Discovered: February 24, 2004
Updated: February 24, 2004 4:12:05 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
W32.Bizex.Worm propagates by sending a link to each of the infected user's ICQ contacts. The link points to a page at www.jokeworld.biz. When that page is viewed, a compiled HTML Help (.chm) file is downloaded to the system under the name MEINE.SCM. The .SCM extension is associated with ICQ sound schemes, and by default ICQ saves the Startup.wav file contained in an .SCM file to a predictable location, as described in BID 5247 (Mirabilis ICQ Sound Scheme Predictable File Location Vulnerability). This leaves the CHM file at a path the attacker can predict.
The worm then exploits the Microsoft Internet Explorer showHelp CHM File Execution Weakness (BID 9320) to execute IEFUCKER.HTML, which is contained within the CHM file. That HTML file in turn exploits the Microsoft Internet Explorer Object Type Validation Vulnerability (BID 8456) to drop WinUpdate.exe into the system's Startup folder, so it runs at the next logon.
WinUpdate.exe is a downloader trojan: it downloads the worm's main component, saves it as the following file, and executes it:
%Temp%\APTGETUPD.EXE
When this file is executed, the worm creates the following copy of itself:
%System%\Sysmon\Sysmon.exe
It also adds the following registry value so that the copy runs each time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = %System%\Sysmon\Sysmon.exe
It then drops the following files:
%System%\JAVA32.DLL
%System%\JAVAEXT.DLL
These two DLLs implement a keylogger that captures data entered on web pages whose window titles match the following:
Acceso a Banca por Internet
Accueil Bred.fr > Espace Bred.fr
American Express UK - Personal Finance
Banamex.com
baNK
Banque
Banque en ligne
Barclaycard Merchant Services
Collegamento a Scrigno
Commercial Electronic Office Sign On
Credit Lyonnais interacti
CyberMUT
E*TRADE Log On
e-gold Account Access
Home Page Banca Intesa
LloydsTSB online - Welcome
Merchant Administration
Page d'accueil
Secure User Area
SUNCORP METWAY
Tous les produits et services
VeriSign Partner Manager
VeriSign Personal Trust Service
Wells Fargo - Small Business Home Page
They also capture data sent over HTTPS to sites whose URLs contain either of the following strings:
login.yahoo.com
.passport.
The captured data is written to the following files:
~PASS.LOG
~KEY.LOG
~POST.LOG
These log files are then uploaded by FTP to the server www.ustrading.info.
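As an added example, not part of the original writeup, the following Python triage script turns the persistence, dropped-file and log-file indicators above into a host check, and reconstructs the keylogger's capture decision (title list or HTTPS URL substring) so that it can be used as a test oracle. The `reg export` sample, the file listing, the expanded %System% and %Temp% directories and the exact-match handling of window titles are all assumptions made here; the sample data is constructed, not captured from an infected host.

```python
"""Triage helpers for the W32.Bizex.Worm indicators in the writeup above.
Added example; sample data below is constructed, not from a real host."""
import re

# --- Indicators taken from the writeup ---------------------------------------
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sysmon"
RUN_VALUE_DATA = r"%System%\Sysmon\Sysmon.exe"
DROPPED_FILES = (
    r"%Temp%\APTGETUPD.EXE",
    r"%System%\Sysmon\Sysmon.exe",
    r"%System%\JAVA32.DLL",
    r"%System%\JAVAEXT.DLL",
)
LOG_FILE_NAMES = ("~PASS.LOG", "~KEY.LOG", "~POST.LOG")
TARGET_TITLES = frozenset([
    "Acceso a Banca por Internet", "Accueil Bred.fr > Espace Bred.fr",
    "American Express UK - Personal Finance", "Banamex.com", "baNK", "Banque",
    "Banque en ligne", "Barclaycard Merchant Services", "Collegamento a Scrigno",
    "Commercial Electronic Office Sign On", "Credit Lyonnais interacti", "CyberMUT",
    "E*TRADE Log On", "e-gold Account Access", "Home Page Banca Intesa",
    "LloydsTSB online - Welcome", "Merchant Administration", "Page d'accueil",
    "Secure User Area", "SUNCORP METWAY", "Tous les produits et services",
    "VeriSign Partner Manager", "VeriSign Personal Trust Service",
    "Wells Fargo - Small Business Home Page",
])
TARGET_URL_SUBSTRINGS = ("login.yahoo.com", ".passport.")

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse `reg export` output into {key: {value_name: data}} (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside REG_SZ data.
                data = m.group("data").replace(r"\\", "\\").replace(r'\"', '"')
                keys[current][m.group("name")] = data
    return keys


def find_run_persistence(reg_text, system_dir):
    """Return (name, data) Run values matching the worm's autostart entry,
    by value name or by data pointing at <system_dir>\\Sysmon\\Sysmon.exe."""
    expected = RUN_VALUE_DATA.replace("%System%", system_dir).lower()
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or data.strip('"').lower() == expected:
                hits.append((name, data))
    return hits


def find_dropped_files(paths, system_dir, temp_dir):
    """Case-insensitively match paths against the dropped-file indicators
    (with %System%/%Temp% expanded) and the keylogger's log file names."""
    wanted = {p.replace("%System%", system_dir).replace("%Temp%", temp_dir).lower()
              for p in DROPPED_FILES}
    log_names = {n.lower() for n in LOG_FILE_NAMES}
    hits = []
    for path in paths:
        low = path.lower()
        if low in wanted or low.rsplit("\\", 1)[-1] in log_names:
            hits.append(path)
    return sorted(hits)


def is_targeted(title, url):
    """Reconstruction of the keylogger's capture decision from the writeup:
    exact window-title match, or an HTTPS URL containing a listed substring.
    Exact, case-sensitive title matching is an assumption."""
    if title in TARGET_TITLES:
        return True
    low = url.lower()
    return low.startswith("https://") and any(s in low for s in TARGET_URL_SUBSTRINGS)


# --- Constructed sample host data (assumed paths, not real captures) ---------
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysmon"="C:\\WINDOWS\\system32\\Sysmon\\Sysmon.exe"
'''
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\system32"
SAMPLE_TEMP_DIR = r"C:\DOCUME~1\USER\LOCALS~1\Temp"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\Sysmon\Sysmon.exe",
    r"C:\WINDOWS\system32\JAVA32.DLL",
    r"C:\WINDOWS\system32\javaext.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\APTGETUPD.EXE",
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\~PASS.LOG",
]

if __name__ == "__main__":
    for name, data in find_run_persistence(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_DIR):
        print("persistence:", name, "=", data)
    for path in find_dropped_files(SAMPLE_FILES, SAMPLE_SYSTEM_DIR, SAMPLE_TEMP_DIR):
        print("dropped/log file:", path)
```

On a real host the registry text would come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and the file list from a recursive directory listing of the system and temp directories; the title-based check deliberately does not substring-match, since the writeup gives exact titles and several ("Banque", "baNK") would otherwise match far too broadly.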