Bigbrother | |
---|---|
Type | Email worm |
Creator | Lord Yup |
Date Discovered | 2002.08.01 |
Place of Origin | Poland |
Source Language | Assembly |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 12,800 bytes |
Bigbrother, also known as Bibro, Livecam or Sitlund (or some variation on these names) is a worm by Lord Yup.
Behavior
Bigbrother arrives in an email as the attachment "BigBrother_Live_Camera.exe". The sender will be "BIGBROTHER TVN POLSKA" <bigbrother@bigbrother.tvn.com.pl> and the subject is "BIGBROTHER SHOW !". The message body is in Polish:
Teraz mozesz ogladac BIG BROTHER SHOW za pomoca komputera! Jak to
zrobic? Wystarczy ze uruchomisz specjalny program
(BIGBROTHER_LIVE_CAMERA.EXE) , ktory zostal dolaczony do wiadomosci.
Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie
osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda
nagrody (telewizory, wieze stereo,
komputery ...i wiele ,wiele innych). Prosimy przysylac
opinie i komentarze na temat programu.
Zyczymy milej zabawy:
Redakcja programu.
Translation:
Now you can watch the BIG BROTHER SHOW on your computer! How do you
do it? Just run the special program
(BIGBROTHER_LIVE_CAMERA.EXE), which is attached to this message.
In addition, with the help of this tool you can nominate the people you choose
to leave the Big Brother house. Every month, prizes will be drawn
(TVs, stereos,
computers ... and many, many others). Please send
opinions and comments about the show.
We hope you have fun:
The show's editorial team.
When Bigbrother is executed, it copies itself to the Windows folder's temporary folder as 000000s.b64 and to the system folder as b1g_brother.exe. It adds the line " run=C:\%System%\b1g_brother.exe" to the Win.ini file, ensuring it will start up when the computer is started.
The worm creates the file 00000b.rat, which is in email format. It searches the registry for information on the system's SMTP server and the current user. It then searches all *.htm* files in the user's personal folders, and sends a copy of itself to all email addresses it finds.
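A defender-side check built from the indicators described above, as an added example that is not part of the original entry or of any vendor tool: it reports which of the sender, subject and attachment indicators a raw message matches, and which Win.ini autorun entries point at b1g_brother.exe. The function names, the sample message and the sample Win.ini (including the `C:\WINDOWS\SYSTEM` path) are constructed assumptions. The `run=` line is matched in any section because the entry does not say where the worm writes it.

```python
import email
import ntpath
from email import policy
from email.message import EmailMessage

# Indicators as given in the description above (lower-cased where compared so).
SENDER = "bigbrother@bigbrother.tvn.com.pl"
SUBJECT = "BIGBROTHER SHOW !"
ATTACHMENT = "bigbrother_live_camera.exe"
AUTORUN_NAME = "b1g_brother.exe"

# Constructed sample: Win.ini with the worm's line (system path is assumed).
SAMPLE_WININI = "[windows]\nload=\n run=C:\\WINDOWS\\SYSTEM\\b1g_brother.exe\n"


def sample_mail() -> bytes:
    """Constructed sample message carrying the three e-mail indicators."""
    m = EmailMessage()
    m["From"] = '"BIGBROTHER TVN POLSKA" <bigbrother@bigbrother.tvn.com.pl>'
    m["Subject"] = "BIGBROTHER SHOW !"
    m.set_content("placeholder body")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="BigBrother_Live_Camera.exe")
    return m.as_bytes()


def mail_indicators(raw: bytes) -> set:
    """Return which e-mail indicators (sender, subject, attachment) match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if SENDER in str(msg.get("From", "")).lower():
        hits.add("sender")
    if str(msg.get("Subject", "")).strip().upper() == SUBJECT:
        hits.add("subject")
    if any((p.get_filename() or "").lower() == ATTACHMENT for p in msg.walk()):
        hits.add("attachment")
    return hits


def worm_autoruns(winini_text: str) -> list:
    """Return run=/load= targets in Win.ini whose file name is b1g_brother.exe."""
    hits = []
    for line in winini_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() in ("run", "load"):
            hits += [p for p in value.replace(",", " ").split()
                     if ntpath.basename(p).lower() == AUTORUN_NAME]
    return hits
```

A message matching only one indicator (for example the subject alone) is weak evidence; the set returned by `mail_indicators` lets a triage rule require two or three before flagging.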
Effects
There was one reported wild infection. The worm probably did not venture far from Lord Yup's lab.
Sources
Lord Yup. Bigbrother Source.
Yana Liu. Symantec.com, W32.Siltund.Worm.