Heads up: New Bugbear variant. W32/Bugbear.b@mm
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Heads up: New Bugbear variant. W32/Bugbear.b@mm

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Heads up: New Bugbear variant. W32/Bugbear.b@mm

    Heads up ppl, there's a new bugbear around. It is NOT detected by the current McAfee DAT files (probably other vendors too). I've found it by using http://www.webimmune.net. The new DAT should be able to detect it but unfortunately it's not yet available for download

    More info can be found here:
    http://vil.nai.com/vil/content/v_100358.htm
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Thankyou SirDice for the headsup.. very appreciated..


    Here is Info from Symantec
    Info Also from Sophos

    Current assesment is

    Wild : Low - Sophos states "Many"
    Damage: Low
    Distribution: High

    W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs. The worm is polymorphic and also infects executable files.

    This worm is currently being analyzed and additional information will be provided as soon as it becomes available.



    Also Known As: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee]
    Type: Worm
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Hmm. It's raining bugbears here Thank $DEITY we block *all* executables
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    Exclamation

    Ok it seems to have been upgraded a couple of times over night..

    Due to the number of submissions received from customers, Symantec Security Response is elevating this threat to a Category 4 from a Category 3 threat.
    Risk Assesment:

    Wild: High
    Damage : Medium
    Distribution: High

    Hope this is as bad as this one gets...

    Cheers

    (prefer it to be raining "Jelly Bears")
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5

    Exclamation F-Secure's press release says bugbear targets banking sector

    Bugbear.A was the most Widespread Virus in 2002
    Helsinki, Finland, June 5, 2003- F-Secure is warning the computer users of a worm known as Bugbear.B. This worm was first seen on Thusday morning, June 5th, 2003. It is a new variant of the Bugbear.A e-mail worm (also known as
    Tanatos) that was found on Monday, September 30, 2002. Bugbear.A was the most common and widespread virus in 2002.

    The most alerting capacity of this worm is that it includes a large list of domains belonging mostly to banks. The worm checks if an infected computer is in one of these domains, and makes changes to the system in these computers.

    "The list of bank domains that the worm has, includes banks from all over the world; Europe, US, Asia and Africa", says Mikael Albrecht, Product Manager of F-Secure. "Bugbear.B changes system settings if activated in one of these banks. The purpose of these actions is still unknown. They may be part of a malicious scenario but we can't confirm that yet", he continues.

    Bugbear.B is a very complex polymorphic virus that spreads through both email and network shares. The worm sends e-mails with various contents. It uses a known vulnerability to execute the attachment automatically when the e-mail is opened.

    "This virus is tricky, it contains many different techniques. It has UPX compression, encryption with random keys, backdoors, key-logging, retro-functionality, aggressive mass-mailing and network worm capabilities.", explains Mikael Albrecht. "The network worm capabilities may be dangerous to large organisations. It may cause very fast outbreaks if this virus manages to get inside the firewall".

    More information on the Bugbear.B virus is available online at http://www.f-secure.com/v-descs/bugbear_b.shtml .The page includes technical descriptions and images.
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Posts
    211
    I always trust my AV to BidDefender ( especially for Win32 @mm ).
    I found the BugBear file at http://www.bitdefender.com/bd/site/v..._id=1&v_id=133
    Name: Win32.BugBear.B@mm
    Aliases: W32/Bugbear@MM, W32.Bugbear.B@mm
    Type: Executable Backdoor Mass Mailer Infector
    Size: 72192 bytes
    Discovered: 05.06.2003
    Detected: 05.06.2003
    Spreading: High
    Damage: Medium
    In The Wild: Yes

    It infects the following files by adding itís code to the end of the target file and changes the entry point to attached code:

    From the program files:

    winzip\winzip32.exe
    kazaa\kazaa.exe
    ICQ\Icq.exe
    DAP\DAP.exe
    Winamp\winamp.exe
    AIM95\aim.exe
    Lavasoft\Ad-aware 6\Ad-aware.exe
    Trillian\Trillian.exe
    Zone Labs\ZoneAlarm\ZoneAlarm.exe
    StreamCast\Morpheus\Morpheus.exe
    QuickTime\QuickTimePlayer.exe
    WS_FTP\WS_FTP95.exe
    MSN Messenger\msnmsgr.exe
    ACDSee32\ACDSee32.exe
    Adobe\Acrobat 4.0\Reader\AcroRd32.exe
    CuteFTP\cutftp32.exe
    Far\Far.exe
    Outlook Express\msimn.exe
    Real\RealPlayer\realplay.exe
    Windows Media Player\mplayer2.exe
    WinRAR\WinRAR.exe
    adobe\acrobat 5.0\reader\acrord32.exe
    Internet Explorer\iexplore.exe

    From the %windir%:

    winhelp.exe
    notepad.exe
    hh.exe
    mplaer.exe
    regedit.exe
    scandskw.exe

    Also when infecting files it changes the encryption code in order to become harder to detect. At every 20 seconds the worm checks the running programs and if it finds one of the following it terminates it:

    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    ACKWIN32.EXE
    ANTI-TROJAN.EXE
    APVXDWIN.EXE
    AUTODOWN.EXE
    AVCONSOL.EXE
    AVE32.EXE
    AVGCTRL.EXE
    AVKSERV.EXE
    AVNT.EXE
    AVP.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPDOS32.EXE
    AVPM.EXE
    AVPTC32.EXE
    AVPUPD.EXE
    AVSCHED32.EXE
    AVWIN95.EXE
    AVWUPD32.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET.EXE
    CFINET32.EXE
    CLAW95.EXE
    CLAW95CF.EXE
    CLEANER.EXE
    CLEANER3.EXE
    DVP95.EXE
    DVP95_0.EXE
    ECENGINE.EXE
    ESAFE.EXE
    ESPWATCH.EXE
    F-AGNT95.EXE
    F-PROT.EXE
    F-PROT95.EXE
    F-STOPW.EXE
    FINDVIRU.EXE
    FP-WIN.EXE
    FPROT.EXE
    FRW.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    IBMASN.EXE
    IBMAVSP.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    IFACE.EXE
    IOMON98.EXE
    JEDI.EXE
    LOCKDOWN2000.EXE
    LOOKOUT.EXE
    LUALL.EXE
    MOOLIVE.EXE
    MPFTRAY.EXE
    N32SCANW.EXE
    NAVAPW32.EXE
    NAVLU32.EXE
    NAVNT.EXE
    NAVW32.EXE
    NAVWNT.EXE
    NISUM.EXE
    NMAIN.EXE
    NORMIST.EXE
    NUPGRADE.EXE
    NVC95.EXE
    OUTPOST.EXE
    PADMIN.EXE
    PAVCL.EXE
    PAVSCHED.EXE
    PAVW.EXE
    PCCWIN98.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    RAV7.EXE
    RAV7WIN.EXE
    RESCUE.EXE
    SAFEWEB.EXE
    SCAN32.EXE
    SCAN95.EXE
    SCANPM.EXE
    SCRSCAN.EXE
    SERV95.EXE
    SMC.EXE
    SPHINX.EXE
    SWEEP95.EXE
    TBSCAN.EXE
    TCA.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    VET95.EXE
    VETTRAY.EXE
    VSCAN40.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSTAT.EXE
    WEBSCANX.EXE
    WFINDV32.EXE
    ZONEALARM.EXE

    It also write itself in all the network shares it finds with the file name Setup.exe.
    u may also download the anti bugbear at that site , but as ussualy , it couldnt clean or delete the files automatically, so u might be active the programm and run it.

    -Shad
    When I lay me down to sleep, Pray the LORD my soul to keep.
    If I die before i wake, Pray the LORD my soul to take.

    http://www.AntiOnline.com/sig.php?imageid=389

  7. #7

    I tend to like Bitdefender

    They are good and their products are not so heavy on my system....but still they are not so fast in their response to virus breakdowm and worms outbreaks....but I think this is a matter of time to bypassed.
    Anyway the link which they tend to advertize to download the tool for Bugbear was not working when I tried this morning......in order to place a link into my forum.....
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  8. #8
    Senior Member
    Join Date
    Feb 2003
    Posts
    211
    yep support , i doesnt responds ani viruses untill u found the viruses from other AV ( McAfee , Norton , etc ), but it works well. If u failed donwload the Anti-V for BigBear, u may download here.

    -Shad
    When I lay me down to sleep, Pray the LORD my soul to keep.
    If I die before i wake, Pray the LORD my soul to take.

    http://www.AntiOnline.com/sig.php?imageid=389

  9. #9
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Re: F-Secure's press release says bugbear targets banking sector

    Originally posted here by Support

    Am I the only one seeing humor in the fact that another pain in the ass for Windows came from Helsinki Finland?


    "Posted by CowboyNeal on Thursday June 05, @09:42PM
    from the bugbear-back-but-better dept.
    kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computers' modems. Some of the worm's functions are designed to specially target financial institutions.' Yummy!" "

    I got this in my mail today from slashdot.
    Kill the lights, let the candles burn behind the pumpkinsí mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  10. #10
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    And it is using the same old exploits!

    Stoped on our work systems today.. AV?.. Patches? Warnings?.. None of these just a sharp eye and a good e-Mail Policy.. Bloody CA.. (aka VET in Aussi) missed them completly..

    I just hope SirDice didn't have too many headaches from it today.. seems there was a hammering earlier..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides