Threat behavior
Worm:Win32/Buchon.G@mm is a mass-mailing e-mail worm that includes a proxy component that can respond to commands from attackers to download files from remote Web sites.
Worm:Win32/Buchon.G@mm copies itself to C:\csrss.exe and modifies the registry to load this copy of itself when Windows is started:
Adds value: Windowsupdate Service
With data: c:\csrss.exe
To subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Buchon.G@mm also creates a non-infecting file, C:\csrss.bin, which contains Web site URLs and IP address information.
The worm includes a Trojan component to act as a proxy and download files from the Internet upon instruction from attackers.
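The persistence entry and dropped files listed above are the host indicators a responder would check first. The following Python is an added triage example, not code from the Microsoft write-up: it parses a saved Windows Registry Editor (.reg) export of the Run key rather than a live registry, so it runs offline on any platform, and it checks a file listing for the two dropped paths. The sample export and file listing are constructed, and the function names (`parse_reg_export`, `find_buchon_persistence`, `find_dropped_files`, `triage`) are this example's own.

```python
"""Offline triage for the Worm:Win32/Buchon.G@mm host indicators.

Added example, not Microsoft's code.  Inputs are a .reg export in Registry
Editor 5.00 format (e.g. saved with `reg export`) and a plain list of file
paths; only REG_SZ ("name"="data") values are parsed, which is all the Run key
needs.  Sample data below is constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE = "windowsupdate service"          # value name from the write-up
SUSPECT_DATA = r"c:\csrss.exe"                   # data from the write-up
DROPPED_FILES = {r"c:\csrss.exe", r"c:\csrss.bin"}

# Constructed .reg export: one benign Run entry and the worm's entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windowsupdate Service"="c:\\csrss.exe"
"""

# Constructed file listing: the real csrss.exe lives under System32; the
# worm's copy and its .bin sit in the drive root.
SAMPLE_LISTING = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\csrss.exe",
    r"C:\csrss.bin",
    r"C:\Users\alice\notes.txt",
]

# A quoted .reg string: any run of non-quote/non-backslash chars or escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping in one pass: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_buchon_persistence(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for Run entries matching the indicator.

    Either the value name or the launch path is enough to flag the entry, so a
    hit is reported when the data launches c:\csrss.exe even if the value name
    differs, and vice versa.
    """
    hits: List[Tuple[str, str, str]] = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            launch = data.strip().strip('"').lower()
            if name.lower() == SUSPECT_VALUE or launch.startswith(SUSPECT_DATA):
                hits.append((key, name, data))
    return hits


def find_dropped_files(paths: List[str]) -> List[str]:
    """Return the listed paths that are the worm's dropped files (case-insensitive)."""
    return sorted(p for p in paths
                  if p.strip().replace("/", "\\").lower() in DROPPED_FILES)


def triage(reg_text: str, listing: List[str]) -> Dict[str, object]:
    """Run both checks and return a small report dict."""
    reg = parse_reg_export(reg_text)
    return {
        "persistence": find_buchon_persistence(reg),
        "dropped_files": find_dropped_files(listing),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REG_EXPORT, SAMPLE_LISTING))
```

On a real host the export would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (note that `reg export` writes UTF-16, so open the file with that encoding before passing the text in), and the file listing from a directory walk of the drive root. Matching on both the value name and the launch path keeps the check useful even when only one of the two indicators survives.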
Worm:Win32/Buchon.G@mm obtains SMTP server information by querying the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0000000\SMTP Server
The worm also queries the following DNS servers:
mx7.earthlink.net
mx5.prodigy.net
mx-ha01.web.de
mx02.mindspring.com
mx2.optonline.net
pbimail2.prodigy.net
mx8.earthlink.net
sbcmail2.prodigy.net
mailprove.netvigator.com
mailhost.hetnet.nl
mx4.earthlink.net
mx02.peoplepc.com
128.214.46.64
216.234.246.150
Worm:Win32/Buchon.G@mm searches files on local hard drives that have the following extensions (or, for inbox, the following file name) in order to obtain e-mail addresses. The worm sends copies of itself to the addresses discovered.
.dbx
.wab
.mbx
.eml
.mdb
.tbb
.txt
.html
.htm
.doc
.rtf
.cgi
.php
.asp
inbox
.dat
Prevention