Win32.BugBear.B@mm( W32/Bugbear@MM, W32.Bugbear.B@mm )
SYMPTOMS: Not available yet

TECHNICAL DESCRIPTION: This is an Internet worm that spreads through e-mail and network shares. It uses the IFRAME vulnerability to launch itself without user interaction.

It usually arrives in the following format:

Subject: randomly chosen from the following list, or any other subject it finds in mail databases:
  Greets!
  Get 8 FREE issues - no risk!
  Hi!
  Your News Alert
  $150 FREE Bonus!
  Re: Your Gift
  New bonus in your cash account
  Tools For Your Online Business
  Daily Email Reminder
  News
  free shipping!
  its easy
  Warning!
  SCAM alert!!!
  Sponsors needed
  new reading
  CALL FOR INFORMATION!
  25 merchants and rising
  Cows
  My eBay ads
  empty account
  Market Update Report
  click on this!
  fantastic
  wow!
  bad news
  Lost & Found
  New Contests
  Today Only
  Get a FREE gift!
  Membership Confirmation
  Report
  Please Help...
  Stats
  I need help about script!!!
  Interesting...
  Introduction
  various
  Announcement
  history screen
  Correction of errors
  Just a reminder
  Payment notices
  hmm..
  update
  Hello!

Attachment: a name randomly chosen from the following list, given a double extension whose final part is .exe, .scr or .pif:
  Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data
When the worm sends itself using information taken from other mail it found, the attachment can be any file name with .exe, .scr or .pif appended to the end.

Body: can be anything.

When executed, the worm checks for the mutex w32sharmur to see whether it is already in memory. If the mutex does not exist, the worm copies itself into the STARTUP folder under a random name xxxx.exe and then exits. After the computer is restarted, the worm drops a Trojan keylogger DLL with a random name; that DLL captures the pressed keys. It also creates two further DLL files in which it stores the captured keys in encrypted form, and a .dat file in which it writes information about the computer's settings.
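The subject list and the attachment naming described above are what a mail gateway can key on. The following is an added example, not BitDefender's tool and not code from this write-up: a Python triage function that scores a message by subject and attachment names and returns a gateway action. The block/quarantine/flag policy, the function names and the sample messages are assumptions made for illustration.

```python
from typing import List, NamedTuple

# Subjects listed in the write-up above. The worm also reuses subjects it finds in mail
# databases, so a subject match is a supporting signal, never a verdict by itself.
BUGBEAR_SUBJECTS = {
    "Greets!", "Get 8 FREE issues - no risk!", "Hi!", "Your News Alert",
    "$150 FREE Bonus!", "Re: Your Gift", "New bonus in your cash account",
    "Tools For Your Online Business", "Daily Email Reminder", "News",
    "free shipping!", "its easy", "Warning!", "SCAM alert!!!", "Sponsors needed",
    "new reading", "CALL FOR INFORMATION!", "25 merchants and rising", "Cows",
    "My eBay ads", "empty account", "Market Update Report", "click on this!",
    "fantastic", "wow!", "bad news", "Lost & Found", "New Contests", "Today Only",
    "Get a FREE gift!", "Membership Confirmation", "Report", "Please Help...",
    "Stats", "I need help about script!!!", "Interesting...", "Introduction",
    "various", "Announcement", "history screen", "Correction of errors",
    "Just a reminder", "Payment notices", "hmm..", "update", "Hello!",
}

# Base names the worm picks for attachments it generates itself (lower-cased).
BUGBEAR_BASENAMES = {"setup", "card", "docs", "news", "image", "images", "pics",
                     "resume", "photo", "video", "music", "song", "data"}

# Extensions the worm appends so that the attachment runs as a program.
RUNNABLE_EXTS = {"exe", "scr", "pif"}


class Verdict(NamedTuple):
    action: str          # "block", "quarantine", "flag" or "pass"
    reasons: List[str]


def attachment_reasons(filename: str) -> List[str]:
    """Reasons a single attachment name matches the naming the write-up describes."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []
    reasons = []
    if parts[-1] in RUNNABLE_EXTS:
        reasons.append(f"{filename}: runnable extension .{parts[-1]}")
        if len(parts) >= 3:
            # e.g. invoice.pdf.pif: the worm replaced a real attachment's body
            # and appended a second extension to the original name
            reasons.append(f"{filename}: double extension")
        if parts[0] in BUGBEAR_BASENAMES:
            reasons.append(f"{filename}: base name from the worm's list")
    return reasons


def triage(subject: str, attachments: List[str]) -> Verdict:
    """Decide what a gateway should do with one message (assumed policy, not the vendor's)."""
    reasons = []
    if subject.strip() in BUGBEAR_SUBJECTS:
        reasons.append("subject from the worm's list")
    for name in attachments:
        reasons.extend(attachment_reasons(name))
    runnable = any("runnable extension" in r for r in reasons)
    if runnable and len(reasons) >= 2:
        return Verdict("block", reasons)        # executable plus a corroborating sign
    if runnable:
        return Verdict("quarantine", reasons)   # executable alone: hold for review
    if reasons:
        return Verdict("flag", reasons)         # subject only: annotate and deliver
    return Verdict("pass", reasons)


# Constructed sample traffic for the demonstration, not captured mail.
SAMPLE_MESSAGES = [
    ("Market Update Report", ["resume.doc.exe"]),
    ("Re: invoice 4471", ["invoice.pdf.pif"]),
    ("build output", ["tool.exe"]),
    ("Tools For Your Online Business", []),
    ("Q3 numbers", ["numbers.xlsx"]),
]


def triage_samples() -> List[str]:
    """Run the policy over the constructed samples and return the actions in order."""
    return [triage(subject, atts).action for subject, atts in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (subject, atts), action in zip(SAMPLE_MESSAGES, triage_samples()):
        print(f"{action:10} {subject!r} {atts}")
```

The same attachment_reasons check applies to files found on network shares: a file named Setup.exe scores both a runnable extension and a base name from the worm's list.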
It infects the following files by appending its code to the end of the target file and changing the entry point to the appended code.

From the Program Files folder:
  winzip\winzip32.exe
  kazaa\kazaa.exe
  ICQ\Icq.exe
  DAP\DAP.exe
  Winamp\winamp.exe
  AIM95\aim.exe
  Lavasoft\Ad-aware 6\Ad-aware.exe
  Trillian\Trillian.exe
  Zone Labs\ZoneAlarm\ZoneAlarm.exe
  StreamCast\Morpheus\Morpheus.exe
  QuickTime\QuickTimePlayer.exe
  WS_FTP\WS_FTP95.exe
  MSN Messenger\msnmsgr.exe
  ACDSee32\ACDSee32.exe
  Adobe\Acrobat 4.0\Reader\AcroRd32.exe
  CuteFTP\cutftp32.exe
  Far\Far.exe
  Outlook Express\msimn.exe
  Real\RealPlayer\realplay.exe
  Windows Media Player\mplayer2.exe
  WinRAR\WinRAR.exe
  adobe\acrobat 5.0\reader\acrord32.exe
  Internet Explorer\iexplore.exe

From %windir%:
  winhelp.exe notepad.exe hh.exe mplaer.exe regedit.exe scandskw.exe

When infecting files it also changes its encryption code, to make itself harder to detect.

Every 20 seconds the worm checks the running programs and terminates any of the following it finds:
  _AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ANTI-TROJAN.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE
  AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE
  AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE CFIADMIN.EXE
  CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE DVP95.EXE
  DVP95_0.EXE ECENGINE.EXE ESAFE.EXE ESPWATCH.EXE F-AGNT95.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE
  FINDVIRU.EXE FP-WIN.EXE FPROT.EXE FRW.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE
  ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE IOMON98.EXE JEDI.EXE
  LOCKDOWN2000.EXE LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCANW.EXE NAVAPW32.EXE NAVLU32.EXE
  NAVNT.EXE NAVW32.EXE NAVWNT.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE NUPGRADE.EXE NVC95.EXE
  OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE PERSFW.EXE
  RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE
  SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE TDS2-98.EXE TDS2-NT.EXE
  VET95.EXE VETTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSSTAT.EXE WEBSCANX.EXE WFINDV32.EXE
  ZONEALARM.EXE

It also writes itself to every network share it finds, under the file name Setup.exe.

The worm sends itself through e-mail using the local SMTP settings. E-mail addresses are taken from files whose names contain the following strings: .ODS, INBOX, .MMF, .NCH, MBX, EML, DBX, ini, INI. If those files are mail databases, it tries to find received mails in them and replies to those mails, replacing the original attachments with the virus body and adding one of the following extensions: .exe, .scr, .pif. If the mails have no attachments, it takes a name from the virus's own list or from the hard drive and attaches that. The worm also has backdoor capabilities: it waits for HTTP connections on port 1080.

Removal instructions: The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.
Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antibugbear-en.exe tool does the following:
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5. To prevent the virus from replicating from infected machines to clean machines, disinfect all computers in the network before rebooting any of them, or unplug the network cables. If you are running Windows 95/98/Me you will also have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.
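Because the worm changes its encryption code on each infection, a fixed byte signature for the appended code is unreliable; the structural change it makes to a host file, code appended at the end and the entry point redirected into it, is a steadier thing to look for. The following added example (not the vendor's removal tool and not from this write-up) parses PE32 headers with Python's standard library and reports an entry point that lands in the last section, in a section not marked as code, or in a section that is both writable and executable. The sample images are constructed header-only byte strings; the section layouts, the function names and the set of findings are assumptions for illustration.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

# Section characteristics flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int


def parse_pe_headers(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) from a PE32 image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + opt_size                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        # f[1] = VirtualSize, f[2] = VirtualAddress, f[9] = Characteristics
        sections.append(Section(name, f[2], f[1], f[9]))
    return entry, sections


def entry_point_findings(data: bytes) -> List[str]:
    """Structural signs that code was appended and the entry point redirected to it."""
    entry, sections = parse_pe_headers(data)
    owner: Optional[int] = None
    for idx, s in enumerate(sections):
        if s.virtual_address <= entry < s.virtual_address + s.virtual_size:
            owner = idx
    if owner is None:
        return ["entry point outside every section"]
    s = sections[owner]
    findings = []
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append(f"entry point in last section {s.name}")
    if not s.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry point in section {s.name} not marked as code")
    if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s.name} is writable and executable")
    return findings


def build_pe32(entry_rva: int, layout: List[Tuple[str, int, int, int]]) -> bytes:
    """Constructed sample: PE32 headers only (no section bodies), enough for the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    opt_size = 0xE0                                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, vsize,
                    0x400 + i * 0x1000, 0, 0, 0, 0, chars)
        for i, (name, vaddr, vsize, chars) in enumerate(layout))
    return dos + b"PE\0\0" + coff + opt + table


# Assumed layouts: a clean program, and the same program after code was appended to
# its last section (made executable and writable) with the entry point moved there.
CLEAN_LAYOUT = [(".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
INFECTED_LAYOUT = CLEAN_LAYOUT + [(".rsrc", 0x4000, 0x0800,
                                   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                                   | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)]
CLEAN_PE = build_pe32(0x1000, CLEAN_LAYOUT)
INFECTED_PE = build_pe32(0x4000, INFECTED_LAYOUT)


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Findings from this check are a reason to submit the file for a full scan or to restore it from a known-good copy, not a disinfection by themselves; legitimate packers and some linkers also place the entry point in unusual sections, so the result needs a second look before the file is deleted.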
ANALYZED BY: Sorin Victor Dudea, BitDefender Virus Researcher