WORM_BACKZAT.A - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BACKZAT.A
Description: This destructive worm propagates via Internet Relay Chat (IRC), AOL Instant Messenger (AIM) and the Kazaa peer-to-peer file-sharing network. On Sundays it attempts to overwrite the boot sector of the hard drive, and it deletes files from folders belonging to antivirus and other security products.
This UPX-compressed worm is written in Visual C++ and runs on Windows 95, 98, ME, NT, 2000 and XP.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup. If the worm is still running (BatzBack.scr appears in the process list), end that process first: Windows will not let a scanner delete an executable that is in use.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
BatzBack = %Windows%\BatzBack.scr
Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT.
Close Registry Editor.
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_BACKZAT.A, BAT_BACKZAT.A and IRC_BACKZAT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Further Technical Details: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BACKZAT.A&VSect=T
Installation
Upon execution, this worm drops a copy of itself in the Windows and Windows System folders as BatzBack.scr.
Note: %Windows% is the default Windows folder, which is usually C:\Windows for Windows 95, 98, ME and XP systems and C:\WINNT for Windows NT and 2000. %System% refers to the Windows system folder, which is usually C:\Windows\System for Windows 95, 98 and ME, C:\Windows\System32 for Windows XP systems and C:\WINNT\System32 for Windows NT and 2000.
Then, it creates an autorun entry in the registry so that it executes at every Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
BatzBack = %Windows%\BatzBack.scr
It also drops a destructive batch file Trojan, BatzBack.bat, in the Windows folder. This batch file carries out the worm's destructive routine of overwriting the boot sector of the hard drive and is detected by Trend Micro as BAT_BACKZAT.A.
Kazaa Propagation
After installing itself, this worm first spreads via the Kazaa peer-to-peer network. It queries this registry key for the default shared download folder:
HKEY_CURRENT_USER\Software\Kazaa\
Then, it drops a copy of itself in that download folder as EminEmSpearsBritney.Scr, making itself readily available to other Kazaa users.
Propagation via IRC
To spread via Internet Relay Chat (IRC), the worm locates the mIRC folder by querying this registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIrc
Then, it creates or overwrites the mIRC script file, SCRIPT.INI, in the mIRC folder with a malicious script that automatically sends a copy of the worm to every user who joins a channel the infected user is in.
The malicious IRC script is detected by Trend Micro as IRC_BACKZAT.A.
Propagation via AIM
In addition, this worm drops a copy of itself as BuddyShare.exe in the default AIM folder, whose path is hardcoded in its body:
\Program Files\AIM95\BuddyShare.exe
Destructive Routines
This worm runs the dropped batch file for its destructive routines. When executed, the batch file attempts to copy the dropped worm to mapped drives G: through Z:.
This batch file also overwrites the boot sector of the hard drive on Sundays.
It also attempts to delete all files (*.*) in the following folders, which are given as 8.3 short names (Progra~1 is Program Files) and belong to antivirus and firewall products:
\Progra~1\Norton~1\*.*
\Progra~1\Norton~2\*.*
\Progra~1\PandaS~1\*.*
\Progra~1\McAfee\VirusScan\*.*
\Progra~1\TrendM~1\*.*
\Progra~1\ZoneLa~1\*.*
\Progra~1\Grisoft\\AVG6\*.*
\Progra~1\AntiVi~1\*.*
\Progra~1\QuickH~1\*.*
\Progra~1\FWIN32\*.*
\Progra~1\FindVirus\*.*
\eSafen\*.*
\f-macro\*.*
\TBAVW95\*.*
\VS95\*.*
\AntiVi~1\*.*
\ToolKit\FindVirus\*.*
\PC-Cil~1\*.*
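The manual cleanup above and the artifacts named from Installation through Destructive Routines can be checked in one triage script. The following PowerShell is an added example written for this page, not a Trend Micro tool, and it targets the NT-family systems (2000/XP and later) on which PowerShell runs; it does not apply to Windows 95/98/ME. Every indicator it checks is taken from the description; where the description leaves a detail open, the script's choice is marked as an assumption in the code: the registry value under HKCU\Software\Kazaa that holds the download folder is not named, so every string value there that points at an existing directory is tried; the value read from the mIRC Uninstall key is not named, so InstallLocation and then the folder of UninstallString are used; the folder that BatzBack.bat copies to on drives G: through Z: is not named, so the drive root is checked; and the shape of the malicious SCRIPT.INI (an on-JOIN handler issuing dcc send) is inferred from the description rather than quoted from the sample.

```powershell
# Added example for WORM_BACKZAT.A triage (not Trend Micro's code). Paths and names
# come from the description above; lines marked ASSUMPTION fill in details it omits.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$windir   = $env:SystemRoot                  # %Windows%
$sysdir   = [Environment]::SystemDirectory   # %System% (System32 on NT/2000/XP)
$findings      = New-Object 'System.Collections.Generic.List[string]'
$filesToRemove = New-Object 'System.Collections.Generic.List[string]'

function Add-FileFinding([string]$Path, [string]$What) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $script:findings.Add("${What}: $Path")
        $script:filesToRemove.Add($Path)
    }
}

# 1. Autostart value, the entry the manual removal procedure deletes.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
$runHit = $run -and $run.PSObject.Properties['BatzBack']
if ($runHit) { $findings.Add("Run value BatzBack = $($run.BatzBack)") }

# 2. Dropped copies in %Windows% and %System%, plus the batch Trojan (BAT_BACKZAT.A).
Add-FileFinding (Join-Path $windir 'BatzBack.scr') 'Worm copy'
Add-FileFinding (Join-Path $sysdir 'BatzBack.scr') 'Worm copy'
Add-FileFinding (Join-Path $windir 'BatzBack.bat') 'Batch Trojan'

# 3. Kazaa bait file. ASSUMPTION: the value holding the download folder is not named,
#    so every string value under HKCU\Software\Kazaa naming an existing directory is tried.
$kazaaKeys = @(Get-Item -Path 'HKCU:\Software\Kazaa' -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -Path 'HKCU:\Software\Kazaa' -Recurse -ErrorAction SilentlyContinue)
foreach ($key in $kazaaKeys) {
    foreach ($name in $key.GetValueNames()) {
        $dir = $key.GetValue($name)
        if ($dir -is [string] -and (Test-Path -LiteralPath $dir -PathType Container)) {
            Add-FileFinding (Join-Path $dir 'EminEmSpearsBritney.Scr') 'Kazaa bait'
        }
    }
}

# 4. mIRC SCRIPT.INI, located through the Uninstall key the worm itself reads.
#    ASSUMPTION: InstallLocation, then the folder of UninstallString, gives the mIRC folder.
$mirc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIrc' -ErrorAction SilentlyContinue
$mircDir = $null
if ($mirc) {
    if ($mirc.InstallLocation) {
        $mircDir = $mirc.InstallLocation
    } elseif ($mirc.UninstallString) {
        $mircDir = Split-Path -Parent ((($mirc.UninstallString -replace '"', '') -split ' ')[0])
    }
}
if ($mircDir) {
    $ini = Join-Path $mircDir 'SCRIPT.INI'
    if (Test-Path -LiteralPath $ini -PathType Leaf) {
        # ASSUMPTION: the worm script is an on-JOIN handler that DCC-sends a file,
        # which is what "sends a copy to users that join the channel" describes.
        if ((Get-Content -LiteralPath $ini -Raw) -match '(?is)\bon\s+\S*:join\b.*?\bdcc\s+send\b') {
            $findings.Add("IRC_BACKZAT.A pattern in $ini")
            $filesToRemove.Add($ini)
        }
    }
}

# 5. AIM drop at the hardcoded path, resolved on the system drive.
Add-FileFinding (Join-Path $env:SystemDrive 'Program Files\AIM95\BuddyShare.exe') 'AIM drop'

# 6. Copies the batch file spreads to drives G: (71) through Z: (90). ASSUMPTION: drive root.
foreach ($code in 71..90) {
    Add-FileFinding "$([char]$code):\BatzBack.scr" 'Drive copy'
}

# 7. Report, then remediate on request. The running copy is stopped first because a
#    file that is mapped as a running image cannot be deleted.
if ($findings.Count -eq 0) { Write-Output 'No WORM_BACKZAT.A artifacts found.' }
foreach ($f in $findings) { Write-Output "FOUND  $f" }
if ($Remediate -and $findings.Count -gt 0) {
    Get-Process -Name BatzBack -ErrorAction SilentlyContinue | Stop-Process -Force
    if ($runHit -and $PSCmdlet.ShouldProcess($RunKey, 'Remove value BatzBack')) {
        Remove-ItemProperty -Path $RunKey -Name 'BatzBack'
    }
    foreach ($f in $filesToRemove) {
        if ($PSCmdlet.ShouldProcess($f, 'Delete')) { Remove-Item -LiteralPath $f -Force }
    }
}
```

Run it from an elevated prompt. Without -Remediate it only reports what it finds; -Remediate -WhatIf previews the registry and file deletions, and -Remediate performs them after stopping the BatzBack process. A full antivirus scan is still needed afterwards, since the script only knows the file names listed on this page and the boot sector damage done on a Sunday is not something it can undo.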
Other Details
This worm is compressed with the UPX packer and is written and compiled in Visual C++.