
Thread: Heads up: New Bugbear variant. W32/Bugbear.b@mm

  1. #1
    Just Another Geek
    Join Date: Jul 2002
    Location: Rotterdam, Netherlands
    Posts: 3,401

    Heads up: New Bugbear variant. W32/Bugbear.b@mm

    Heads up ppl, there's a new bugbear around. It is NOT detected by the current McAfee DAT files (probably other vendors too). I've found it by using http://www.webimmune.net. The new DAT should be able to detect it, but unfortunately it's not yet available for download.

    More info can be found here:
    http://vil.nai.com/vil/content/v_100358.htm
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #2
    The Doctor Und3ertak3r
    Join Date: Apr 2002
    Posts: 2,744
    Thank you SirDice for the heads-up.. very appreciated..


    Here is Info from Symantec
    Info Also from Sophos

    Current assessment is

    Wild: Low - Sophos states "Many"
    Damage: Low
    Distribution: High

    W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs. The worm is polymorphic and also infects executable files.

    This worm is currently being analyzed and additional information will be provided as soon as it becomes available.



    Also Known As: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee]
    Type: Worm
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Just Another Geek
    Join Date: Jul 2002
    Location: Rotterdam, Netherlands
    Posts: 3,401
    Hmm. It's raining bugbears here. Thank $DEITY we block *all* executables.
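The "block *all* executables" mail policy from the post above, as an added example written for this thread (it is not the poster's own gateway setup). It checks each MIME part twice: by file extension, using an assumed policy list, and independently by the 'MZ' signature bytes, so an executable renamed to .txt is still caught. The sample message is constructed inline so the script runs offline with only the standard library.

```python
"""Mail-gateway style attachment filter matching a "block all executables" policy.
Added example for the thread; the blocked-extension list and sample message are
assumptions, not a vendor's or the poster's configuration."""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed policy list; a real gateway would load this from configuration.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def looks_like_windows_executable(payload):
    """MS-DOS/PE executables start with the 'MZ' signature."""
    return payload[:2] == b"MZ"


def flagged_attachments(raw_message):
    """Return [(filename, [reasons])] for every part a blocking policy would reject."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, nothing to inspect
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if filename:
            ext = os.path.splitext(filename.lower())[1]
            if ext in BLOCKED_EXTENSIONS:
                reasons.append("blocked extension %s" % ext)
        # Content check is independent of the name, so renaming does not evade it.
        if looks_like_windows_executable(payload):
            reasons.append("MZ executable header")
        if reasons:
            hits.append((filename, reasons))
    return hits


def build_sample_message():
    """Constructed test message: a renamed executable, a .exe, and a harmless note."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # only the signature, not a real program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.txt")
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment("Just some notes.", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in flagged_attachments(build_sample_message()):
        print("REJECT %s: %s" % (name, ", ".join(reasons)))
```

The two checks are deliberately separate: the extension list encodes policy, while the signature check catches the case the policy alone misses, an executable whose name was changed to look harmless.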

  4. #4
    The Doctor Und3ertak3r
    Join Date: Apr 2002
    Posts: 2,744


    Ok it seems to have been upgraded a couple of times over night..

    Due to the number of submissions received from customers, Symantec Security Response is elevating this threat to a Category 4 from a Category 3 threat.
    Risk Assessment:

    Wild: High
    Damage: Medium
    Distribution: High

    Hope this is as bad as this one gets...

    Cheers

    (prefer it to be raining "Jelly Bears")

  5. #5

    F-Secure's press release says bugbear targets banking sector

    Bugbear.A was the most Widespread Virus in 2002
    Helsinki, Finland, June 5, 2003 - F-Secure is warning computer users of a worm known as Bugbear.B. This worm was first seen on Thursday morning, June 5th, 2003. It is a new variant of the Bugbear.A e-mail worm (also known as Tanatos) that was found on Monday, September 30, 2002. Bugbear.A was the most common and widespread virus in 2002.

    The most alerting capacity of this worm is that it includes a large list of domains belonging mostly to banks. The worm checks if an infected computer is in one of these domains, and makes changes to the system in these computers.

    "The list of bank domains that the worm has, includes banks from all over the world; Europe, US, Asia and Africa", says Mikael Albrecht, Product Manager of F-Secure. "Bugbear.B changes system settings if activated in one of these banks. The purpose of these actions is still unknown. They may be part of a malicious scenario but we can't confirm that yet", he continues.

    Bugbear.B is a very complex polymorphic virus that spreads through both email and network shares. The worm sends e-mails with various contents. It uses a known vulnerability to execute the attachment automatically when the e-mail is opened.

    "This virus is tricky, it contains many different techniques. It has UPX compression, encryption with random keys, backdoors, key-logging, retro-functionality, aggressive mass-mailing and network worm capabilities.", explains Mikael Albrecht. "The network worm capabilities may be dangerous to large organisations. It may cause very fast outbreaks if this virus manages to get inside the firewall".

    More information on the Bugbear.B virus is available online at http://www.f-secure.com/v-descs/bugbear_b.shtml . The page includes technical descriptions and images.
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  6. #6
    Senior Member
    Join Date: Feb 2003
    Posts: 211
    I always trust my AV to BitDefender (especially for Win32 @mm).
    I found the BugBear file at http://www.bitdefender.com/bd/site/v..._id=1&v_id=133
    Name: Win32.BugBear.B@mm
    Aliases: W32/Bugbear@MM, W32.Bugbear.B@mm
    Type: Executable Backdoor Mass Mailer Infector
    Size: 72192 bytes
    Discovered: 05.06.2003
    Detected: 05.06.2003
    Spreading: High
    Damage: Medium
    In The Wild: Yes

    It infects the following files by adding its code to the end of the target file and changing the entry point to the attached code:

    From the program files:

    winzip\winzip32.exe
    kazaa\kazaa.exe
    ICQ\Icq.exe
    DAP\DAP.exe
    Winamp\winamp.exe
    AIM95\aim.exe
    Lavasoft\Ad-aware 6\Ad-aware.exe
    Trillian\Trillian.exe
    Zone Labs\ZoneAlarm\ZoneAlarm.exe
    StreamCast\Morpheus\Morpheus.exe
    QuickTime\QuickTimePlayer.exe
    WS_FTP\WS_FTP95.exe
    MSN Messenger\msnmsgr.exe
    ACDSee32\ACDSee32.exe
    Adobe\Acrobat 4.0\Reader\AcroRd32.exe
    CuteFTP\cutftp32.exe
    Far\Far.exe
    Outlook Express\msimn.exe
    Real\RealPlayer\realplay.exe
    Windows Media Player\mplayer2.exe
    WinRAR\WinRAR.exe
    adobe\acrobat 5.0\reader\acrord32.exe
    Internet Explorer\iexplore.exe

    From the %windir%:

    winhelp.exe
    notepad.exe
    hh.exe
    mplaer.exe
    regedit.exe
    scandskw.exe

    Also, when infecting files it changes the encryption code in order to become harder to detect. Every 20 seconds the worm checks the running programs and if it finds one of the following it terminates it:

    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    ACKWIN32.EXE
    ANTI-TROJAN.EXE
    APVXDWIN.EXE
    AUTODOWN.EXE
    AVCONSOL.EXE
    AVE32.EXE
    AVGCTRL.EXE
    AVKSERV.EXE
    AVNT.EXE
    AVP.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPDOS32.EXE
    AVPM.EXE
    AVPTC32.EXE
    AVPUPD.EXE
    AVSCHED32.EXE
    AVWIN95.EXE
    AVWUPD32.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET.EXE
    CFINET32.EXE
    CLAW95.EXE
    CLAW95CF.EXE
    CLEANER.EXE
    CLEANER3.EXE
    DVP95.EXE
    DVP95_0.EXE
    ECENGINE.EXE
    ESAFE.EXE
    ESPWATCH.EXE
    F-AGNT95.EXE
    F-PROT.EXE
    F-PROT95.EXE
    F-STOPW.EXE
    FINDVIRU.EXE
    FP-WIN.EXE
    FPROT.EXE
    FRW.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    IBMASN.EXE
    IBMAVSP.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    IFACE.EXE
    IOMON98.EXE
    JEDI.EXE
    LOCKDOWN2000.EXE
    LOOKOUT.EXE
    LUALL.EXE
    MOOLIVE.EXE
    MPFTRAY.EXE
    N32SCANW.EXE
    NAVAPW32.EXE
    NAVLU32.EXE
    NAVNT.EXE
    NAVW32.EXE
    NAVWNT.EXE
    NISUM.EXE
    NMAIN.EXE
    NORMIST.EXE
    NUPGRADE.EXE
    NVC95.EXE
    OUTPOST.EXE
    PADMIN.EXE
    PAVCL.EXE
    PAVSCHED.EXE
    PAVW.EXE
    PCCWIN98.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    RAV7.EXE
    RAV7WIN.EXE
    RESCUE.EXE
    SAFEWEB.EXE
    SCAN32.EXE
    SCAN95.EXE
    SCANPM.EXE
    SCRSCAN.EXE
    SERV95.EXE
    SMC.EXE
    SPHINX.EXE
    SWEEP95.EXE
    TBSCAN.EXE
    TCA.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    VET95.EXE
    VETTRAY.EXE
    VSCAN40.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSTAT.EXE
    WEBSCANX.EXE
    WFINDV32.EXE
    ZONEALARM.EXE

    It also writes itself to all the network shares it finds with the file name Setup.exe.
    You may also download the anti-bugbear tool at that site, but as usual it couldn't clean or delete the files automatically, so you might have to activate the program and run it.

    -Shad
    When I lay me down to sleep, Pray the LORD my soul to keep.
    If I die before i wake, Pray the LORD my soul to take.

    http://www.AntiOnline.com/sig.php?imageid=389
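The infection pattern quoted above (worm code appended to the end of a target executable, with the entry point redirected into it) is something a defender can check for in PE headers without a signature. The following is an added example written for this thread, not code from the thread or from BitDefender: it parses the PE headers with only the standard library and reports where AddressOfEntryPoint lands. The images it inspects are synthetic ones produced by the `build_pe()` helper, which is an assumption of this example and builds just enough header structure for the check to run.

```python
"""Entry-point heuristic for appended-code infections of PE files.
Added example for the thread; build_pe() constructs minimal synthetic PE32 images
as test data and is not a representation of any real program or sample."""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections) for a PE32/PE32+ image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, vaddr, rawsize, rawptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "span": max(vsize, rawsize), "rawptr": rawptr,
            "chars": fields[9],
        })
    return entry_rva, sections


def entry_point_findings(data):
    """List suspicious observations about where the entry point lands (empty = nothing odd)."""
    entry_rva, sections = parse_pe(data)
    holder = None
    for idx, sec in enumerate(sections):
        if sec["vaddr"] <= entry_rva < sec["vaddr"] + sec["span"]:
            holder = idx
            break
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    sec = sections[holder]
    findings = []
    # Appending infectors typically land the entry point in a trailing section.
    if len(sections) > 1 and holder == len(sections) - 1:
        findings.append("entry point in last section %s (appended code?)" % sec["name"])
    if not sec["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %s is not marked as code" % sec["name"])
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % sec["name"])
    return findings


def build_pe(sections, entry_rva):
    """Build a minimal synthetic PE32 image (test data only).
    sections: list of (name, vaddr, size, characteristics)."""
    opt_size, file_align = 224, 0x200
    raw = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    headers_len = (raw + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    opt += b"\0" * (opt_size - len(opt))
    hdrs, body, rawptr = b"", b"", headers_len
    for name, vaddr, size, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, vaddr,
                            size, rawptr, 0, 0, 0, 0, chars)
        body += b"\xCC" * size                                # int3 filler bytes
        rawptr += size
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image + b"\0" * (headers_len - len(image)) + body


# Constructed samples: a normal layout, then the same layout with a trailing RWX
# section added and the entry point moved into it.
_TEXT = (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
_DATA = (b".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
_TAIL = (b".xyz", 0x3000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN = build_pe([_TEXT, _DATA], entry_rva=0x1010)
APPENDED = build_pe([_TEXT, _DATA, _TAIL], entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Run it against files on disk by reading them in binary mode and passing the bytes to `entry_point_findings()`. The checks are heuristics: packers and some linkers also produce last-section or RWX entry points, so a hit is a reason to look closer, not a verdict on its own.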

  7. #7

    I tend to like Bitdefender

    They are good and their products are not so heavy on my system....but still they are not so fast in their response to virus breakdown and worm outbreaks....but I think this is a matter of time to be bypassed.
    Anyway the link which they tend to advertise to download the tool for Bugbear was not working when I tried this morning......in order to place a link into my forum.....

  8. #8
    Senior Member
    Join Date: Feb 2003
    Posts: 211
    Yep Support, it doesn't respond to any viruses until you find the viruses from other AV (McAfee, Norton, etc.), but it works well. If you failed to download the Anti-V for BugBear, you may download it here.


  9. #9
    Senior Member gore
    Join Date: Oct 2002
    Location: Michigan
    Posts: 7,177

    Re: F-Secure's press release says bugbear targets banking sector

    Originally posted here by Support

    Am I the only one seeing humor in the fact that another pain in the ass for Windows came from Helsinki Finland?


    "Posted by CowboyNeal on Thursday June 05, @09:42PM
    from the bugbear-back-but-better dept.
    kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!" "

    I got this in my mail today from slashdot.

  10. #10
    The Doctor Und3ertak3r
    Join Date: Apr 2002
    Posts: 2,744
    And it is using the same old exploits!

    Stopped on our work systems today.. AV?.. Patches? Warnings?.. None of these, just a sharp eye and a good e-Mail Policy.. Bloody CA.. (aka VET in Aussie) missed them completely..

    I just hope SirDice didn't have too many headaches from it today.. seems there was a hammering earlier..

    Cheers
