Buchon-C Worm Has Several Traits (eSecurityPlanet alert, January 13, 2005)
Some vendors have issued alerts for W32/Buchon.c@MM, a mass-mailing worm. It bears the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests target email addresses from the victim machine
spoofs the From: address
drops a trojan (keylogging and proxy) to the victim machine
The worm harvests target email addresses from files on the victim machine with the following extensions:
.dbx
.wab
.mbx
.eml
.mdb
.tbb
.txt
.html
.htm
.doc
.rtf
.cgi
.php
.asp
inbox
.dat
Outgoing messages are constructed as follows:
From: Spoofed
Subject: Mail Delivery failure - (insert target email address)
More information can be found at this McAfee page.
According to Trend Micro, Worm_Buchon.C is a variant of Worm_Buchon and mainly propagates via email. It uses its built-in Simple Mail Transfer Protocol engine, which allows it to send email without having to use other email applications like Outlook Express.
This worm obtains its target recipients from an infected system, either by searching a user's inbox, or through parsing files with certain extension names. Using its own Simple Mail Transfer Protocol (SMTP) engine, this worm mass-mails copies of itself to all harvested email addresses. As a general rule, users should avoid opening the attachments of unsolicited email.
For system administrators who wish to block the worm email, the email message it sends out contains the following details:
From:
Subject: Mail Delivery failure -
Message body:
If the message will not displayed automatically,
you can check original in attached message.txt
Failed message also saved at:
www.$HOST$/inbox/security/read.asp?sessionid-%d
(check attached instructions)
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
Attachment:
*.COM
*.EXE
(Note: The asterisk (*) is a wildcard character representing zero or more characters. Thus, *.* represents all files and folders, and *.SYS all files with the .SYS extension.) The attachment is a copy of this worm.
This worm disguises itself as the attached original message in a mail delivery failure notice. This may trick users into opening the said file, thereby running this worm.
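A mail-gateway filter built from the message format listed above, as an added example that is not from the article or from any vendor's own code. The subject prefix, body markers and .COM/.EXE attachment test are the traits given above; the sample message is constructed here and the attachment is a harmless placeholder, not the worm binary.

```python
import email
from email import policy
from email.message import EmailMessage

# Markers taken from the worm's message format listed above.
SUBJECT_PREFIX = "Mail Delivery failure -"
BODY_MARKERS = (
    "you can check original in attached message.txt",
    "+++ Attachment: No Virus found",
    "MC-Afee AntiVirus",
)
EXECUTABLE_EXTS = (".com", ".exe")


def matches_buchon_c(raw: bytes) -> dict:
    """Score a raw RFC 822 message against the worm's traits.

    Verdict requires the subject prefix AND a body marker AND a .COM/.EXE
    attachment, so a genuine bounce notice does not trip the rule.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    hits = {"subject": subject.startswith(SUBJECT_PREFIX),
            "body_marker": False, "exe_attachment": False}
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            hits["exe_attachment"] |= name.endswith(EXECUTABLE_EXTS)
        elif part.get_content_type() == "text/plain":
            text = part.get_content()
            hits["body_marker"] |= any(m in text for m in BODY_MARKERS)
    hits["verdict"] = hits["subject"] and hits["body_marker"] and hits["exe_attachment"]
    return hits


def build_sample(with_attachment: bool = True) -> bytes:
    """Construct a message in the worm's format (test data made up here, not a capture)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"  # spoofed sender, constructed
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Mail Delivery failure - victim@example.invalid"
    m.set_content("If the message will not displayed automatically,\n"
                  "you can check original in attached message.txt\n"
                  "+++ Attachment: No Virus found\n"
                  "+++ MC-Afee AntiVirus - www.mcafee.com\n")
    if with_attachment:  # harmless placeholder bytes stand in for the worm binary
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename="message.exe")
    return m.as_bytes()
```

Requiring all three indicators keeps ordinary delivery-failure notices, which share the subject wording but carry no executable, from being blocked.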
To check for infection, desktop users can look in the root directory of the system drive (usually C:\) for the following files:
CSRSS.BIN
CSRSS.EXE
Network administrators can also check for increased mail server activity and SMTP traffic.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.