LATimes: Agent.BTZ Might be Concerted Cyber-Attack


The Los Angeles Times reports that the reports about the Agent.BTZ worm spreading to the U.S Army networks might be a coordinated attacks originating from Russia[1].

The U.S Central Command is now infected with the worm and a high-classified network has been hit also.

It is unclear if the author of the article thinks that an infection is the same things as an ‘attack’ though. From the article:

“Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.”

This infection has been report at the beginning of the month. This might just be sensationalism ofrcomplete ignorance from the author who might think than an infection by a worm made in Russia is a deliberate attack.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

Then maybe they should just call Symantec or F-Secure or even better, Google it…or this if they are having a hard time..

See also:

“U.S Army Infected by Worm”, Jonathan Racicot, Cyberwarfare Magazine, November 11, 2008,

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl

[1] “Cyber-attack on Defense Department computers raises concerns”, Julian E. Barnes, Los Angeles Times,  November 28, 2008,,0,230046.story (accessed on November 28, 2008)

U.S Army Infected by Worm


Wired reports that the U.S Army network is under assault by a variant of the SillyFDC worm called Agent-BTZ [1]. In order to restrain the infection, the U.S. Strategic Command has ban the use of every portable media on its network, this include USB keys, CDs, flash cards, floppies etc… Both the SIPRNet and NIPRNet are affected by this directive.

The SillyFDC worm infects systems through replication, i.e. by copying itself to various locations such as these folders[2]:

  • %System%
  • %Windir%
  • %Temp%
  • %UserProfile%
  • %ProgramFiles%
  • %SystemDrive%
  • %CommonProgramFiles%
  • %CurrentFolder%

Computer Virus Looming
Computer Virus Looming

It will also try to copy itself to any drive connected to the machine by scanning drives A:\ to Z:\, which is why the U.S Army is banning the use of portable media for the time being.  According to F-Secure who first discovered the worm[3], the variant in question will also create these files[4]:

  • %windir%\system32\muxbde40.dll
  • %windir%\system32\winview.ocx
  • %temp%\6D73776D706461742E746C62FA.tmp
  • %windir%\system32\mswmpdat.tlb

It will then install itself into the registry to make sure the worm starts every time the computer is booted. It will also attempt to download a JPG file from[REMOVED].jpg and create an AUTORUN.INF file on each drive on the computer, which contains the following:

shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM

[RANDOM] is a randomly generated filename for the malicious DLL. Each time a new partition or a new drive is plugged in, Agent.BTZ will infect it immediately.

The SillyFDC worm doesn’t have any payload, as it only replicates itself through systems it finds using physical medias only. But its variant, the Agent.BTZ is a known Trojan dropper. A dropper is the kind of Trojan that will look to download and execute other malware. It’s surprising that it found its way into the U.S Army network. So that might be a tip for any worm/Trojan writer: add physical media replication to your malware like in the good ol’ days before e-mail, as it seems sending it by e-mail or click jacking is pretty well filtered in military networks, but peripherals such as USB keys are still often used by personnel. And this will surely open the eyes of the network admins of the U.S Army: scan anything plugged into the network.

Also, Graham Cluley, senior technology consultant at Sophos advises:

“… that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC”

With whom I agree.


Since so many people asked me about this worm, I looked deeply into Internet and found this code, which seems to be part of the script of the Silly FDC worm (that’s the best I could do for now). This script basically copy files from one directory to another, renames the core of the worm and put it into another directory and add registry keys. I cannot confirm this as I found this on an Indonesian blog, so if anyone can look into this, please let me know. Thank you. Blog :

See also:

“US Army bans USB devices to contain worm”, John Leyden, The Register, November 20, 2008, (accessed on November 20, 2008)

[1] “Under Worm Assault, Military Bans Disks, USB Drives”, Noah Shachtman, Danger Room, Wired, (accessed on November 20, 2008)

[2] “W32.SillyFDC”, Symantec, (accessed on November 20, 2008)

[3] “Troj/Agent-EMB”, Sophos, (accessed on November 20, 2008)

[4] “F-Secure Malware Information Pages: Worm:W32/Agent.BTZ”, F-Secure Corporation, (accessed on November 20, 2008)

First Internet Worm is 20 years old Sunday


In 1988, the computer world faced a new cyber menace that is still very well alive today. The first computer worm, written by a student called Robert Tappan Morris.

From Wikipedia:

“The original intent, according to him, was to gauge the size of the Internet. He released the worm from the Massachusetts Institute of Technology (MIT) to conceal the fact that it actually originated from Cornell. The worm was designed to count how many machines were connected to the Internet. Unknown to Morris, the worm had a design flaw. The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, Morris directed the worm to copy itself anyway, fourteen percent of the time, no matter the response to the infection-status interrogation.”

Infection Map of the Code Red Worm
Infection Map of the Code Red Worm

Nowadays, worms are notorious for spreading malicious payloads across the entire Internet. It also known as an extremely efficient cyber weapon to mass exploit vulnerabilities on a large scale. Popular worms include Code Red, in 2001, which infected up to 359 000 machines[1], Klez, Blaster, Sasser are also notorious computer worms. Here is a table of notorious worms from the last decade:



Damage ($US)

CIH 1998 $20 to $80 million
Melissa 1999 $1 billion
ILoveYou 2000 $5.5 billion to $8.7 billion in damages; ten percent of all Internet-connected computers hit
Code Red 2001 $2 billion; a rate of $200 million in damages per day
SQL Slammer 2003 Shut down South Korea’s online capacity for 12 hours; affected 500,000 servers worldwide
Blaster 2003 between $2 and $10 billion; hundreds of thousands of infected PCs
Sobig 2003 500,000 computers worldwide; as much as $1 billion in lost productivity
Sasser 2004 tens of millions of dollars; shut down the satellite communications for some French news agencies; several Delta airline flights were cancelled; shut down numerous companies’ systems worldwide
MyDoom 2004 Slowed global Internet performance by 10 percent and Web load times by up to 50 percent
Bagle 2004 Tens of millions of dollars

Table 1.0 – Top 10 Computer Worms[2]

See also:

Morris worm turns 20: Look what it’s done“, Carolyn Duffy Marsan, Network World, October 30, 2008, (accessed October 31, 2008)

Morris Worm To Turn 20 – How Far Things Have Come“, Darknet, October 31, 2008, (accessed October 31, 2008)

[1] “The Spread of the Code-Red Worm (CRv2)”, David Moore, Colleen Shannon, CAIDA, September 14, 2007, (accessed October 31, 2008)

[2] “Top 10 worst computer viruses”, George Garza,, February 17, 2008, (accessed October 31, 2008)