'Bizex' worm attacks ICQ users

24 Feb 2004
Virus News
First global epidemic of an ICQ worm detected

Kaspersky Lab has detected Bizex, a new Internet worm which caused the first global epidemic among users of ICQ, the Internet instant messaging system. At the moment, messages about infection are coming in from almost all corners of the globe. A preliminary estimate is that approximately 50,000 are infected. A computer becomes infected if the user visits a hacker web-site. Invitations to visit this site are being circulated by ICQ.
As camouflage, when the web-site is viewed, the user is shown the Joe Cartoon site; Joe Cartoon is the creator of a popular American cartoon series. At the same time, the malicious program attacks the computer on two fronts: firstly, by using a breach in Internet Explorer, and secondly, by using a breach in Windows. The result is that a special file is downloaded to the computer without the user noticing anything; this file in turn downloads the file which contains Bizex and launches it on the victim computer.

Once this has been done, Bizex begins the process of infecting the victim computer. It creates a folder named SYSMON in the Windows system directory, copies itself to this folder under the name SYSMON.EXE and registers this file in the system registry auto-run key. The worm will therefore be loaded into the computer's memory each time the operating system is started.

Once this process is completed, Bizex starts to propagate using ICQ. The worm extracts from itself a number of system libraries used by the instant messaging system and installs them in the Windows system directory. Using these libraries, Bizex gains access to the ICQ contact list, disconnects the active ICQ client, and establishes a new connection to the server in the name of the user of the infected machine. It then sends a link to the web site mentioned above to all contacts found, as if from the user. It should be noted that the worm only attacks the original ICQ programs (with the exception of Web ICQ); alternative instant messaging clients, such as Miranda and Trillian, are immune.

Bizex has a range of payloads, all of which are dangerous and can lead to the leaking of confidential information. Specifically, the worm scans the infected computer and harvests information on the payment systems which are installed. Then, unnoticed by the user, it sends these details to a remote anonymous server. The list of vulnerable payment systems includes:
  • Wells Fargo
  • American Express UK
  • Barclaycard
  • Credit Lyonnais
  • Bred.fr
  • Lloyds
  • E-gold
Additionally, Bizex intercepts information transmitted by HTTPS (an encrypted communications protocol which is used, in particular, to transmit financial transactions) and also login details for a range of email systems, e.g. Yahoo. This information is also sent to the remote anonymous server.

'We see this as a bare-faced attempt to make money. The new method of penetration, the fact that ICQ has not been used for such an attack before, and the wide range of spy functions - this combination is sure to reap huge profits for the author of Bizex, in spite of the fact that the site was closed down four hours after the start of the outbreak,' said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. 'Users should be very cautious about visiting suspicious sites, and should install updates for Internet Explorer and Windows immediately.'

Protection against all the malicious components in Bizex has already been added to the Kaspersky Anti-Virus database. A more detailed description of this malicious program can be found in the Virus Encyclopaedia.
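As an added example that is not part of this article or of Kaspersky's products, the PowerShell script below checks a Windows host for the persistence artefacts described above: the SYSMON folder and SYSMON.EXE under the Windows system directory, and an auto-run registry value that launches that file. The article does not name the auto-run key, so checking the HKLM and HKCU Run keys is an assumption on my part, as is looking in both the System32 and Windows directories.

```powershell
# Added example, not from the article: look for the Bizex persistence
# artefacts it describes (SYSMON\SYSMON.EXE in the system directory and an
# auto-run registry value pointing at it). The Run keys and the two candidate
# directories are assumptions; the article only says "auto-run key" and
# "Windows system directory".

$candidateDirs = @(
    (Join-Path $env:SystemRoot 'System32'),   # system directory on NT-based Windows
    $env:SystemRoot                           # also check the Windows directory itself
)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Find-BizexArtefacts {
    $findings = @()

    # 1. The dropped copy: <system dir>\SYSMON\SYSMON.EXE
    foreach ($dir in $candidateDirs) {
        $exe = Join-Path (Join-Path $dir 'SYSMON') 'SYSMON.EXE'
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $findings += "Dropped file present: $exe"
        }
    }

    # 2. Auto-run registration: any Run value whose command names SYSMON\SYSMON.EXE
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry data
            if ("$($prop.Value)" -match 'SYSMON\\SYSMON\.EXE') {
                $findings += "Auto-run value '$($prop.Name)' in $key runs: $($prop.Value)"
            }
        }
    }
    return $findings
}

# @() keeps $hits an array even when the function returns nothing
$hits = @(Find-BizexArtefacts)
if ($hits.Count -eq 0) {
    'No Bizex persistence artefacts found.'
} else {
    $hits | ForEach-Object { "FOUND: $_" }
}
```

A hit on either check is a reason to isolate the host and take a full image before cleaning, since the article says the same worm also harvests payment and login data.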