
Win32.BugBear.B@mm

HIGH
MEDIUM
72192 bytes
(W32/Bugbear@MM, W32.Bugbear.B@mm)

Symptoms

Not available yet

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located inside archives and the infected messages from your mail client, since the tool does not reach into either.

The BitDefender Antibugbear-en.exe tool does the following:
  • it detects all the known BugBear versions (A and B);

  • it disinfects the files infected with BugBear;

  • it kills the process from memory;

  • it repairs the Windows registry.


  • You may also need to restore the affected files.

    To stop this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.

    To prevent the virus from spreading from infected machines to clean ones over the network, disinfect all computers in the network before rebooting any of them, or unplug the network cables until every machine has been cleaned.

    If you are running Windows 95/98/Me you will also have to apply the patch provided by Microsoft for the Share Level Password vulnerability, which the virus uses to write to password-protected shares.

    Analyzed By

    Sorin Victor Dudea BitDefender Virus Researcher

    Technical Description:

    This is an Internet worm that spreads through e-mail and network shares. It uses the IFRAME vulnerability in Internet Explorer to launch itself without any user interaction.

    It usually arrives in the following format:

    Subject: Randomly chosen from the following list:

    Greets!
    Get 8 FREE issues - no risk!
    Hi!
    Your News Alert
    $150 FREE Bonus!
    Re:
    Your Gift
    New bonus in your cash account
    Tools For Your Online Business
    Daily Email Reminder
    News
    free shipping!
    its easy
    Warning!
    SCAM alert!!!
    Sponsors needed
    new reading
    CALL FOR INFORMATION!
    25 merchants and rising
    Cows
    My e Bay ads
    empty account
    Mark et Update Report
    click on this!
    fantastic
    wow!
    bad news
    Lost & Found
    New Contests
    Today Only
    Get a FREE gift!
    Membership Confirmation
    Report
    Please Help...
    Stats
    I need help about script!!!
    Interesting...
    Introduction
    various
    Announcement
    history screen
    Correction of errors
    Just a reminder
    Payment notices
    hmm..
    update
    Hello!

    Or any other subject it finds in mail databases.

    Attachment: a base name randomly chosen from the following list:

    Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data

    with a double extension, the last part of which is one of: exe, scr, pif.

    When the worm sends itself using information taken from other mail it has found, the attachment can have any file name with .exe, .scr or .pif appended to the end.

    Body: Can be anything.
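As an added example (not Bitdefender's tool and not code from the page), the following Python script applies the message pattern described above to a constructed sample: a subject from the list, an attachment whose name is a listed base name carrying a double extension ending in .scr, and an HTML body whose IFRAME points at that attachment by Content-ID, which is the shape the IFRAME exploit mentioned above takes when an attachment is launched automatically. The subject list is a subset of the one above, the two messages are constructed, the function names are the example's own, and the cid-based IFRAME check is a general check for that technique rather than something the page states about this worm's exact HTML.

```python
import email
import re
from email import policy

# Subset of the subject list given above (constructed example; extend with the full list).
BUGBEAR_SUBJECTS = {
    "Greets!", "Hi!", "Your Gift", "Warning!", "SCAM alert!!!", "bad news",
    "Membership Confirmation", "Report", "Please Help...", "Just a reminder",
    "Payment notices", "Hello!",
}
# Attachment base names and executable extensions listed above.
BUGBEAR_BASENAMES = {"setup", "card", "docs", "news", "image", "images", "pics",
                     "resume", "photo", "video", "music", "song", "data"}
EXEC_EXT = {"exe", "scr", "pif"}
# An IFRAME whose src is a cid: reference makes the mail client render a MIME part
# of the same message; with the unpatched IE engine that runs an executable part.
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)


def attachment_findings(filename):
    """Return the reasons an attachment name matches the pattern described above."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return []                                  # not an executable attachment
    findings = ["executable extension ." + parts[-1]]
    if len(parts) > 2:
        findings.append("double extension %s" % ".".join(parts[-2:]))
    if parts[0] in BUGBEAR_BASENAMES:
        findings.append("base name '%s' is on the Bugbear list" % parts[0])
    return findings


def triage_message(raw):
    """Parse one RFC 822 message (bytes) and list every Bugbear-style indicator in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "")).strip()
    if subject in BUGBEAR_SUBJECTS:
        findings.append("subject '%s' is on the Bugbear list" % subject)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                               # containers carry no payload
        filename = part.get_filename()
        if filename:
            findings += ["attachment %s: %s" % (filename, f)
                         for f in attachment_findings(filename)]
        if part.get_content_type() == "text/html":
            for cid in IFRAME_CID.findall(part.get_content()):
                findings.append("HTML body auto-loads attachment cid:%s via IFRAME" % cid)
    return findings


# Constructed sample in the shape described above (not a real captured message).
SAMPLE = b"""From: someone@example.com
To: victim@example.com
Subject: Membership Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><iframe src="cid:att01" height=0 width=0></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="Docs.doc.scr"
Content-ID: <att01>
Content-Disposition: attachment; filename="Docs.doc.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message used as a control.
CLEAN_SAMPLE = b"""From: colleague@example.com
To: victim@example.com
Subject: Re: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"

%PDF-1.4
--b2--
"""

if __name__ == "__main__":
    for finding in triage_message(SAMPLE):
        print(finding)
```

Run on a mail gateway, the executable-extension finding alone is worth quarantining on; the subject and base-name matches add confidence but will miss the variant that reuses harvested attachment names, which is why the extension check is not gated on them.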

    When executed, the worm checks for the mutex w32sharmur to see whether it is already running. If the mutex does not exist, the worm copies itself into the STARTUP folder under a random name of the form xxxx.exe and then exits.

    After the computer is restarted, the worm drops a Trojan keylogger DLL with a random name; that DLL captures keystrokes. It also creates two further DLL files in which it stores the captured keystrokes in encrypted form, and a .dat file in which it writes information about the computer's settings.

    It infects the following files by appending its code to the end of the target file and changing the entry point to the appended code:

    From the program files:

    winzip\winzip32.exe
    kazaa\kazaa.exe
    ICQ\Icq.exe
    DAP\DAP.exe
    Winamp\winamp.exe
    AIM95\aim.exe
    Lavasoft\Ad-aware 6\Ad-aware.exe
    Trillian\Trillian.exe
    Zone Labs\ZoneAlarm\ZoneAlarm.exe
    StreamCast\Morpheus\Morpheus.exe
    QuickTime\QuickTimePlayer.exe
    WS_FTP\WS_FTP95.exe
    MSN Messenger\msnmsgr.exe
    ACDSee32\ACDSee32.exe
    Adobe\Acrobat 4.0\Reader\AcroRd32.exe
    CuteFTP\cutftp32.exe
    Far\Far.exe
    Outlook Express\msimn.exe
    Real\RealPlayer\realplay.exe
    Windows Media Player\mplayer2.exe
    WinRAR\WinRAR.exe
    adobe\acrobat 5.0\reader\acrord32.exe
    Internet Explorer\iexplore.exe

    From the %windir%:

    winhelp.exe
    notepad.exe
    hh.exe
    mplaer.exe
    regedit.exe
    scandskw.exe
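The appending infection described above (code glued to the end of the host and the entry point redirected to it) leaves a shape that can be checked from the PE headers alone. The following Python is an added example, not Bitdefender's removal tool and not the worm's code: it builds two constructed minimal PE32 images in memory (a clean one, and one whose last section has been extended, made executable and pointed to by the entry point) and runs a header heuristic over them. The heuristic (entry point outside the first code section, in the last section, in a section that is both writable and executable, or overlay data past the last section) is a generic indicator for appending infectors and not a signature for BugBear; the builder and function names are the example's own.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse just enough of a PE32 file to get the entry point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections


def appending_infector_indicators(data):
    """Return the reasons a PE file looks like the host of an appending infector."""
    entry_rva, sections = parse_pe(data)
    reasons = []
    ep_sec = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep_sec is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    executable = [s for s in sections
                  if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]
    if executable and ep_sec is not executable[0]:
        reasons.append("entry point is in %s, not the first code section %s"
                       % (ep_sec["name"], executable[0]["name"]))
    if len(sections) > 1 and ep_sec is sections[-1]:
        reasons.append("entry point is in the last section %s" % ep_sec["name"])
    if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE and ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section %s is both writable and executable" % ep_sec["name"])
    end_of_sections = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    if len(data) > end_of_sections:
        reasons.append("%d bytes of overlay after the last section" % (len(data) - end_of_sections))
    return reasons


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 file in memory (test fixture only, not a real program).
    sections: list of (name, virtual_address, raw_size, characteristics); vsize == raw_size."""
    opt_size = 0xE0                                  # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF             # first section starts on a 0x200 boundary
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table, body = b"", b""
    for name, va, raw_size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size,
                             raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += b"\xC3" * raw_size                   # filler bytes (ret)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_ptr - len(image)) + body


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE

# Constructed clean host: entry point inside .text, .data last and non-executable.
CLEAN = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA)], 0x1010)
# Constructed infected host: last section grown to hold appended code, marked executable,
# and the entry point moved into the appended region.
INFECTED = build_pe([(b".text", 0x1000, 0x200, CODE),
                     (b".data", 0x2000, 0x400, DATA | IMAGE_SCN_MEM_EXECUTE)], 0x2200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, appending_infector_indicators(image) or "no indicators")
```

Packed or self-extracting executables trip the same heuristic, so treat a hit as a reason to look closer (compare against a known-good copy of winzip32.exe, notepad.exe and the others listed) rather than as proof of infection.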

    When infecting files it also varies its encryption code, so that infected copies are harder to detect by a fixed signature. Every 20 seconds the worm checks the running processes and, if it finds one with any of the following names, terminates it:

    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    ACKWIN32.EXE
    ANTI-TROJAN.EXE
    APVXDWIN.EXE
    AUTODOWN.EXE
    AVCONSOL.EXE
    AVE32.EXE
    AVGCTRL.EXE
    AVKSERV.EXE
    AVNT.EXE
    AVP.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPDOS32.EXE
    AVPM.EXE
    AVPTC32.EXE
    AVPUPD.EXE
    AVSCHED32.EXE
    AVWIN95.EXE
    AVWUPD32.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET.EXE
    CFINET32.EXE
    CLAW95.EXE
    CLAW95CF.EXE
    CLEANER.EXE
    CLEANER3.EXE
    DVP95.EXE
    DVP95_0.EXE
    ECENGINE.EXE
    ESAFE.EXE
    ESPWATCH.EXE
    F-AGNT95.EXE
    F-PROT.EXE
    F-PROT95.EXE
    F-STOPW.EXE
    FINDVIRU.EXE
    FP-WIN.EXE
    FPROT.EXE
    FRW.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    IBMASN.EXE
    IBMAVSP.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    IFACE.EXE
    IOMON98.EXE
    JEDI.EXE
    LOCKDOWN2000.EXE
    LOOKOUT.EXE
    LUALL.EXE
    MOOLIVE.EXE
    MPFTRAY.EXE
    N32SCANW.EXE
    NAVAPW32.EXE
    NAVLU32.EXE
    NAVNT.EXE
    NAVW32.EXE
    NAVWNT.EXE
    NISUM.EXE
    NMAIN.EXE
    NORMIST.EXE
    NUPGRADE.EXE
    NVC95.EXE
    OUTPOST.EXE
    PADMIN.EXE
    PAVCL.EXE
    PAVSCHED.EXE
    PAVW.EXE
    PCCWIN98.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    RAV7.EXE
    RAV7WIN.EXE
    RESCUE.EXE
    SAFEWEB.EXE
    SCAN32.EXE
    SCAN95.EXE
    SCANPM.EXE
    SCRSCAN.EXE
    SERV95.EXE
    SMC.EXE
    SPHINX.EXE
    SWEEP95.EXE
    TBSCAN.EXE
    TCA.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    VET95.EXE
    VETTRAY.EXE
    VSCAN40.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSTAT.EXE
    WEBSCANX.EXE
    WFINDV32.EXE
    ZONEALARM.EXE

    It also writes itself to every network share it finds, under the file name Setup.exe.

    The worm sends itself through e-mail using the local SMTP settings. The e-mail addresses are harvested from files whose names contain the following strings: .ODS, INBOX, .MMF, .NCH, MBX, EML, DBX, ini, INI.

    If those files are mail databases it looks for received mails in them and replies to those mails, replacing the original attachments with the virus body and adding one of the following extensions: .exe, .scr, .pif. If the mails have no attachments it takes a name from the virus's own list or from the hard drive and attaches the virus under that name.

    The worm also has backdoor capabilities: it listens for HTTP connections on port 1080.