Worm.Win32.Busa Spyware/Adware Definition
Name: Worm.Win32.Busa
Category: Viruses
Description:
Details
Worm.Win32.Busan
The Busan worm spreads through networks by copying itself to all accessible network resources. The worm is a Windows application (PE EXE file) that is compressed with UPX and is 14 KB in size. Its code is written in the C++ programming language.
When run, the worm sends a message via ICQ to the author's UIN, and then copies itself to the Windows directory under the name files32.sys. The Busan worm also copies a file named mh32.dll, a keyboard 'interceptor', to the Windows directory. The worm then tries to copy itself under the name auto.exe to the following directories:
C:\WINDOWS\All Users\Start Menu\Program Files\StartUp
C:\WINDOWS\All Users\?' ?-R? ?-Ï?ÁR?Á Ì??×R ?ÁÇ?
Because of a mistake in its code, it fails to copy itself to the above directories. Busan then probes IP addresses and copies itself to all accessible network resources.
Next, the worm registers itself under the system registry key:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"
This entry causes the worm to run again each time any EXE file is opened.
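A check for the registry change described above, as an added example that is not part of the original description: it scans a registry export (.reg text) and reports any executable file class whose default open command differs from the stock Windows value `"%1" %*`. It goes beyond exefile to the related classes comfile, batfile, cmdfile and piffile; the function names and the sample export are constructed for illustration.

```python
import re

# Stock Windows default for the open verb of directly executable file classes.
DEFAULT_OPEN = '"%1" %*'
# Classes checked here; the page names only exefile, the rest are a generalization.
WATCHED = ("exefile", "comfile", "batfile", "cmdfile", "piffile")

KEY_RE = re.compile(r"^\[(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)"
                    r"\\([^\\\]]+)\\shell\\open\\command\]$", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def unescape(reg_string):
    """Undo .reg string escaping (backslash-quote, double backslash)."""
    return re.sub(r"\\(.)", r"\1", reg_string)


def find_hijacked_handlers(reg_text):
    """Return [(file_class, command)] where the default open command differs
    from the stock value, i.e. something runs in front of every launch."""
    findings, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            name = m.group(1).lower() if m else None
            current = name if name in WATCHED else None
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if current and m:
            command = unescape(m.group(1))
            if command.strip().lower() != DEFAULT_OPEN:
                findings.append((current, command))
    return findings


# Constructed sample export: exefile carries the value from the description
# above, comfile is clean.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for file_class, command in find_hijacked_handlers(SAMPLE):
        print(f"{file_class}: open command replaced with: {command}")
```

Because the hijacked handler is needed to launch any EXE file, restore the stock value before deleting files32.sys; otherwise executables stop opening.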
While running, the worm collects all accessible names and passwords for the mailboxes registered in the system and stores them in the file C:\WINDOWS\lmhost.log. It then tries to send this file to the malefactor (the worm's master). The same file contains a complete record of the keystrokes captured by the keyboard interceptor, mh32.dll.
The Busan worm tries to download a file named worm31.bmp from an Internet website but cannot, as the page has since been removed.