Simon Willison’s Weblog



27th February 2004

I’m going to try not to turn this in to a blog about Windows security exploits but this one is genuinely interesting in that it actively tries to steal financial information and important passwords. Bizex spreads itself by spamming messages over ICQ advising the recipient to visit a specific URL. When they visit it, Internet Explorer exploits are used to download and execute the main payload which then infects their ICQ program and uses it to message their contacts. The worm also scans their hard drive for information relating to a number of well known financial services which it then uploads to a server via FTP, and it apparently snoops on their browser for any passwords travelling over HTTPS connections as well.

It seems that the sole purpose of this worm was to steal a bunch of cash quickly, and it looks very likely to succeed. The servers used to spread the worm have since been taken offline but you can be sure the person or people behind the worm were smart enough to cover their tracks.

More on Bizex can be found here and here; Thors Larholm’s analysis on BugTraq is particularly insightful.

Previously hosted at