60 seconds before shutdown – again

Malware descriptions

17 Aug 2005

minute read

Authors

Roel Schouwenberg

We’ve decided to rename Net-Worm.Win32.Small.d to Net-Worm.Win32.Bozori.a.

Infection reports are coming mostly from the USA, with some high-profile targets being hit.

Shortly after Bozori.a was detected we found Bozori.b. This variant doesn’t seem very widespread at the moment.

Instead of wintbp.exe, Bozori.b has wintbpx.exe as the filename. Otherwise the two variants don’t differ much, both around 10KB in size.

Bozori.b’s MD5: 7ef9b103143c15563ee386846fd4db77

The worm makes use of an exploit to get introduced to the system. And this exploit is a buffer overflow which is likely to result in a crash of services.exe.
This will lead to the infamous “System Shutdown” pop-up box made notorious by Lovsan and Sasser.

With only 60 seconds on the clock, administrators will have a tough time cleaning this mess up.

Authors

Roel Schouwenberg

60 seconds before shutdown – again

Latest Posts

Latest Webinars

Reports

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post-exploitation tools and techniques.

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Kaspersky has identified a new EastWind campaign targeting Russian organizations and using CloudSorcerer as well as APT31 and APT27 tools.

60 seconds before shutdown – again

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

ZeroLocker won’t come to your rescue

A Post-PC BlackHat?

Adobe Updates April 2014

Trust. Trust. Trust

Adobe’s First Patch Tuesday of 2014

Analysis of Elpaco: a Mimic variant

Ymir: new stealthy ransomware in the wild

QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns

New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency

Lumma/Amadey: fake CAPTCHAs want to know if you’re human

Latest Posts

APT trends report Q3 2024

Consumer and privacy predictions for 2025

Analysis of Elpaco: a Mimic variant

Advanced threat predictions for 2025

Latest Webinars

Inside the Dark Web: exploring the human side of cybercriminals

The Cybersecurity Buyer’s Dilemma: Hype vs (True) Expertise

Cybersecurity’s human factor – more than an unpatched vulnerability

Building and prioritizing detection engineering backlogs with MITRE ATT&CK

Reports

APT trends report Q3 2024

Beyond the Surface: the evolution and expansion of the SideWinder APT group

BlindEagle flying high in Latin America

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Subscribe to our weekly e-mails