there's more info at http://www.daemonology.net/ICQworm/worm.txt

It seems it uses the nearly 2 years!! old "ICQ downloads stuff to a known location" vulnerability:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-07/0210.html

Recently made current by Arman Nayyeri; as you can see, his post also mentions ICQ as an attack vector:
http://www.securityfocus.com/archive/1/348521

which they also use, effectively making this a worm that exploits a zero-day vulnerability. No patch is available from either Microsoft or ICQ, and antivirus signatures are trivially defeated, so it's easy to make variants of this virus.

Shame on ICQ!

----- Original Message -----
From: "Thor Larholm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 25, 2004 4:12 AM
Subject: [Full-Disclosure] Fw: [Unpatched] The Bizex worm


> We have all talked about how most viruses and worms that actually spread
> in the wild could have been written so much better by any one of us. I
> guess someone stepped forward and took the bait.
>
> Everything indicates that Bizex is a worm which was created as a hired
> job. Its primary purpose was to collect banking information and create
> an army of zombie machines. To accomplish this, it exploited a range of
> vulnerabilities, the latest of which was published as recently as
> February 19th on the Bugtraq mailing list.
>
> The antivirus companies are finally starting to update their signatures,
> hours after Bizex has already infected between 50,000 and 100,000
> machines (Kaspersky). Luckily, the main distribution sites have now been
> shut down, which has halted the spread but left us with an army of
> zombie machines waiting for new instructions on port 1534.
>
> New variants of Bizex are expected in the near future.
>
> Locking down the My Computer zone prevented Bizex from infecting a
> Windows system, a feature which is implemented as a demonstrative fix in
> the currently available Qwik-Fix beta ( www.qwik-fix.net ) and which
> Microsoft is also implementing in the upcoming Windows XP Service Pack
> 2, slated for release around June.
>
> More information about Bizex can be found at
>
> http://www.kaspersky.com/news.html?id=4277566
> http://www.viruslist.com/eng/viruslist.html?id=1029528
> http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
> http://www.sophos.com/virusinfo/analyses/w32bizexa.html
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101044
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> [EMAIL PROTECTED]
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix <http://www.qwik-fix.net>
>
> -----Original Message-----
> From: Thor Larholm
> Sent: Tuesday, February 24, 2004 5:31 PM
> To: Thor Larholm
> Subject: [Unpatched] The Bizex worm
>
>
>
> Dear Unpatched subscriber,
>
> Today a new worm was discovered in the wild, called Bizex. Employing a
> multilayered attack, spread and infection approach, it spreads through
> several vulnerabilities and exploits in multiple technologies such as
> email attachments, ICQ instant messaging and HTTP web pages. Some of
> these vulnerabilities are without patches from the vendor, raising the
> level of potential damage.
>
> Kaspersky is currently labelling this a global epidemic with more than
> 50,000 infections just among ICQ users.
>
> Likewise, implementing multiple layers of defense can help mitigate the
> threat posed by multilayered worms such as Bizex.
> The currently
> available BETA version of Qwik-Fix completely protects against the Bizex
> worm by mitigating the impact of several vulnerabilities it relies on.
> You can download Qwik-Fix at
>
> http://www.qwik-fix.net/
>
> Symantec has labelled this worm W32.Bizex.worm, but has not yet
> published any details about it.
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
>
> PivX Solutions are currently researching the potential impact of Bizex
> as well as its data gathering intentions. Some of the vulnerabilities
> this worm is exploiting in its effort to spread are:
>
> Microsoft Java virtual machine class loader
> ICQ SCM local file planting
> Microsoft Help CHM vulnerabilities
> ADODB Stream
> Internet Explorer Shell Folders
>
> Interestingly, the shell folder vulnerability was only recently
> categorized as being a serious threat on February 19 in a post to the
> Bugtraq mailing list. This once again demonstrates how malicious
> criminals are more rapidly exploiting vulnerabilities as they are being
> announced.
>
> Our initial analysis has shown that this worm is trying to collect
> credit card details from unsuspecting users, masquerading itself as a
> statement from banks and online trading sites, such as Wells Fargo,
> E*TRADE, American Express, e-gold, Verisign and LloydsTSB.
>
> It has been linked to websites that are anonymously registered to
> Russian individuals, is apparently created using Microsoft Visual
> Studio and installs a backdoor on compromised machines to be used by
> professional spammers.
>
> Kaspersky has released more details at
>
> http://www.kaspersky.com/news.html?id=4277566
>
> We will keep you updated as more information is uncovered.
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> [EMAIL PROTECTED]
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix <http://www.qwik-fix.net>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
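The mitigation the forwarded advisory credits with stopping Bizex is "locking down the My Computer zone", i.e. denying the Internet Explorer zone 0 (local machine) the permissions the worm's ADODB.Stream, CHM, Java and shell-folder stages relied on. The PowerShell below is an added example written for this page; it is not from the thread, from Qwik-Fix or from Microsoft. It audits the current user's zone 0 settings and, with -Apply, writes restrictive values. It assumes the documented layout of the Internet Settings\Zones\0 key (value names are URL action IDs in hex, DWORD 0 = enable, 1 = prompt, 3 = disable; the 1C00 Java permissions value uses 0 = disable Java), per Microsoft KB 182569; the particular set of actions restricted is this example's choice, not something the advisory lists.

```powershell
# Added example (not code from the thread, Qwik-Fix or Microsoft): audit and,
# with -Apply, restrict the Internet Explorer "My Computer" zone (zone 0) for
# the current user. Zone settings live under Internet Settings\Zones\0; each
# value name is a URL action ID in hex and each DWORD is 0 = enable,
# 1 = prompt, 3 = disable (Microsoft KB 182569). 1C00 (Java permissions) is
# encoded differently: 0 = disable Java. The action list is this example's choice.

$Zone0 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# Action ID -> @(description, value expected in a locked-down zone)
$Lockdown = [ordered]@{
    '1001' = @('Download signed ActiveX controls',                       3)
    '1004' = @('Download unsigned ActiveX controls',                     3)
    '1200' = @('Run ActiveX controls and plug-ins',                      3)
    '1201' = @('Initialize and script ActiveX controls not marked safe', 3)
    '1400' = @('Active scripting',                                       3)
    '1405' = @('Script ActiveX controls marked safe for scripting',      3)
    '1406' = @('Access data sources across domains',                     3)
    '1803' = @('File download',                                          3)
    '1C00' = @('Java permissions (0 = disable Java)',                    0)
}

function Get-MyComputerZoneAudit {
    <# One object per action: the current value ($null when the value is
       absent, which in zone 0 means IE's permissive default applies) and
       whether it already matches the lockdown value. #>
    $current = Get-ItemProperty -Path $Zone0 -ErrorAction SilentlyContinue
    foreach ($id in $Lockdown.Keys) {
        $desc, $want = $Lockdown[$id]
        $have = if ($current -and $null -ne $current.$id) { [int]$current.$id } else { $null }
        [pscustomobject]@{
            Action      = $id
            Description = $desc
            Current     = $have
            Wanted      = $want
            LockedDown  = ($have -eq $want)
        }
    }
}

function Set-MyComputerZoneLockdown {
    <# Dry run by default; pass -Apply to write the restrictive values. #>
    param([switch]$Apply)
    if (-not (Test-Path $Zone0)) { New-Item -Path $Zone0 -Force | Out-Null }
    foreach ($row in Get-MyComputerZoneAudit | Where-Object { -not $_.LockedDown }) {
        if ($Apply) {
            Set-ItemProperty -Path $Zone0 -Name $row.Action -Value $row.Wanted -Type DWord
            'set {0} ({1}) -> {2}' -f $row.Action, $row.Description, $row.Wanted
        } else {
            'would set {0} ({1}): {2} -> {3}' -f $row.Action, $row.Description, $row.Current, $row.Wanted
        }
    }
}

# Usage: audit first, review, then apply.
Get-MyComputerZoneAudit | Format-Table -AutoSize
Set-MyComputerZoneLockdown          # dry run, prints what would change
# Set-MyComputerZoneLockdown -Apply # write the restrictive values
```

Two caveats for anyone reproducing this on a 2004-era box: the values above are per-user (HKCU), so every profile on the machine needs them unless the Security_HKLM_only policy is in force, and this is not the same mechanism Microsoft shipped in XP SP2, whose Local Machine Zone Lockdown is controlled through a separate feature-control key rather than the zone 0 action values.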
