- A fake WinZip dialog box with the following message:
bad CRC 23bb8dea (should be 0be7841c).
- Sudden termination of some antivirus or shield software programs.
- Presence of the registry key:
with a randomly named value pointing to a randomly named file in the Windows System directory.
Let BitDefender delete all files found infected by this worm.
Sorin Victor Dudea BitDefender Virus Researcher
Previously detected as Win32.BugBear.Gen@mm, the worm spreads like the earlier variants by e-mail in the following format:
Subject: one of the following:
- !!! WARNING !!!
- good news!
- Your Gift
- Sex pictures
- I cannot forget you!
- You are fat!
- new reading
- I love you!
- Is that your password?
- empty account
- Old photos
- Me nude
- bad news
- Lost & Found
- New Contests
- Today Only
- [Fwd: look] ;-)
- Please Help...
- I need photo!!!
- history screen
- Just a reminder
- Payment notices
Body: one of the following:
- Take a look to the attachment
- See the attached file for more info
- Please see Attachment
- Pease open an attachment to see the message.
- see attachment
- See the attached file
- please,read the attach file.
A Zip archive or a file with a name taken from the infected computer or one of:
followed by many spaces before the real .SCR extension, so that the executable extension is pushed out of view in the mail client's attachment list.
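The mail format above is the useful indicator for a gateway or mailbox scan: a known lure subject or body line, and an attachment whose real .SCR extension hides behind a run of spaces, either directly or inside a Zip archive. The script below is an added example written for this page, not BitDefender code. The subject and body lines are the ones listed above; the attachment names, the Zip archive and the message it classifies are constructed samples, and the set of executable extensions it flags is an assumption that goes beyond the SCR case described here.

```python
import io
import re
import zipfile

# Subject and body lines are the ones quoted in the description above.
LURE_SUBJECTS = {
    "!!! WARNING !!!", "good news!", "Your Gift", "Sex pictures",
    "I cannot forget you!", "You are fat!", "new reading", "I love you!",
    "Is that your password?", "empty account", "Old photos", "Me nude",
    "bad news", "Lost & Found", "New Contests", "Today Only",
    "[Fwd: look] ;-)", "Please Help...", "I need photo!!!", "history screen",
    "Just a reminder", "Payment notices",
}
LURE_BODIES = {
    "Take a look to the attachment", "See the attached file for more info",
    "Please see Attachment", "Pease open an attachment to see the message.",
    "see attachment", "See the attached file", "please,read the attach file.",
}
# Assumption: extensions Windows runs on double-click. The worm itself uses SCR.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}

# "photo.jpg<many spaces>.scr": a decoy extension, two or more spaces, the real one.
PADDED_EXT = re.compile(r"^(?P<decoy>.+?\.[A-Za-z0-9]+) {2,}\.(?P<real>[A-Za-z0-9]+)$")


def real_extension(name):
    """Return (extension, padded); padded is True when spaces hide the extension."""
    m = PADDED_EXT.match(name)
    if m:
        return m.group("real").lower(), True
    _, dot, ext = name.rpartition(".")
    return (ext.lower() if dot else ""), False


def name_findings(name):
    """Reasons a single file name matches the worm's attachment trick."""
    ext, padded = real_extension(name)
    reasons = []
    if padded:
        reasons.append(f"space-padded double extension hides .{ext}: {name!r}")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment .{ext}: {name!r}")
    return reasons


def attachment_findings(name, data=b""):
    """Check an attachment; for a Zip archive, check every member name as well."""
    reasons = name_findings(name)
    if data[:4] == b"PK\x03\x04":  # local file header of a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reasons += [f"inside {name!r}: {r}" for r in name_findings(member)]
        except zipfile.BadZipFile:
            reasons.append(f"{name!r} starts like a zip archive but cannot be read")
    return reasons


def classify_message(subject, body, attachments):
    """attachments: list of (filename, bytes). Returns the reasons; empty means clean."""
    reasons = []
    if subject.strip() in LURE_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    if {line.strip() for line in body.splitlines()} & LURE_BODIES:
        reasons.append("known lure body text")
    for fname, data in attachments:
        reasons += attachment_findings(fname, data)
    return reasons


def make_zip(member_name, payload):
    """Build an in-memory zip archive (constructed sample, not a worm payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages in the format described above.
    direct = classify_message(
        "Old photos", "Take a look to the attachment\n",
        [("holiday.jpg" + " " * 60 + ".scr", b"MZ" + b"\0" * 64)])
    zipped = classify_message(
        "meeting", "see you tomorrow",
        [("docs.zip", make_zip("readme.txt" + " " * 40 + ".scr", b"MZ"))])
    for reason in direct + zipped:
        print(reason)
```

The check keys on the file name, not on the content, because that is the part the user sees; a real gateway would also open the attachment and look for the MZ header behind the decoy extension.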
When the attachment is run, it copies itself under a random name (%random%.exe) to the Windows System directory (%WINSYS%).
It executes the copied file.
It then displays a fake WinZip message box with the following text: bad CRC 23bb8dea (should be 0be7841c).
The %WINSYS% copy does the following:
It adds the following registry value so that the copy starts at every logon: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%random%
With value: %WINSYS%\%random%.exe
It tries to register itself as a service process (on Windows 9x machines).
It creates a .dat file for storing e-mail addresses.
It drops a keylogger component in the %WINSYS% folder under a random name with a .dll extension. This component is detected as Trojan.KeyLogger.BugBear.B.
It creates two further files with random names and a .dll extension, in which the worm keeps encrypted data gathered from the computer.
Every 20 seconds it searches for and kills a list of antivirus and shield processes.
The worm records the user's activity; this information is then sent to an e-mail address.
It searches for e-mail addresses in all files with the following extensions:
It then sends itself to every address it finds, in the same format in which it arrived.
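The persistence described above has a recognisable shape: a Run value whose name is the same random token as the file it points to, and that file sits directly in the Windows System directory. The script below is an added example for this page, not BitDefender code, that flags Run entries with that shape. The sample entries (including the worm-style name qgxvph) are constructed; the allowlist, the argument-splitting rules for Run data and the use of System32 as the System directory are assumptions. The live read via winreg only works on Windows and is skipped elsewhere.

```python
import ntpath
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample Run entries; qgxvph stands in for the worm's random name.
SAMPLE_ENTRIES = [
    ("ExampleTray", r"C:\Windows\System32\ExampleTrayHost.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("qgxvph", r"C:\WINDOWS\system32\qgxvph.exe"),
    ("Updater", r'"C:\Program Files\Example\updater.exe" /background'),
]


def executable_from_run_data(data):
    """Extract the executable path from Run value data (assumed splitting rules)."""
    data = data.strip()
    if data.startswith('"'):                  # quoted path, arguments after the quote
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")           # unquoted path may contain spaces
    if idx != -1:
        return data[: idx + 4]
    return data.split(" ", 1)[0]


def suspicious_run_entries(entries, sysdir, allowlist=frozenset()):
    """Return (value_name, exe_path) for entries matching the worm's pattern:
    the executable lives directly in sysdir and its file stem equals the value name.
    allowlist holds lowercase stems of known-good programs with the same shape."""
    sysdir_n = ntpath.normcase(ntpath.normpath(sysdir))
    hits = []
    for value_name, data in entries:
        exe = executable_from_run_data(data)
        directory, filename = ntpath.split(exe)
        stem = ntpath.splitext(filename)[0].lower()
        if ntpath.normcase(ntpath.normpath(directory)) != sysdir_n:
            continue
        if stem in allowlist:
            continue
        if stem == value_name.lower():
            hits.append((value_name, exe))
    return hits


def read_run_key():
    """Read HKLM Run values on Windows. winreg is only available there."""
    import winreg
    entries, index = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:                   # no more values
                return entries
            entries.append((name, str(data)))
            index += 1


if __name__ == "__main__":
    if sys.platform == "win32":
        # On Windows 9x the System directory was %WINDIR%\System; NT uses System32.
        sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        entries = read_run_key()
    else:
        sysdir, entries = r"C:\Windows\System32", SAMPLE_ENTRIES
    for name, exe in suspicious_run_entries(entries, sysdir, allowlist={"ctfmon"}):
        print(f"suspicious Run entry {name!r} -> {exe}")
```

The check is a shape match, not a verdict: legitimate programs occasionally register under their own file name from System32, which is why the allowlist exists, and a hit should be followed by inspecting the file (and the randomly named .dll files the worm drops beside it) rather than deleting it blindly.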