Burnox is a worm virus spreading via the Internet as an attachment in infected emails as well as spreading through the Kazaa file sharing network. The worm also downloads from a Web site and installs a backdoor trojan to the system.
The worm itself is a Windows PE executable file about 4KB in size(when compressed by FSG, the decompressed size is about 20KB) and written in VisualBasic.
While installing the worm copies itself to the Windows system directory with the "MicrosoftUpdate.com" name and registers this file in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Windows Update = %SystemDir%\MicrosoftUpdate.com
where %SystemDir% is the Windows System directory path.
The worm also creates a system registry key where it keeps its counter:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ Startup = %counter%
the %counter% is set to '1', and is increased with each each worm start. Depending on this counter the worm activates its spreading routines.
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book. Ifected messages have following field text:
Subject: Important: Microsoft Windows Patch For Xp,2k,ME,98,95.
- Microsoft just release this patch for all versions of Microsoft Windows.
- This update patches many of the recent vulnerabilities!
- It is recommended that you patch your operating system now. Though it is not required.
*Please Note* This is not the actual Microsoft patch. The attached program is Microsoft Update
The worm activates from infected emails only in case a user clicks on the attached file. The worm then installs itself to the system and runs spreading routines.
The worm creates a subdirectory with the "system16" name in the Windows system directory and copies itself to there with the names:
kmd.exe Game Trainer.exe Hacker.exe icq2003a.exe Game.exe Hacks.exe icq2003b.exe App.exe xbox Hacker.exe icq2003Final.exe App Crack.exe Ps2 Bios Emulation.exe icq2002a.exe Cracker.exe xbox Bios Hack.exe icq2003a.exe Games.exe Burn ps2 Games To A Single CD-R.exe icq crack.exe Games trainer.exe Burn ps2.exe aim crack.exe Trainer.exe burn xbox.exe icq lite.exe Cheat.exe burn dreamcast.exe imeshv2.exe Game Hack.exe
The "system16" directory is then registered as Kazaa file sharing resource.
Installing the Backdoor Trojan
The worm downloads the "Backdoor.Slackbot" from the http://www.wawater.com Web site, stores it to the "c:\unxrt.exe" file and executes it.
Securelist (Kaspersky Labs), Email-Worm.Win32.Burnox.a