W32/Buchon.B Worm

 Information about the W32/Buchon.B Worm:

W32/Buchon.B is an email worm. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address, picked up from the infected system.

The subject of the infected email will be;

Mail Delivery failure - <target user email>

The body of the infected email will be;

If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.tec.govt.nz/inbox/security/read.asp?sessionid-23368
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

The infected email has the following attachment;

message txt<random number of spaces>mcafee.com

Upon execution of the infected attachment, the worm copies itself as CSRSS.EXE in root of the Windows installed drive. The worm also creates a log file CSRSS.BIN in root of the Windows installed drive.

The worm modifies registry at the following location to run itself at the startup;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The worm creates the mutex, BABA_FEDCBA9876543210_BABA to ensure that only one instance of the worm is running in memory.

To propagate itself, the worm scans the folder inbox and the files having the following extensions and collects all the available email addresses from the infected system;

.dat, .wab, .tbb, .dbx, .eml, .mdb, .mbx.

The worm uses its own SMTP engine to mail copies of itself to the collected email addresses.

This worm first appeared on 23rd October, 2004.

 Other names of W32/Buchon.B Worm:

This Worm is also known as WORM_BUCHON.B, Worm/Buchon.B, I-Worm/Buchon.B, Win32/Netsky-AF, Win32/Buchon.B@mm.