We have all talked about how most viruses and worms that actually spread in the wild could have been written so much better by any one of us. I guess someone stepped forward and took the bait.

Everything indicates that Bizex is a worm which was created as a hired job. Its primary purpose was to collect banking information and create an army of zombie machines. To accomplish this, it exploited a range of vulnerabilities, the latest of which was published as recently as February 19th on the Bugtraq mailing list.

The antivirus companies are finally starting to update their signatures, hours after Bizex has already infected between 50.000 and 100.000 machines (Kaspersky). Luckily, the main distribution sites have now been shut down, which has halted the spread but left us with an army of zombie machines waiting for new instructions on port 1534. New variants of Bizex are expected in the near future.

Locking down the My Computer zone prevented Bizex from infecting a Windows system, a feature which is implemented as a demonstration fix in the currently available Qwik-Fix beta ( www.qwik-fix.net ) and which Microsoft is also implementing in the upcoming Windows XP Service Pack 2, slated for release around June.

More information about Bizex can be found at
http://www.kaspersky.com/news.html?id=4277566
http://www.viruslist.com/eng/viruslist.html?id=1029528
http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
http://www.sophos.com/virusinfo/analyses/w32bizexa.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101044

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation".
Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>

-----Original Message-----
From: Thor Larholm
Sent: Tuesday, February 24, 2004 5:31 PM
To: Thor Larholm
Subject: [Unpatched] The Bizex worm

Dear Unpatched subscriber,

Today a new worm was discovered in the wild, called Bizex. Employing a multilayered attack, spread and infection approach, it spreads through several vulnerabilities and exploits in multiple technologies such as email attachments, ICQ instant messaging and HTTP web pages. Some of these vulnerabilities are without patches from the vendor, raising the level of potential damage. Kaspersky is currently labelling this a global epidemic with more than 50.000 infections just among ICQ users.

Likewise, implementing multiple layers of defense can help mitigate the threat posed by multilayered worms such as Bizex. The currently available BETA version of Qwik-Fix completely protects against the Bizex worm by mitigating the impact of several vulnerabilities it relies on. You can download Qwik-Fix at http://www.qwik-fix.net/

Symantec has labelled this worm W32.Bizex.worm, but has not yet published any details about it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html

PivX Solutions are currently researching the potential impact of Bizex as well as its data gathering intentions. Some of the vulnerabilities this worm is exploiting in its effort to spread are:

- Microsoft Java virtual machine class loader
- ICQ SCM local file planting
- Microsoft Help CHM vulnerabilities
- ADODB Stream
- Internet Explorer Shell Folders

Interestingly, the shell folder vulnerability was only recently categorized as being a serious threat on February 19 in a post to the Bugtraq mailing list. This once again demonstrates how malicious criminals are more rapidly exploiting vulnerabilities as they are being announced.
Our initial analysis has shown that this worm is trying to collect credit card details from unsuspecting users, masquerading itself as a statement from banks and online trading sites, such as Wells Fargo, E*TRADE, American Express, e-gold, Verisign and LloydsTSB. It has been linked to websites that are anonymously registered to Russian individuals, is apparently created using Microsoft Visual Studio and installs a backdoor on compromised machines to be used by professional spammers.

Kaspersky has released more details at http://www.kaspersky.com/news.html?id=4277566

We will keep you updated as more information is uncovered.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
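One way to restrict the My Computer zone that the first message credits with stopping Bizex is to tighten the URL action settings of Internet Explorer's Zone 0 in the registry. The PowerShell below is an added example, not code from the original mails, from PivX or from Qwik-Fix, and it does not reproduce Qwik-Fix's or Service Pack 2's actual mechanism; the registry path and URL action IDs are the standard IE zone settings, while the baseline values are my own assumption of a reasonable lockdown.

```powershell
# Added example: audit and optionally harden the IE "My Computer" zone (Zone 0).
# Assumptions: standard IE zone registry layout; URL action IDs are the usual
# hex action names; 0 = Enable, 1 = Prompt, 3 = Disable. The baseline is my
# own choice of a restrictive lockdown, not any vendor's published settings.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# URL action -> wanted value (3 = Disable).
$Baseline = @{
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe
    '1400' = 3   # Active scripting
    '1405' = 3   # Script ActiveX controls marked safe for scripting
    '1804' = 3   # Launching programs and files in an IFRAME
}

# Report every action whose current value differs from (or is missing vs.) the baseline.
function Get-LocalZoneDeviations {
    param([string]$Path = $ZonePath, [hashtable]$Wanted = $Baseline)
    $current = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($action in $Wanted.Keys) {
        $value = $current.$action
        if ($null -eq $value -or $value -ne $Wanted[$action]) {
            [pscustomobject]@{ Action = $action; Current = $value; Wanted = $Wanted[$action] }
        }
    }
}

# Apply the baseline; only call this after reviewing the deviation report.
function Set-LocalZoneLockdown {
    param([string]$Path = $ZonePath, [hashtable]$Wanted = $Baseline)
    foreach ($action in $Wanted.Keys) {
        Set-ItemProperty -Path $Path -Name $action -Value $Wanted[$action] -Type DWord
    }
}

$deviations = Get-LocalZoneDeviations
if ($deviations) {
    $deviations | Format-Table -AutoSize
} else {
    Write-Output 'My Computer zone already matches the restrictive baseline.'
}
```

Run the audit first; `Set-LocalZoneLockdown` changes only the current user's hive, so a machine-wide policy would need the corresponding HKLM key instead.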