
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Briz.I

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects

Briz.I consists of several components that carry out the following actions:

  • It stops and disables the services Windows Security Center and Internet Connection Sharing (Windows XP firewall).
  • It checks whether an Internet connection is available by establishing a connection with Microsoft's website.
  • It obtains information about the computer such as the IP address, the name of the system, geographic area, etc.
  • It prevents users and installed programs from accessing websites belonging to several antivirus companies, including their update servers.
  • It captures the data entered in websites containing forms accessed through Internet Explorer. This way, it obtains passwords for email accounts, banking entities and other online services.
  • It harvests passwords and other data stored by Protected Storage, as well as by the email clients Outlook, Eudora and The Bat.
  • It uses the affected computer as a gateway in order to connect anonymously to third parties' Telnet, SMTP, FTP and HTTP services.
  • It allows commands to be executed and files from the hard disk of the affected system to be downloaded. In order to do so, it uses an application programmed in PHP to access the computer via the Internet.
  • It stores the gathered information on a certain server.

Infection strategy

Briz.I is a Trojan that consists of several components that are consecutively downloaded from the Internet with the following names:

  • IEXPLORE.EXE. This file stops and disables several security services and deletes itself once it has carried out its actions.
  • ISCHEDULE.EXE, which sends the data gathered by Briz.I and is deleted once it has carried out its actions.
  • IB14.DLL, in the Windows system directory. This file is a BHO (Browser Helper Object) used to capture information from websites containing forms.
  • CXPLIB.DLL, in the Windows system directory. This file is a DLL (Dynamic Link Library).
  • SMSS.EXE, in the Windows directory. This file deletes itself once it has carried out its actions.
  • HARVEST.EXE, which harvests passwords and the data stored by Protected Storage and by several email clients. This file is deleted once it has carried out its actions.
  • IESERVER.EXE.
  • WEBSVR.PART1.EXE and WEBSVR.PART2.RAR in the Windows directory. These files are part of a RAR self-extracting file that contains an application programmed in PHP.
    When these files are decompressed, Briz.I creates a subfolder called WEBSVR in the Windows system directory.
  • WINLOGON.EXE, in the Windows directory. This file allows the affected computer to be used as a gateway in order to connect to other services anonymously.
  • NTSVC.OCX and MSWINSCK.OCX, in the Windows directory.

Figure: diagram of the relationship among the components of Briz.I.

Briz.I modifies the HOSTS file, which prevents access to certain websites belonging to antivirus companies.

 

Briz.I creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Windows Session Manager Subsystem = %windir%\smss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Windows Logon Process = %windir%\winlogon.exe

    where %windir% is the Windows directory.
    By creating these entries, Briz.I ensures that it is run whenever Windows is started.

Means of transmission

Briz.I does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details

Briz.I is written in the programming language Visual Basic. This Trojan is 26,624 bytes in size.