W32Bugbear@MM
Results 1 to 4 of 4

Thread: W32Bugbear@MM

  1. #1
    AO Soccer Mom debwalin's Avatar
    Join Date
    Mar 2002
    Posts
    2,185

    Post W32Bugbear@MM

    Got this one in email from McAffee today:

    McAfee.com has seen a growing number of computers infected with W32/Bugbear@MM. The risk assessment has been updated to MEDIUM FOR HOME AND CORPORATE USERS. As always, we recommend that you keep your anti-virus software up-to-date for the best protection.

    [glowpurple]Virus Information:[/glowpurple]
    Date Discovered: 9/30/2002
    Date Added: 9/30/2002
    Origin: Malaysia
    Length: 50,688 bytes (UPXed)
    or 50,664 bytes
    Type: Virus
    SubType: E-mail worm
    DAT Required: 4226

    [glowpurple]Virus Characteristics: [/glowpurple]
    This virus is written in MSVC and packed with UPX. It spreads via network shares and by emailing itself. It also contains a backdoor trojan component that contains keylogging functionality.

    [glowpurple]Mass-mailing [/glowpurple]

    This worm emails itself to addresses found on the local system. Possible message subject lines include the following (however, other random subject lines are also possible):

    Found
    150 FREE Bonus!
    25 merchants and rising
    Announcement
    bad news
    CALL FOR INFORMATION!
    click on this!
    Correction of errors
    Cows
    Daily Email Reminder
    empty account
    fantastic
    free shipping!
    Get 8 FREE issues - no risk!
    Get a FREE gift!
    Greets!
    Hello!
    history screen
    hotmail.
    I need help about script
    Interesting
    Introduction
    its easy
    Just a reminder
    Lost
    Market Update Report
    Membership Confirmation
    My eBay ads
    New bonus in your cash account
    New Contests
    new reading
    News
    Payment notices
    Please Help
    Report
    SCAM alert
    Sponsors needed
    Stats
    Today Only
    Tools For Your Online Business
    update
    various
    Warning!
    Your Gift
    Your News Alert
    The message body and attachment name vary. It is common for the attachment name to contain a double-extension (ie. .doc.pif). Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).

    [glowpurple]System changes [/glowpurple]

    When run on the victim machine it copies itself to %WinDir%\System as ****.EXE (where * represents random character). For example in testing:

    Win98 : C:\WINDOWS\SYSTEM\FYFA.EXE
    2k Pro : C:\WINNT\SYSTEM32\FVFA.EXE
    The following Registry key is set in order to hook next system startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    RunOnce "%random letters%" = %random filename%.EXE (Win9x)
    The worm copies itself to the Startup folder on the victim machine as ***.EXE (where * represents random character), for example:



    Win98 : C:\WINDOWS\Start Menu\Programs\Startup\CUK.EXE
    2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE
    Trojan component
    The worm opens a port on the victim machine - port 36794 and searches for various running processes, stopping them if found. The list of processes includes many popular AV and personal firewall products.

    This remote access server allows an attacker to upload, and download files, run executes, and terminate processes.

    It drops a DLL on the victim machine - keylogger related. This DLL is detected as PWS-Hooker.dll.

    Network share propagation

    The worm attempts to copy itself to the Startup folder of remote machines on the network (as ***.EXE - described above).





    [glowpurple]Indications Of Infection: [/glowpurple]
    Port 36974 open
    Existence of the following files (* represents any character):
    %WinDir%\System\****.EXE (50,688 or 50,684 bytes)
    %WinDir%\******.DAT
    %WinDir%\******.DAT
    %WinDir%\System\******.DLL
    %WinDir%\System\*******.DLL
    %WinDir%\System\*******.DLL





    [glowpurple]Method Of Infection: [/glowpurple]

    This virus spreads over the network (via network shares) and by mailing itself (using it's on SMTP engine).

    It attempts to terminate the process of the following security programs:
    ACKWIN32.exe
    F-AGNT95.exe
    ANTI-TROJAN.exe
    APVXDWIN.exe
    AUTODOWN.exe
    AVCONSOL.exe
    AVE32.exe
    AVGCTRL.exe
    AVKSERV.exe
    AVNT.exe
    AVP32.exe
    AVP32.exe
    AVPCC.exe
    AVPCC.exe
    AVPDOS32.exe
    AVPM.exe
    AVPM.exe
    AVPTC32.exe
    AVPUPD.exe
    AVSCHED32.exe
    AVWIN95.exe
    AVWUPD32.exe
    BLACKD.exe
    BLACKICE.exe
    CFIADMIN.exe
    CFIAUDIT.exe
    CFINET.exe
    CFINET32.exe
    CLAW95.exe
    CLAW95CF.exe
    CLEANER.exe
    CLEANER3.exe
    DVP95_0.exe
    ECENGINE.exe
    ESAFE.exe
    ESPWATCH.exe
    FINDVIRU.exe
    FPROT.exe
    IAMAPP.exe
    IAMSERV.exe
    IBMASN.exe
    IBMAVSP.exe
    ICLOAD95.exe
    ICLOADNT.exe
    ICMON.exe
    ICSUPP95.exe
    ICSUPPNT.exe
    IFACE.exe
    IOMON98.exe
    JEDI.exe
    LOCKDOWN2000.exe
    LOOKOUT.exe
    LUALL.exe
    MOOLIVE.exe
    MPFTRAY.exe
    N32SCANW.exe
    NAVAPW32.exe
    NAVLU32.exe
    NAVNT.exe
    NAVW32.exe
    NAVWNT.exe
    NISUM.exe
    NMAIN.exe
    NORMIST.exe
    NUPGRADE.exe
    NVC95.exe
    OUTPOST.exe
    PADMIN.exe
    PAVCL.exe
    PAVSCHED.exe
    PAVW.exe
    PCCWIN98.exe
    PCFWALLICON.exe
    PERSFW.exe
    F-PROT.exe
    F-PROT95.exe
    RAV7.exe
    RAV7WIN.exe
    RESCUE.exe
    SAFEWEB.exe
    SCAN32.exe
    SCAN95.exe
    SCANPM.exe
    SCRSCAN.exe
    SERV95.exe
    SPHINX.exe
    F-STOPW.exe
    SWEEP95.exe
    TBSCAN.exe
    TDS2-98.exe
    TDS2-NT.exe
    VET95.exe
    VETTRAY.exe
    VSCAN40.exe
    VSECOMR.exe
    VSHWIN32.exe
    VSSTAT.exe
    WEBSCANX.exe
    WFINDV32.exe
    ZONEALARM



    Further info and removal tools found at:

    http://vil.mcafee.com/dispVirus.asp?virus_k=99728

    Deb
    Outside of a dog, a book is man's best friend. Inside of a dog it's too dark to read.

  2. #2
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    w000000t!!! Good post Deb!!! Thank you sooooooo much for reminding me to update my AV definitions!!!
    Al
    It isn't paranoia when you KNOW they're out to get you...

  3. #3
    Senior Member
    Join Date
    Mar 2002
    Posts
    502
    Yes, check out the following.

    Bugbear worm tries to steal credit cards and passwords
    By Robert Vamosi
    ZDNet Reviews
    September 30, 2002

    Bugbear is an Internet worm with a Trojan horse that attempts to steal your passwords and credit card information. Bugbear (w32.bugbear@mm), also known as Tanatos, is about 50KB long and is compressed with the UPX file compressor. Users of Internet Explorer 5.01 or 5.5 who have not patched the Incorrect Mime header flaw are vulnerable to the worm's e-mail attack. All versions of Windows are vulnerable to this worm's ability to arrive via open file sharing. Users of Macintosh, Linux, and Unix are not at risk. Since Bugbear sends infected e-mail and contains a potentially dangerous Trojan horse, it ranks a 6 on the ZDNet Virus Meter.


    How it works
    Bugbear arrives via e-mail with no distinct characteristics except for an attached file that is always 50,688 bytes long. The subject line and text may be taken from existing e-mail. Bugbear also arrives through network file sharing.

    When run, Bugbear adds itself to the System subdirectory of the Windows folder as four random letters followed by .exe (for example, windows\System\zayb.exe). It also changes the Registry in order to run each time Windows is loaded, once again using random letters. Finally, it adds itself to the Startup folder as three random letters followed by .exe (for example, Startup\zay.exe).

    The Trojan horse part of this worm first terminates many popular firewall and antivirus programs. The Trojan then launches a keystroke-logging program whose filename is a variable number of random letters followed by .dll (for example, avbxcydz.dll). Keystroke-logging programs memorize the keystrokes typed when filling out login information (passwords) or filling out shopping forms online (credit card information). Files saved by these programs can later be accessed remotely by malicious users. The Trojan component of this worm opens port 36794.

    Prevention
    Users of Internet Explorer 6 should be safe from the e-mail portion of this worm. Users of IE 5.01 and 5.5 who have not installed the Infected Mime header patch found in MS01-020 should do so. If you do not need to share files on a network, you should also turn off file sharing within Windows.

    Removal
    A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure,McAfee, and Sophos.
    It can be found here >> http://techupdate.zdnet.com/techupda...881969,00.html
    Bleh.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Originally posted here by allenb1963
    w000000t!!! Good post Deb!!! Thank you sooooooo much for reminding me to update my AV definitions!!!
    Manual update? Are there still antivirus programs without an automatic update function?
    ---
    proactive

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •