Size: 11776 (packed with UPX)
Presence of the registry entry:
Vote For Kerry = KillBush.exe
Let BitDefender delete this worm's files.
Adrian Gostin, BitDefender Antivirus Researcher
The worm spreads using the RPC and LSASS vulnerabilities (addressed in
Microsoft Security Bulletins MS03-026 and MS04-011, respectively).
Upon execution, it does the following:
- Tries to create a mutex named BushDie (to prevent itself from infecting
a computer more than once);
- Starts two threads used later to transfer itself to other computers being infected:
  - one thread listens on TCP port 420 for various control commands;
  - the other thread opens an FTP server on port 9604 used for the actual transfer
of the file;
- Starts another two threads used for infecting other computers: one tries to infect
computers vulnerable to the RPC vulnerability and the other those vulnerable to
Each of these last two threads continuously generates random IP addresses and
scans the computer at each generated address (the remote computer) for the
RPC / LSASS vulnerability. If the remote computer is vulnerable, the worm on
the infected computer sends it specially crafted IP packets containing a small
piece of code that is executed on the remote computer with full
administrator rights. This code opens a shell on a TCP port and listens for
commands. The infected computer then sends commands to that shell, causing
it to download the entire worm's code (from the FTP server previously opened
by the worm on the infected computer) and execute it on the remote computer,
thereby completing the infection of that IP address.
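The behaviour above leaves three host-side traces that an incident responder can check for: the Run-key value (Vote For Kerry = KillBush.exe), the two listeners (TCP 420 for control and port 9604 for the FTP transfer, assumed here to be TCP since FTP runs over TCP) owned by the same process, and the BushDie mutex. The following is an added triage example, not BitDefender code and not part of the original description; it runs the checks over text dumps (a .reg export, `netstat -ano` output and a handle listing) so that it works offline. The dump formats and the sample contents are constructed for illustration, and the PIDs in them are made up.

```python
"""Offline triage for the KillBush indicators (added example, not BitDefender code).

Inputs are plain-text dumps so the logic runs on any platform:
  * a .reg export of the Run key            -> "Vote For Kerry"="KillBush.exe"
  * `netstat -ano` output                   -> TCP 420 and 9604 LISTENING, same PID
  * a handle listing (Sysinternals-style)   -> a Mutant named BushDie
Collecting those dumps from a live Windows host is left to the reader.
"""
import re

RUN_VALUE_NAME = "Vote For Kerry"          # value name from the description
RUN_VALUE_DATA = "KillBush.exe"            # value data from the description
WORM_PORTS = {420: "control listener", 9604: "FTP transfer server"}
MUTEX_NAME = "BushDie"


def find_run_value(reg_export):
    """Return (name, data) pairs in a .reg export matching the worm's Run entry."""
    hits = []
    for line in reg_export.splitlines():
        m = re.match(r'^\s*"([^"]+)"="([^"]*)"\s*$', line)   # "Name"="Data"
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if name == RUN_VALUE_NAME or data.lower().endswith(RUN_VALUE_DATA.lower()):
            hits.append((name, data))
    return hits


def find_listeners(netstat_output):
    """Map worm port -> owning PID for TCP sockets in LISTENING state."""
    found = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        try:
            port = int(parts[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port in WORM_PORTS:
            found[port] = parts[4]     # PID column of `netstat -ano`
    return found


def find_mutex(handle_listing):
    """True if a Mutant handle whose name ends in \\BushDie appears in the listing."""
    return any("Mutant" in line and line.rstrip().endswith("\\" + MUTEX_NAME)
               for line in handle_listing.splitlines())


def triage(reg_export, netstat_output, handle_listing):
    """Combine the three checks; both listeners in one process is the strongest signal."""
    listeners = find_listeners(netstat_output)
    same_process = len(listeners) == len(WORM_PORTS) and len(set(listeners.values())) == 1
    run_hits = find_run_value(reg_export)
    mutex = find_mutex(handle_listing)
    return {
        "run_value": run_hits,
        "listeners": listeners,
        "listeners_share_pid": same_process,
        "mutex": mutex,
        "infected": bool(run_hits) or same_process or mutex,
    }


# --- constructed sample dumps (not captured from a real host) ---------------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeUpdater"="C:\\Program Files\\Vendor\\upd.exe"
"Vote For Kerry"="KillBush.exe"
'''

SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:420            0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:9604           0.0.0.0:0              LISTENING       1588
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
'''

SAMPLE_HANDLES = r'''  1C4: Mutant        \BaseNamedObjects\BushDie
  1C8: File          C:\WINDOWS\system32
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_HANDLES).items():
        print(f"{key}: {value}")
```

The mutex check only works on a live process listing, since the mutex disappears when the worm's process dies; the Run-key value, by contrast, survives a reboot and is the indicator to check on an offline disk image.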
The worm contains the following unused string in its file:
Hello, LURHQ, Network Associates, F-Secure Corp, and anyone else I left out.
I prefer you call this 'Bushkiller' or 'KillBush', and not something lame. Also, I'd like
to introduce you to the new 'Team Spaz'. F**k NetSky and the like. Bush must go!
Kerry 2004! :-)