Malware Wiki

Bmerw


This threat is detected with the 4127 DATs, or higher, with various names. The 4215 DATs, and higher, detect it as Bat/a.

This is an IRC-spreading worm and an intended mass mailer. It is meant to arrive in an email message containing the following information, but bugs cause the mailing routine to fail:

Subject: Upgrade to Windows XP

Body: Good news from Microsoft. Click the attachment for your FREE Windows XP. Upgrade to Windows XP now.

Attachment: UpgradeToWindowsXP.bat

When run, the batch file creates several other files.

| Filename | Description | Detected name |
|---|---|---|
| C:\MIRC\SCRIPT.INI | The dropped script.ini contains instructions to send the worm to all users upon joining the channel of the infected user. | MIRC/Generic |
| c:\WINDOWS\UpgradeToWindowsXP.bat | A copy of the worm; fails to copy due to bug. | Bat/a |
| c:\XP\xp.bat | A copy of the worm; fails to copy due to bug. | Bat/a |
| c:\XPUpdate.reg | Contains instructions to create a registry run key to load the worm at startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PX=c:\XP\xp.bat | Bat/Bmerw.reg |
| c:\X.vbs | A VBScript file that contains instructions to email the worm to all users in the Outlook Address book (fails due to bug), go to the web address "http://www.yahooka.com" and use PING to DoS attack "www.hotmail.com". | VBS/Generic@MM |

Additionally, the batch file attempts to overwrite McAfee DAT files with itself. This action will fail if the DAT files are in use.
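The dropped files and the Run value listed above can be checked on a mounted disk image with a short Python triage helper. This is an added example, not part of the original write-up; the function names, the idea of passing a mount point for the C: drive, and the use of a regedit text export as input are assumptions. Since two of the copies are noted as failing, a partial set of hits is still worth reporting.

```python
import os
import re

# Artifacts from the table above, relative to the root of the C: drive.
DROPPED_FILES = {
    r"MIRC\SCRIPT.INI": "MIRC/Generic",
    r"WINDOWS\UpgradeToWindowsXP.bat": "Bat/a",
    r"XP\xp.bat": "Bat/a",
    r"XPUpdate.reg": "Bat/Bmerw.reg",
    r"X.vbs": "VBS/Generic@MM",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = ("PX", r"c:\XP\xp.bat")

def resolve_nocase(root, win_rel_path):
    """Locate a Windows-style relative path under root, ignoring case.

    Needed because a forensic mount on Linux is case-sensitive."""
    current = root
    for part in win_rel_path.split("\\"):
        try:
            entries = os.listdir(current)
        except OSError:  # missing directory, or a file where a directory was expected
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def run_key_hit(reg_export_text):
    """True if a regedit text export sets the PX value under the HKLM Run key."""
    in_run_key = False
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY
        elif in_run_key:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1).lower() == RUN_VALUE[0].lower():
                # .reg files store each backslash doubled
                data = m.group(2).replace("\\\\", "\\")
                if data.lower() == RUN_VALUE[1].lower():
                    return True
    return False

def triage(root, reg_export_text=""):
    """Return the listed artifacts found under root and whether the Run value is set."""
    found = {p: n for p, n in DROPPED_FILES.items() if resolve_nocase(root, p)}
    return {"files": found, "run_key": run_key_hit(reg_export_text)}
```

A regedit version 5 export is UTF-16 encoded, so decode it before passing the text to `triage`.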

Aliases

  • Worm/Bat.Bmerw
  • Worm:BAT/Bmerw
  • Worm/BAT/IRC.Bmerw.Generic
  • Worm/IRC:Bmerw-Gen!
  • IRC:Bmerw.reg.worm
  • Mal/BAT-Generic.Bmerw
  • Bmerw.worm
  • Bmerw.A
  • Worm:Win32/OverDAT
