Symptoms
- A fake WinZip dialog box with the following message:
bad CRC 23bb8dea (should be 0be7841c).
- Sudden termination of some antivirus or shield software programs.
- Presence of the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with a randomly named value pointing to a randomly named file in the Windows directory.
Removal instructions:
Let BitDefender delete all files found infected by this worm.
Analyzed By
Sorin Victor Dudea BitDefender Virus Researcher
Technical Description:
Previously detected as Win32.BugBear.Gen@mm, the worm spreads like the earlier variants by e-mail, in the following format:
Subject: one of the following:
- Greets!
- !!! WARNING !!!
- Hi!
- sexy
- good news!
- Re:
- Your Gift
- Sex pictures
- I cannot forget you!
- Fwd:
- News
- You are fat!
- Love
- Warning!
- photo
- Friendly
- new reading
- ;)
- I love you!
- Is that your password?
- photos
- empty account
- Old photos
- Me nude
- fantastic
- wow!
- bad news
- Lost & Found
- New Contests
- Today Only
- [Fwd: look] ;-)
- Greetings!
- Report
- Please Help...
- Stats
- I need photo!!!
- Interesting...
- Introduction
- various
- Announcement
- history screen
- look
- Just a reminder
- Payment notices
- hmm..
- update
- Hello!
Body: one of the following:
- Take a look to the attachment
- See the attached file for more info
- Please see Attachment
- Pease open an attachment to see the message.
- see attachment
- See the attached file
- please,read the attach file.
Attachment: A Zip archive or a file with a name taken from the infected computer or one of:
- Readme.txt
- Love.jpg
- You.jpg
- Myphoto.jpg
- News.doc
- Image.jpg
- Message.txt
- Pic.jpg
- Girls.jpg
- Photo.jpg
- Video.avi
- Music.mp3
- Song.wav
- A000032.jpg
followed by many spaces and then the real .SCR extension, so that the executable extension is pushed out of view in the mail client.
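As an added illustration (not part of the original BitDefender entry), a small Python check that flags attachment names built the way described above: a benign-looking decoy name, a run of whitespace, and the real executable extension at the end. The decoy list is the one from this page; the extensions beyond SCR, the two-character whitespace threshold and the sample names are assumptions.

```python
import re

# Decoy attachment names listed on this page (compared case-insensitively).
DECOY_NAMES = {
    "readme.txt", "love.jpg", "you.jpg", "myphoto.jpg", "news.doc",
    "image.jpg", "message.txt", "pic.jpg", "girls.jpg", "photo.jpg",
    "video.avi", "music.mp3", "song.wav", "a000032.jpg",
}
# Real extensions to flag behind the padding. The page names SCR; the rest
# are an assumption so the check also covers sibling executable types.
EXEC_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}

# <decoy name>.<benign ext><run of 2+ whitespace chars>.<real ext>
# The 2+ threshold is an assumption; the page only says "many spaces".
PADDED_RE = re.compile(
    r"^(?P<decoy>.+?\.[A-Za-z0-9]{1,5})\s{2,}\.(?P<real>[A-Za-z0-9]{1,4})$"
)

def analyze_attachment(name: str) -> dict:
    """Classify one attachment filename taken from a mail header."""
    m = PADDED_RE.match(name)
    if m is None:
        return {"name": name, "padded": False, "real_ext": None,
                "known_decoy": False, "suspicious": False}
    real_ext = m.group("real").lower()
    return {
        "name": name,
        "padded": True,
        "real_ext": real_ext,
        "known_decoy": m.group("decoy").lower() in DECOY_NAMES,
        # Padding in front of an executable extension is the trick itself,
        # whether or not the decoy is one of the names known from this family.
        "suspicious": real_ext in EXEC_EXTS,
    }

def scan_attachments(names):
    """Return the attachment names that should be held for analyst review."""
    return [n for n in names if analyze_attachment(n)["suspicious"]]

# Constructed sample attachment names (not taken from a real capture).
SAMPLE_ATTACHMENTS = [
    "Readme.txt" + " " * 40 + ".scr",            # decoy from the page + .scr
    "Girls.jpg" + " " * 25 + ".scr",
    "quarterly_report.doc" + " " * 30 + ".pif",  # same trick, unlisted decoy
    "Photo.jpg",                                 # listed name, but no padding
    "setup.scr",                                 # plain .scr, not padded
    "notes.txt",
]
```

Running `scan_attachments(SAMPLE_ATTACHMENTS)` returns the first three names only; the plain `Photo.jpg` and `setup.scr` are left to ordinary attachment policy.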
It copies itself under a random name (%random%.exe) to the Windows System directory (%WINSYS%) and executes the copy.
It displays a fake WinZip message box with the following text:
bad CRC 23bb8dea (should be 0be7841c).
The %WINSYS% copy does the following:
It adds the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%random%
with value:
%WINSYS%\%random%.exe
It tries to register itself as a service (on Win9x machines).
It creates a .dat file for storing e-mail addresses.
It drops a key logger component in the %WINSYS% folder with a random name and a .dll extension. This component is detected as Trojan.KeyLogger.BugBear.B.
It creates two more files with random names and a .dll extension, in which the worm keeps encrypted data gathered from the computer.
Every 20 seconds it searches for and kills a list of antivirus and shield processes.
The worm records the user's activity and sends this information to an e-mail address.
It searches for e-mail addresses in all the files with the following extensions:
- sht
- txt
- asp
- htm
- ods
- inbox
- mmf
- nch
- mbx
- eml
- tbb
- dbx
It then sends itself to every address it finds, in the same format in which it arrived.