaspersky.com/news.html?id=4277566
    > http://www.viruslist.com/eng/viruslist.html?id=1029528
    > http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
    > http://www.sophos.com/virusinfo/analyses/w32bizexa.html
    > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101044
    >
    >
    >
    > Regards
    >
    > Thor Larholm
    > Senior Security Researcher
    > PivX Solutions
    > 24 Corporate Plaza #180
    > Newport Beach, CA 92660
    > http://www.pivx.com
    > thor@pivx.com
    > Phone: +1 (949) 231-8496
    > PGP: 0x5A276569
    > 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
    >
    > PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
    > Qwik-Fix <http://www.qwik-fix.net>
    >
    > -----Original Message-----
    > From: Thor Larholm
    > Sent: Tuesday, February 24, 2004 5:31 PM
    > To: Thor Larholm
    > Subject: [Unpatched] The Bizex worm
    >
    >
    >
    > Dear Unpatched subscriber,
    >
    > Today a new worm was discovered in the wild, called Bizex. Employing a
    > multilayered attack, spread and infection approach it spreads through
    > several vulnerabilities and exploits in multiple technologies such as
    > email attachments, ICQ instant messaging and HTTP web pages. Some of
    > these vulnerabilities are without patches from the vendor, raising the
    > level of potential damage.
    >
    > Kaspersky is currently labelling this a global epidemic with more than
    > 50.000 infections just among ICQ users.
    >
    > Likewise, implementing multiple layers of defense can help mitigate the
    > threat posed by multilayered worms such as Bizex. The currently
    > available BETA version of Qwik-Fix completely protects against the Bizex
    > worm by mitigating the impact of several vulnerabilities it relies on.
    > You can download Qwik-Fix at
    >
    > http://www.qwik-fix.net/
    >
    > Symantec has labelled this worm W32.Bizex.worm, but has not yet
    > published any details about it.
    >
    > http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
    >
    > PivX Solutions are currently researching the potential impact of Bizex
    > as well as its data gathering intentions. Some of the vulnerabilities
    > this worm is exploiting in its effort to spread are:
    >
    > Microsoft Java virtual machine class loader
    > ICQ SCM local file planting
    > Microsoft Help CHM vulnerabilities
    > ADODB Stream
    > Internet Explorer Shell Folders
    >
    > Interestingly, the shell folder vulnerability was only recently
    > categorized as being a serious threat on February 19 in a post to the
    > Bugtraq mailing list. This once again demonstrates how malicious
    > criminals are more rapidly exploiting vulnerabilities as they are being
    > announced.
    >
    > Our initial analysis has shown that this worm is trying to collect
    > credit card details from unsuspecting users, masquerading itself as a
    > statement from banks and online trading sites, such as Wells Fargo,
    > E*TRADE, American Express, e-gold, Verisign and LloydsTSB.
    >
    > It has been linked to websites that are anonymously registered to
    > Russian individuals, is apparently created using Microsoft Visual
    > Studio and installs a backdoor on compromised machines to be used by
    > professional spammers.
    >
    > Kaspersky has released more details at
    >
    > http://www.kaspersky.com/news.html?id=4277566
    >
    > We will keep you updated as more information is uncovered.
    >
    >
    >
    > Regards
    >
    > Thor Larholm
    > Senior Security Researcher
    > PivX Solutions
    > 24 Corporate Plaza #180
    > Newport Beach, CA 92660
    > http://www.pivx.com
    > thor@pivx.com
    > Phone: +1 (949) 231-8496
    > PGP: 0x5A276569
    > 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
    >
    > PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
    > Qwik-Fix <http://www.qwik-fix.net>
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
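The thread notes that infected machines are left "waiting for new instructions on port 1534" and that signature-based antivirus is trivially evaded by variants, so a host-side check that does not depend on signatures is useful. The following is an added example, not code from either poster or from any of the vendors named: it parses `netstat -ano`-style output and flags processes that listen on, or have sockets bound to or connected to, that control port. The port number comes from Thor Larholm's mail; the netstat lines are constructed samples, and real output formats vary by Windows version, so the column regex is an assumption to adjust for the host being examined.

```python
"""Flag sockets on the Bizex control port (TCP 1534) in netstat-style output.

Added example for the mailing-list thread above; not part of the original
posts. The port comes from the post, the sample netstat text is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

BIZEX_CONTROL_PORT = 1534  # per the post: zombies wait for instructions here

# Constructed sample in the shape of Windows `netstat -ano` output
# (Proto, Local Address, Foreign Address, State, PID). Not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:1534           0.0.0.0:0              LISTENING       1720
  TCP    192.0.2.10:1534        198.51.100.7:3391      ESTABLISHED     1720
  TCP    192.0.2.10:1053        198.51.100.20:80       ESTABLISHED     2212
  UDP    0.0.0.0:1534           *:*                                    1720
"""


@dataclass(frozen=True)
class Finding:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    reason: str


# Assumed column layout: proto, local, foreign, optional state, PID.
# UDP rows have no State column, hence the optional group.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def _port_of(endpoint: str) -> Optional[int]:
    """Return the numeric port of 'host:port'; None for '*:*' style endpoints."""
    _host, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def find_control_port_sockets(netstat_text: str,
                              port: int = BIZEX_CONTROL_PORT) -> List[Finding]:
    """Return every socket row that involves the given port, with a reason."""
    findings: List[Finding] = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header line or a row in an unexpected layout
        proto, local, remote, state, pid = m.groups()
        state = state or ""
        if _port_of(local) == port and state == "LISTENING":
            reason = "local listener on control port"
        elif _port_of(local) == port or _port_of(remote) == port:
            reason = "socket bound to or connected to control port"
        else:
            continue
        findings.append(Finding(proto, local, remote, state, int(pid), reason))
    return findings


def suspicious_pids(netstat_text: str,
                    port: int = BIZEX_CONTROL_PORT) -> Set[int]:
    """PIDs worth inspecting (e.g. with a process listing) for the given port."""
    return {f.pid for f in find_control_port_sockets(netstat_text, port)}


if __name__ == "__main__":
    for f in find_control_port_sockets(SAMPLE_NETSTAT):
        print(f"{f.proto:<4} {f.local:<22} {f.remote:<22} "
              f"{f.state:<12} pid={f.pid}  {f.reason}")
```

A listener on the port is the strong signal; a single outbound connection to it only says that port is in use somewhere, so the PID set is a starting point for inspecting the process, not a verdict on its own.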

