BatzBack
Type Multi-vector worm
Creator
Date Discovered 26-DEC-2002
Place of Origin
Source Language Visual C++
Platform Microsoft Windows
File Type(s) .exe
Infection Length 37,376 bytes
Reported Costs

BatzBack, also known as Backzat, Kirbo or Kirbster, is a worm that spreads through IRC. It deletes the files of some antivirus programs. Some later variants are known for formatting drives and deleting boot sectors.

Behavior

When BatzBack is executed, it copies itself to the Windows folder and the System folder as BatzBack.scr, and also adds the file BatzBack.bat to these folders, which it then executes. It then adds BatzBack.scr to the Local Machine Run registry key.

If mIRC is installed, the worm finds and edits the file Script.ini so a copy is distributed to everyone on the same IRC channel as the user.
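As an added example (not code from the article or its cited sources), the following Python script checks two host-side artifacts for the persistence and IRC-spreading behaviour described above: a registry export for Run or RunServices values pointing at one of the dropped file names the article gives for the family (BatzBack.scr, WuFFie.Scr, TaskSystemDll.Exe), and an mIRC Script.ini for any line that references one of the names the article says are sent over IRC. The registry value names, paths and Script.ini contents in the sample are constructed; only the file names come from the article.

```python
"""Host-side indicator check for the BatzBack family. Added example, not code
from the article's sources. All sample input at the bottom is constructed."""
import ntpath
from typing import Dict, List

# Dropped file names the article says are registered under Run/RunServices
# (original: BatzBack.scr; .B: WuFFie.Scr; .X: TaskSystemDll.Exe). Comparison
# is case-insensitive because the article records the names in mixed case.
RUN_KEY_INDICATORS = {"batzback.scr", "wuffie.scr", "tasksystemdll.exe"}
# Names the article says are sent over IRC through a rewritten Script.ini.
IRC_INDICATORS = {"batzback.scr", "wuffie.scr", "cutekirby.scr"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the `reg export` text format: [key] headers followed
    by "name"="data" lines (backslashes are doubled in the file). Default
    values (@=) and non-string data are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_run_key_indicators(reg_text: str) -> List[str]:
    """Return 'key\\value -> data' for every Run/RunServices value whose
    target file name is one of the article's dropped names."""
    hits: List[str] = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if ntpath.basename(data).lower() in RUN_KEY_INDICATORS:
                hits.append(f"{key}\\{name} -> {data}")
    return hits


def find_irc_indicators(script_ini: str) -> List[str]:
    """Return the Script.ini lines that reference a known worm file name."""
    return [line for line in script_ini.splitlines()
            if any(ind in line.lower() for ind in IRC_INDICATORS)]


# Constructed sample export: one benign autorun value plus entries of the kind
# the article attributes to the original worm and to BatzBack.B.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BatzBack"="C:\\WINDOWS\\SYSTEM\\BatzBack.scr"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WuFFie"="C:\\WINDOWS\\WuFFie.Scr"
"""

# Constructed Script.ini: a harmless alias and a placeholder event line that
# references the dropped worm copy (the script body itself is elided).
SAMPLE_SCRIPT_INI = r"""[script]
n0=alias hello { echo -a hi }
n1=on 1:JOIN:#: { ... C:\WINDOWS\SYSTEM\BatzBack.scr ... }
"""

if __name__ == "__main__":
    for hit in find_run_key_indicators(SAMPLE_REG):
        print("autorun indicator:", hit)
    for line in find_irc_indicators(SAMPLE_SCRIPT_INI):
        print("Script.ini indicator:", line)
```

On a real host the inputs would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and from the Script.ini in the mIRC installation folder; a match on either is worth isolating the machine, since the article describes both artifacts as signs the worm has already run.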

[Image Batzback.png: Batzback Icons]

It searches for files in the following paths and deletes them:

  • \AntiVi~1
  • \eSafen
  • \f-macro
  • \PC-Cil~1
  • Progra~1\AntiVi~1
  • Progra~1\FindVirus
  • Progra~1\FWIN32
  • Progra~1\Grisoft\AVG6
  • Progra~1\McAfee\VirusScan
  • Progra~1\Norton~2
  • Progra~1\PandaS~1
  • Progra~1\QuickH~1
  • Progra~1\TrendM~1
  • Progra~1\ZoneLa~1
  • \TBAVW95
  • \ToolKit\FindVirus
  • \VS95

Variants

The first couple of versions of BatzBack appear to be benign. Later variants format hard drives and erase boot sectors. They also add vectors for spreading.

Batzback.B

Batzback.B adds the ability to spread over P2P networks. It also appeared in late December of 2002. This worm weighs in at 69,120 bytes. It uses Microsoft Outlook to send itself to all address book contacts.

[Image batz.b.gif: Batzback.B return message]

In addition to email and IRC like the original, it can spread over AIM95 instant messenger, as well as peer networks, including KaZaa, eDonkey2000, BearShare, and Morpheus. It can also spread over network shares.

It can arrive in an email with the subject "Duuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuude", an attachment named "WuFFie.Scr", and a body that says "Whoa man amuse yourself with this funny freakin screen saver".

When run, it copies WuFFie.Scr to the Windows and Windows System folders. This file is added to the Local Machine Run registry key, as well as the RunServices key.

It also looks for the KaZaa registry key, HKCU\Software\KaZaa\Transfer\DlDir0, to determine the KaZaa folder. If the worm finds the key, it copies itself to the following locations:

  • C:\My Downloads\EminEmSpearsBritney.Scr
  • C:\Program Files\ICQ\Shared Files\EminEmSpearsBritney.Scr
  • C:\Program Files\EDonkey2000\Incoming\EminEmSpearsBritney.Scr
  • C:\Program Files\BearShare\Shared\EminEmSpearsBritney.Scr
  • C:\Program Files\Morpheus\My Shared Folder\EminEmSpearsBritney.Scr
  • [KaZaa transfer folder]\EminEmSpearsBritney.Scr

[Image batz.bb.gif: Batzback.X error message]

It will also copy itself to the folder AIM95 in Program Files as BuddyScreenSaver.Scr

It also searches for mapped drives with letters from G: to Z: and on finding them, places a copy of itself as WuFFie.Scr at the root of the drive.

It creates its own Script.ini file and if it finds mIRC installed on the system, it will overwrite the original Script.ini with this version. This enables it to send itself to every user on the same IRC channel as the infected user.

[Image batz.bbb.gif: Dedication to Christina Aguilera]

BatzBack.B creates the file WuFFie.bat in the Windows folder. This file performs the email spreading routine, though this feature contains some bugs that may cause it to fail.

BatzBack.C

This variant weighs in at 68,608 bytes. It is first mentioned in early January of 2003. This variant also spreads through peer-to-peer networks, adding Grokster to the networks it exploits.

Its email subject line is "Heyhey!" and the message body is "You already know man, I've seen funny things in my life but this screen saver beats them all, You have to check this out." The attachment is named "BBbLWDB.Scr".

When executed, it makes copies of itself as Taskmoan.exe in the Windows folder and BBbLWDB.Scr in the System folder.

It displays a fake error message:

Error
This program has encountered an error and needs to
close, please try again. If the problem persists try
restarting your computer.
[ OK ]

[Image Batzd.png: Best wishes!]

If it finds the KaZaa registry key, it will copy itself to the following locations:

  • [KaZaa Folder]\Kira Kerner SCREENSAVER.Scr
  • C:\My Downloads\NUDIE SCREENSAVER.Scr
  • C:\Program Files\BearShare\Shared\XBOX EMU REALWORKING.EXE
  • C:\Program Files\EDonkey2000\Incoming\EminEmSpearsBritney.Scr
  • C:\Program Files\Grokster\My Grokster\KOF2K2.zip.EXE
  • C:\Program Files\ICQ\Shared Files\GAMECUBE EMU REALWORKING.EXE
  • C:\Program Files\Morpheus\My Shared Folder\HOT SEXY SCREENSAVER.Scr

[Image batz_message_2.png: Error.]

It copies itself as Buddies4Eva.Scr to the AIM95 folder and to shared folders as Taskmoan.exe. Its batch file for email propagation is BBbLWDB.Bat.

On Windows 2K, XP, and NT, it overwrites all .exe files in the folder C:\_RESTORE\Temp with itself, as well as all .bat files with its batch emailer.

On Sunday, it will attempt to format drives D, E, and F.

In addition to the antivirus products deleted by the original version, it adds the following:

  • C:\Progra~1\AvPersonal\*.*
  • C:\Progra~1\Command~1\F-PROT95\*.*
  • C:\Progra~1\Common~1\Symant~1\*.*
  • C:\Progra~1\Common~1\Symant~1\Script~1\*.*
  • C:\Progra~1\Kasper~1\*.*
  • C:\Progra~1\McAfee\McAfee FireWall\*.*
  • C:\Progra~1\Norton~1
  • C:\Progra~1\PandaS~1\PandaA~1\*.*
  • C:\Progra~1\Symantec\*.*
  • C:\Progra~1\TinyPe~1\*.*
  • C:\Progra~1\TrendM~1\Pc-cil~1\*.*
  • C:\Progra~1\Trojan~1\*.*
  • C:\Progra~1\ZoneLa~1\ZoneAlarm\*.*

BatzBack.G

This variant appeared around the 11th of June 2003. It is 25,088 bytes compressed with UPX and 61,440 bytes uncompressed. It uses the name Batzback.scr for the copies of itself it makes in the Windows and System folders. It uses the name enimemspearsbritney.scr in the KaZaa share folder. Its AIM95 name is Buddyshare.exe. The worm sends itself as batzback.scr on IRC if mIRC is installed. BatzBack.H's .bat file is named Batzback.bat and it will be hidden.

On Sunday, it erases the hard drive's boot sector. It also deletes files for the same antivirus programs as previous versions.

BatzBack.H

This variant sometimes goes by the name Kirbo. Its earliest recorded date is the 10th of June 2003 and it is 95,232 bytes long. Much like previous versions, it propagates over email, IRC, AIM, and peer-to-peer file sharing.

If arriving by email, it will have the subject line of "Fw: Hello there". The text body will be "Hey, I just received a screen saver in the mail and it is really cute. Take a look.". The attachment containing the worm will be CuteKirby.scr.

When run, it displays the same error message as Batzback.C.

[Image KIRBYBMP.BMP: The Kirby Icon.]

It replaces all .exe files in the current folder with a copy of itself. This version copies itself as cutekirby.scr and tasksystemdll.exe. It also creates a copy of itself with the name KIRBSTER.EXE on all local disk drives and network shares. BatzBack.H will not attempt to spread over peer-to-peer networks if it does not find KaZaa installed. It has a separate name for every share folder it copies itself to.

  • KaZaa: Rage Against The Machine - Sleep Now In This Fire.Mp3.Exe
  • Morpheus: PennyWise - Land Of The Free.Mp3.Exe
  • BearShare: Therion - Nifelheim.Mp3.Exe
  • EDonkey2000: Feeder - Under The Weather.Mp3.Exe
  • Grokster: AFI - 6 To 8.Mp3.Exe
  • My Downloads: ePs2e - PS2 Emulator.Exe
  • ICQ: disk doctors file shredder - Iso Ripper.Exe

This version creates a file at the root of the C: drive named KIRBY.BAT. This file creates the files KIRBYBMP.BMP and cutekirby.scr, which it sets respectively as the wallpaper and screensaver. It also creates a file KIRBYWINS.MP3 in the root of the C: drive, which plays the theme music from the video game Kirby.

On Mondays, it creates the files KirbyFlood.BAT, KirbyFlood.VBS, and KirbyMail.VBS. The first two call each other in an infinite loop until the system runs out of memory. When this has happened, it displays a message with the text "L0NEwOlf strikes again! W.32.Kirby Fl00der by LONEwOLf.". Executing KirbyFlood.VBS by itself displays the message:

Enter The w0lf
Are you ready? W32.Kirby.Fl00der By L0NEw0lf
[ OK ]

Pressing the [OK] button returns to the same window.

KIRBYMAIL.VBS is supposed to send the worm to the entire address book of the infected user, but fails due to an error in the code.

BatzBack.X

This variant is first recorded around the 21st of January in 2003. It weighs in at 86,048 bytes and is known to some antivirus products as Kirbster. Like previous versions, it propagates over email, file sharing, AIM, and IRC.

If arriving in an email, it will have a subject line of "Fw: Hello there.". The attachment name will be CuteKirby.Scr.

[Image backzat-x-event1aa.png: Batzback.X error message]

When executed, this variant displays a fake error message on the screen. It copies itself to the Windows system folder as CuteKirby.Scr and TaskSystemDll.Exe. It adds the files kirbybmp.bmp and Kirby wins.mp3 to the system folder. It adds the file TaskSystemDll.Exe to the Local Machine run registry key. It also attempts to set kirbybmp.bmp as the wallpaper and CuteKirby.Scr as the screensaver.

It will add the following files to the peer-to-peer shared folders:

  • AFI - 6 to 8.Mp3.exe
  • Feeder - Under The Weather.Mp3.exe
  • Therion - Nifelheim.Mp3.exe
  • PennyWise - Land Of The Free.Mp3.exe
  • Winiso Will - Iso Ripper.exe
  • ePs2e - PS2 Emulator.exe
  • Rage Against The Machine - Sleep Now In This Fire.Mp3.exe

It uses the name CutiePinkKirby.Scr in the AIM95 folder.
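The share-folder, AIM95 and drive-root file names listed for Batzback.B, .C, .G, .H and .X above are the most portable indicators the article gives, because they survive whichever folder the worm happened to find. As an added example (not code from the article or its sources), this Python sweep matches a directory listing against that name table, case-insensitively since the article records the same name in several spellings, and adds one heuristic of its own: an executable whose name carries a media or archive extension before .exe or .scr, the pattern the .C, .H and .X lure names share. The listing at the bottom is constructed; the lure names come from the article.

```python
"""Share-folder and drive-root sweep for BatzBack lure file names. Added
example, not from the article's sources; the directory listing is constructed."""
import ntpath
from typing import Iterable, List, Optional, Tuple

# (file name, variant) pairs from the article's lists, lower-cased for
# case-insensitive comparison (.G records the EminEm name in lower case).
LURE_NAMES = {name.lower(): variant for name, variant in [
    ("EminEmSpearsBritney.Scr", "B/C/G"),
    ("BuddyScreenSaver.Scr", "B"),
    ("WuFFie.Scr", "B"),            # root of mapped drives G: to Z:
    ("Kira Kerner SCREENSAVER.Scr", "C"),
    ("NUDIE SCREENSAVER.Scr", "C"),
    ("XBOX EMU REALWORKING.EXE", "C"),
    ("KOF2K2.zip.EXE", "C"),
    ("GAMECUBE EMU REALWORKING.EXE", "C"),
    ("HOT SEXY SCREENSAVER.Scr", "C"),
    ("Buddies4Eva.Scr", "C"),
    ("Taskmoan.exe", "C"),
    ("Buddyshare.exe", "G"),
    ("Rage Against The Machine - Sleep Now In This Fire.Mp3.Exe", "H/X"),
    ("PennyWise - Land Of The Free.Mp3.Exe", "H/X"),
    ("Therion - Nifelheim.Mp3.Exe", "H/X"),
    ("Feeder - Under The Weather.Mp3.Exe", "H/X"),
    ("AFI - 6 To 8.Mp3.Exe", "H/X"),
    ("ePs2e - PS2 Emulator.Exe", "H/X"),
    ("disk doctors file shredder - Iso Ripper.Exe", "H"),
    ("Winiso Will - Iso Ripper.exe", "X"),
    ("KIRBSTER.EXE", "H"),          # all local drives and network shares
    ("CutiePinkKirby.Scr", "X"),
]}

EXECUTABLE_EXTS = (".exe", ".scr")
# Added heuristic, not from the article: extensions the lure names hide behind.
DISGUISE_EXTS = (".mp3", ".zip")


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (reason, variant) when the path matches an indicator, else None.
    Exact article names are checked first, then the double-extension heuristic."""
    base = ntpath.basename(path).lower()
    if base in LURE_NAMES:
        return ("known lure name", LURE_NAMES[base])
    stem, ext = ntpath.splitext(base)
    if ext in EXECUTABLE_EXTS and ntpath.splitext(stem)[1] in DISGUISE_EXTS:
        return ("double extension", "heuristic")
    return None


def sweep(listing: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, reason, variant) for every flagged entry in the listing."""
    hits: List[Tuple[str, str, str]] = []
    for path in listing:
        result = classify(path)
        if result is not None:
            hits.append((path, result[0], result[1]))
    return hits


# Constructed listing: benign files mixed with entries of the kinds the
# article describes for the share folders, the AIM95 folder and a mapped drive.
SAMPLE_LISTING = [
    r"C:\Program Files\KaZaa\My Shared Folder\some_song.mp3",
    r"C:\Program Files\KaZaa\My Shared Folder\Rage Against The Machine - Sleep Now In This Fire.Mp3.Exe",
    r"C:\My Downloads\EminEmSpearsBritney.Scr",
    r"C:\Program Files\AIM95\CutiePinkKirby.Scr",
    r"G:\WuFFie.Scr",
    r"C:\Program Files\Grokster\My Grokster\cool_demo.zip.exe",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for path, reason, variant in sweep(SAMPLE_LISTING):
        print(f"{reason:18} {variant:10} {path}")
```

The heuristic row is the one to watch for false positives: a legitimately named "album.zip.exe" self-extractor would trip it, so in practice it is a triage hint while the exact-name rows are the article's actual indicators.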

This variant also has a couple of payloads that run on Sunday. It deletes .doc and .txt files on the root of the C: drive, the Windows folder, and the System folder. In addition to nearly all the files the previous variants delete in order to attack antivirus products, it also attacks the following:

  • C:\Progra~1\AvPersonal
  • C:\Progra~1\Trojan~1
  • C:\Progra~1\Kasper~1
  • C:\Progra~1\TinyPe~1
  • C:\Progra~1\Zone Is~1\ZoneAlarm
  • C:\Progra~1\Command~1\F-PROT95
  • C:\Progra~1\trend I~1\Pc-cil~1
  • C:\Progra~1\PandaS~1\Panda By~1
  • C:\Progra~1\eSafe\Protect
  • C:\Progra~1\McAfee\McAfee FireWall
  • C:\Progra~1\Common~1\Symant~1\Script~1
  • C:\Progra~1\Common~1\Symant~1
  • C:\Progra~1\Symantec

Effects

Some variants of BatzBack were seen in the wild as late as April 2008.

Sources

VSAntivirus, W32/Backzat. 30-DEC-2002

VSAntivirus, W32/Backzat.B. 30-DEC-2002

VSAntivirus, W32/Backzat.C. 07-JAN-2003

VSAntivirus, W32/Backzat.G. 10-JUN-2003

VSAntivirus, W32/Backzat.H. 11-JUN-2003

Eset, BACKZAT.X. 09-NOV-2009 (many pics)

Virus Bulletin, The WildList, April 2008

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License