Fandom

Malware Wiki

Burnox

1,327pages on
this wiki
Add New Page
Comments0 Share

Email-Worm.Win32.Burnox or Burnox is a worm that spreads through email on Microsoft Windows (Win32).

DetailsEdit

Burnox is a worm virus spreading via the Internet as an attachment in infected emails as well as spreading through the Kazaa file sharing network. The worm also downloads from a Web site and installs a backdoor trojan to the system.

The worm itself is a Windows PE EXE file about 4KB in size(when compressed by FSG, the decompressed size is about 20KB) and written in VisualBasic.

InstallingEdit

While installing the worm copies itself to the Windows system directory with the "MicrosoftUpdate.com" name and registers this file in the system registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

  Windows Update = %SystemDir%\MicrosoftUpdate.com

where %SystemDir% is the Windows System directory path.

The worm also creates a system registry key where it keeps its counter:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\

  Startup = %counter%

the %counter% is set to '1', and is increased with each each worm start. Depending on this counter the worm activates its spreading routines.

Spreading: EMailEdit

To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book. Ifected messages have following field text:

Subject:   Important: Microsoft Windows Patch For Xp,2k,ME,98,95.

Attachment: MicrosoftUpdate.com

Microsoft just release this patch for all versions of Microsoft Windows.
This update patches many of the recent vulnerabilities!
It is recommended that you patch your operating system now. Though it is not required.
*Please Note* This is not the actual Microsoft patch. The attached program is Microsoft Update

The worm activates from infected emails only in case a user clicks on the attached file. The worm then installs itself to the system and runs spreading routines.

Spreading: KaZaaEdit

The worm creates a subdirectory with the "system16" name in the Windows system directory and copies itself to there with the names:

   kmd.exe            Game Trainer.exe    Hacker.exe                         

   icq2003a.exe       Game.exe            Hacks.exe                          

   icq2003b.exe       App.exe             xbox Hacker.exe                    

   icq2003Final.exe   App Crack.exe       Ps2 Bios Emulation.exe             

   icq2002a.exe       Cracker.exe         xbox Bios Hack.exe                 

   icq2003a.exe       Games.exe           Burn ps2 Games To A Single CD-R.exe

   icq crack.exe      Games trainer.exe   Burn ps2.exe                       

   aim crack.exe      Trainer.exe         burn xbox.exe                      

   icq lite.exe       Cheat.exe           burn dreamcast.exe                 

   imeshv2.exe        Game Hack.exe

The "system16" directory is then registered as Kazaa file sharing resource.

Installing the Backdoor TrojanEdit

The worm downloads the "Backdoor.Slackbot" from the http://www.wawater.com Web site, stores it to the "c:\unxrt.exe" file and executes it.

MediaEdit

SourcesEdit

Securelist (Kaspersky Labs), Email-Worm.Win32.Burnox.a

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.