W32.Buxth@mm

Discovered: July 22, 2002
Updated: July 23, 2002 2:11:34 PM
Systems Affected: Windows

W32.Buxth@mm is a mass mailing worm that sends itself to all email addresses it gathers from the user's Outlook Express and Internet Mail Inboxes. It attempts to send the user's .pwl (password list) files to a remote user. The worm also installs a back door server on the compromised host.

W32.Buxth@mm is a mass mailing worm that sends itself to all email addresses it gathers from the following files:
C:\Windows\Application Data\Microsoft\Outlook Express\Mail\Inbox.idx
C:\Windows\Application Data\Microsoft\Outlook Express\Inbox.idx
C:\Program Files\Internet Mail and News\Defult User\Mail\Inbox.idx

It typically arrives as an email message with the following properties:
From: Buxtehude

Subject: Something about...

Attachment: SETUPW32.EXE

Message Body:
Something about sex
Sex is like nokia I(connecting people),
like nike (just do it),
like pepsi (ask for more),
like coca-cola (enjoy).
Send this message to FRIENDS or you will have 5 years bad sex!
Attached program sends this message to 10 of your random friends

When the attachment is executed, the worm copies itself to the user's Windows startup folder:
c:\Windows\Start Menu\Programs\Startup\BUXTEHUDE.EXE

This path is hardcoded into the worm, so the copy only runs at the next logon on systems whose Startup folder actually lives at that location (typically Windows 9x-based systems, where the profile sits under C:\Windows). On systems where the Startup folder is elsewhere, the worm does not survive a reboot.

For the worm to function properly, the file SRVDL32.DLL must be present on the compromised system.

The worm displays the following fake error message, which leads the user to believe the attachment simply failed to run:
File SrvDL32.dll not found!

The worm then connects to the SMTP server SMTP.HOTPOP.COM, which it uses both to perform its mass mailing and to send the user's .pwl (Windows password list, the file in which Windows 9x caches the user's network and dial-up passwords) file to a remote address. The email carrying the .pwl file has the following properties:
To: blabba@hotpop.com

Subject: Somethin' nice

Attachment: <user's .pwl file>

Message Body: Hello, Buxtehude!My name is <username> and please take my pwl file...
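The arrival message, the startup-folder copy and the .pwl exfiltration message above give a mail gateway and a host check enough to detect this worm by indicator alone. The following is an added example written for this page (not code from the original writeup or from the vendor): it classifies raw messages using the From/To, Subject and attachment-name indicators listed above, flags TCP/25 connections to SMTP.HOTPOP.COM in a connection log, and checks the hardcoded Startup path. The requirement of two independent indicators per verdict, the connection-log format, and the sample messages, log lines and example.invalid addresses are all constructed for demonstration.

```python
"""Detection helpers for the W32.Buxth@mm indicators described above.

Added example, not code from the original writeup or from the vendor.
It matches the worm's arrival message and its .pwl exfiltration message,
flags SMTP connections to the relay the worm uses, and checks the
hardcoded startup path. All sample data below is constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators taken from the writeup (compared case-insensitively).
ARRIVAL_FROM = "buxtehude"
ARRIVAL_SUBJECT = "something about..."
ARRIVAL_ATTACHMENT = "setupw32.exe"
EXFIL_TO = "blabba@hotpop.com"
EXFIL_SUBJECT = "somethin' nice"
SMTP_RELAY = "smtp.hotpop.com"
# Relative to the Windows directory; the worm hardcodes C:\Windows.
STARTUP_RELATIVE = ("Start Menu", "Programs", "Startup", "BUXTEHUDE.EXE")


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def classify_message(raw):
    """Return 'arrival', 'exfil' or None for a raw RFC 5322 message.

    Design choice (ours, not the writeup's): two independent indicators are
    required for each verdict, so a legitimate mail that happens to share a
    single header value is not flagged.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = (msg["From"] or "").lower()
    recipient = (msg["To"] or "").lower()
    subject = (msg["Subject"] or "").strip().lower()
    names = attachment_names(msg)

    if ARRIVAL_ATTACHMENT in names and (
        ARRIVAL_FROM in sender or subject == ARRIVAL_SUBJECT
    ):
        return "arrival"
    if EXFIL_TO in recipient and (
        any(n.endswith(".pwl") for n in names) or subject == EXFIL_SUBJECT
    ):
        return "exfil"
    return None


def flag_relay_connections(log_lines):
    """Return the lines recording a TCP/25 connection to the worm's relay.

    The log format is hypothetical, constructed for this example:
    'timestamp src_ip -> dst_host:dst_port'.
    """
    hits = []
    for line in log_lines:
        try:
            dst = line.split("->", 1)[1].strip()
            host, port = dst.rsplit(":", 1)
        except (IndexError, ValueError):
            continue  # malformed line: skip it rather than crash
        if host.lower() == SMTP_RELAY and port == "25":
            hits.append(line)
    return hits


def startup_copy_present(windows_dir):
    """True if BUXTEHUDE.EXE sits in the Startup folder the worm hardcodes."""
    return os.path.isfile(os.path.join(windows_dir, *STARTUP_RELATIVE))


def build_sample(sender, recipient, subject, body, attachment_name):
    """Construct a MIME message with one binary attachment (test data only)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples reproducing the properties listed in the writeup.
SAMPLE_ARRIVAL = build_sample("Buxtehude <x@example.invalid>", "victim@example.invalid",
                              "Something about...", "Something about sex", "SETUPW32.EXE")
SAMPLE_EXFIL = build_sample("victim@example.invalid", "blabba@hotpop.com",
                            "Somethin' nice", "Hello, Buxtehude!", "VICTIM.PWL")
SAMPLE_BENIGN = build_sample("alice@example.invalid", "bob@example.invalid",
                             "Something about...", "the meeting", "notes.pdf")
SAMPLE_LOG = [  # constructed connection log, hypothetical format
    "2002-07-22T10:00:01 10.0.0.5 -> smtp.hotpop.com:25",
    "2002-07-22T10:00:02 10.0.0.5 -> mail.example.invalid:25",
    "2002-07-22T10:00:03 10.0.0.6 -> smtp.hotpop.com:110",
    "garbage line",
]

if __name__ == "__main__":
    for label, raw in (("arrival", SAMPLE_ARRIVAL), ("exfil", SAMPLE_EXFIL),
                       ("benign", SAMPLE_BENIGN)):
        print(label, "->", classify_message(raw))
    print("relay hits:", flag_relay_connections(SAMPLE_LOG))
    print("startup copy:", startup_copy_present(r"C:\Windows"))
```

The benign sample shares the worm's subject line but carries a different attachment, so it is not flagged; on a real gateway the attachment-name indicator is the one worth keeping if the subject text drifts across variants.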

The worm also contains a back door server. Through it, the remote user can perform actions including:
Copy, delete, upload, or download files
View running processes
Terminate processes
Shut down the system
Display messages
View the screen
Log keystrokes
Clear CMOS