Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA
Trend Micro: WORM_BACKZAT.A

WORM_BACKZAT.A - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BACKZAT.A

Description:
This destructive worm propagates via Internet Relay Chat (IRC), AOL Instant Messenger (AIM) and the popular peer-to-peer file sharing network of Kazaa. On Sundays, it attempts to overwrite the boot sector of the hard drive. It is also designed to delete files in certain folders that are mostly associated with antivirus programs.

This UPX-compressed worm is written and compiled in Visual C++ and runs in Windows 95, 98, ME, NT, 2000, and XP systems.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
BatzBack = "%Windows%\BatzBack.scr"
Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT.
Close Registry Editor.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_BACKZAT.A, BAT_BACKZAT.A, and IRC_BACKZAT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Further Technical Details: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BACKZAT.A&VSect=T

Installation
Upon execution, this worm drops a copy of itself in the Windows and Windows System folders as BatzBack.scr.

Note: %Windows% is the default Windows folder, which is usually C:\Windows for Windows 95, 98, ME and XP systems and C:\WINNT for Windows NT and 2000. %System% refers to the Windows system folder, which is usually C:\Windows\System for Windows 95, 98 and ME, C:\Windows\System32 for Windows XP systems and C:\WINNT\System32 for Windows NT and 2000.

Then, it creates an autorun entry in the registry so that it automatically executes at every Windows Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
BatzBack = "%Windows%\BatzBack.scr"

It also drops a destructive batch file Trojan as BatzBack.bat in the Windows folder. This batch file facilitates the worm's destructive routine of overwriting the boot sector of the hard drive and is detected by Trend Micro as BAT_BACKZAT.A.

Kazaa Propagation
After installing itself, this worm first spreads via the Kazaa peer-to-peer network. It queries this registry key for the default shared download folder:

HKEY_CURRENT_USER\Software\Kazaa\

Then, it drops a copy of itself in the download folder as EminEmSpearsBritney.Scr, making itself readily available to other Kazaa users.

Propagation via IRC
To spread via Internet Relay Chat (IRC), the worm searches for the mIRC folder by querying this registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIrc

Then, it creates or overwrites the mIRC initialization file, SCRIPT.INI, in the mIRC folder with malicious code that automatically sends a copy of the worm to IRC users who join the channel the infected user is in.

The malicious IRC script is detected by Trend Micro as IRC_BACKZAT.A.

Propagation via AIM
In addition, this worm also drops a copy of itself as BuddyShare.exe in the default AIM folder which is hardcoded in its body:

\Program Files\AIM95\BuddyShare.exe

Destructive Routines
This worm runs the dropped malicious batch file for its destructive routines. Upon execution of this batch file, it attempts to copy the dropped copy of the worm to mapped drives starting from G: to Z:.

This batch file is also designed to overwrite the boot sector of the hard drive on Sundays.

It also attempts to delete all files in the following folders:

\Progra~1\Norton~1\*.*
\Progra~1\Norton~2\*.*
\Progra~1\PandaS~1\*.*
\Progra~1\McAfee\VirusScan\*.*
\Progra~1\TrendM~1\*.*
\Progra~1\ZoneLa~1\*.*
\Progra~1\Grisoft\\AVG6\*.*
\Progra~1\AntiVi~1\*.*
\Progra~1\QuickH~1\*.*
\Progra~1\FWIN32\*.*
\Progra~1\FindVirus\*.*
\eSafen\*.*
\f-macro\*.*
\TBAVW95\*.*
\VS95\*.*
\AntiVi~1\*.*
\ToolKit\FindVirus\*.*
\PC-Cil~1\*.*

Other Details
This worm is compressed with the UPX compression utility and is written and compiled in Visual C++, a high-level programming language.
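As an added defender-side example (not part of Trend Micro's write-up or of this thread), the indicators above turned into a check over a regedit .reg export and a file listing: it flags the BatzBack Run entry, goes one step beyond the page by flagging any Run value that launches a .scr file, and matches the dropped file names plus a SCRIPT.INI under a mIRC folder. The sample export, the ScanTray entry and the full paths are constructed; the page itself gives only %Windows%-relative names.

```python
from pathlib import PureWindowsPath

# File names the write-up above says WORM_BACKZAT.A drops (matched case-insensitively).
DROPPED_FILES = {"batzback.scr", "batzback.bat", "eminemspearsbritney.scr", "buddyshare.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def parse_reg_export(text):
    """Parse a regedit .reg export into {key_path: {value_name: data}}; REG_SZ values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"="' in line and line.endswith('"'):
            name, data = line[1:-1].split('"="', 1)
            # .reg exports escape backslashes and double quotes inside string data
            keys[current][name] = data.replace('\\\\', '\\').replace('\\"', '"')
    return keys

def suspicious_run_entries(reg):
    """Names of Run values matching the worm's autostart entry, plus any Run value
    that launches a .scr (screensaver) file, which legitimate software almost never does."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        # A quoted command line ("C:\Program Files\x.exe" /arg) keeps only the executable path
        target = data.split('"')[1] if data.startswith('"') and data.count('"') >= 2 else data
        if name.lower() == "batzback" or PureWindowsPath(target).name.lower().endswith(".scr"):
            hits.append(name)
    return hits

def dropped_file_hits(paths):
    """Paths whose file name is a dropped file, or a SCRIPT.INI inside a mIRC folder (IRC_BACKZAT.A)."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_mirc = any("mirc" in part.lower() for part in wp.parts[:-1])
        if wp.name.lower() in DROPPED_FILES or (wp.name.lower() == "script.ini" and in_mirc):
            hits.append(p)
    return hits

# Constructed sample export and file listing, not taken from a real infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BatzBack"="C:\\Windows\\BatzBack.scr"
"ScanTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /quiet"
'''
SAMPLE_FILES = [r"C:\Windows\BatzBack.bat", r"C:\Program Files\mIRC\script.ini",
                r"C:\Program Files\AIM95\BuddyShare.exe", r"C:\Windows\win.ini"]
```

Run `suspicious_run_entries(parse_reg_export(SAMPLE_REG))` and `dropped_file_hits(SAMPLE_FILES)` against a real export and directory walk; the Sunday boot-sector routine leaves no registry trace, so the dropped BatzBack.bat is the indicator to look for there.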

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England
Detected by Sophos: »www.sophos.com/virusinfo ··· atk.html

Kanebrake
Island Time
Premium Member
join:2002-03-12

to Randy Bell
Detected by RAV but no definition!

Randy Bell
said by Kanebrake:
Detected by RAV but no definition!
Join the club!

Symantec: W32.HLLW.Backzat.H
(no info yet at virus encyclopedia)

Kaspersky: I-Worm.BatzBack.i
(no info yet at virus encyclopedia)

Randy Bell
Computer Associates has several variants listed:

Computer Associates Virus - BAT.Backzat
Computer Associates Virus - Win32.Backzat.A
Computer Associates Virus - Win32.Backzat.B
Computer Associates Virus - Win32.Backzat.C
Computer Associates Virus - Win32.Backzat.D
Computer Associates Virus - Win32.Backzat.E
Computer Associates Virus - Win32.Backzat.F

and so does Symantec in its virus encyclopedia:

Symantec Security Response - W32.HLLW.Backzat
Symantec Security Response - W32.Backzat.Worm
Symantec Security Response - W32.HLLW.Backzat.B
Symantec Security Response - W32.HLLW.Backzat.C
Symantec Security Response - W32.HLLW.Backzat.F
Symantec Security Response - W32.HLLW.Backzat.G

finally there is Trend Micro:

WORM_BACKZAT.A - Description and solution
IRC_BACKZAT.A - Description and solution
BAT_BACKZAT.A - Description and solution
WORM_BACKZAT.B - Description and solution
BAT_BACKZAT.B - Description and solution
IRC_BACKZAT.B - Description and solution

[text was edited by author 2003-06-12 01:31:11]