This comes from a virus list I am on. Very reliable folks. For anyone who cares to join the AV group and stay up on the most current nasties, I left the footer at the bottom of this message. I am not affiliated with these folks; I have just been a member of their list for several years and followed them over when they migrated from Yahoo to FreeLists.

Pam

******************************************

From F-Secure
http://f-secure.com/v-descs/bugbear_b.shtml

NAME: Bugbear.B
ALIAS: W32/Bugbear.B@mm, W32/Kijmo.A, I-Worm.Tanatos.B, Win32.Bugbear.B

THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER F-SECURE RADAR.
For more information, see: http://www.F-Secure.com/products/radar/

UPDATE (2003-06-05 15:00 GMT)
F-Secure is raising the alert level on Bugbear.B (Tanatos.B) to level 1 as it continues to spread rapidly. The number of reported infections has increased drastically over the last 10 hours.

UPDATE (2003-06-05 9:55 GMT)
A new polymorphic virus-worm known as Bugbear.B is spreading in the wild. The worm sends e-mails with various contents. It uses a known vulnerability to execute the attachment automatically when the e-mail is opened.

UPDATE (2003-06-05 7:30 GMT)
A new polymorphic variant of the Bugbear worm (Bugbear.B) was found in the wild early in the morning on June 5th, 2003.

Technical Description

The worm's file is a Windows PE executable compressed with the UPX file compressor and encrypted with a simple cryptographic algorithm that changes in every generation of the worm, which makes the worm polymorphic. The packed file is 72192 bytes; the unpacked size is over 170 kilobytes.

Installation to system

When the worm's file is run, it installs itself on the system by infecting the files of several popular applications and system tools.
The following files in the Program Files and Windows folders are infected:

%ProgramFilesDir%\winzip\winzip32.exe
%ProgramFilesDir%\kazaa\kazaa.exe
%ProgramFilesDir%\ICQ\Icq.exe
%ProgramFilesDir%\DAP\DAP.exe
%ProgramFilesDir%\Winamp\winamp.exe
%ProgramFilesDir%\AIM95\aim.exe
%ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
%ProgramFilesDir%\Trillian\Trillian.exe
%ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
%ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
%ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
%ProgramFilesDir%\WS_FTP\WS_FTP95.exe
%ProgramFilesDir%\MSN Messenger\msnmsgr.exe
%ProgramFilesDir%\ACDSee32\ACDSee32.exe
%ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
%ProgramFilesDir%\CuteFTP\cutftp32.exe
%ProgramFilesDir%\Far\Far.exe
%ProgramFilesDir%\Outlook Express\msimn.exe
%ProgramFilesDir%\Real\RealPlayer\realplay.exe
%ProgramFilesDir%\Windows Media Player\mplayer2.exe
%ProgramFilesDir%\WinRAR\WinRAR.exe
%ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
%ProgramFilesDir%\Internet Explorer\iexplore.exe
%WinDir%\winhelp.exe
%WinDir%\notepad.exe
%WinDir%\hh.exe
%WinDir%\mplayer.exe
%WinDir%\regedit.exe
%WinDir%\scandskw.exe

where %ProgramFilesDir% is the Program Files directory and %WinDir% is the Windows directory.

The worm can also drop its file into the Startup folder with a random name or as SETUP.EXE, so that it is activated on the next system restart. Additionally, the worm drops a keylogging component into the Windows System directory with a random name and a DLL extension; the name can be MGLKCKK.DLL, for example. The worm also creates 2 additional files in the Windows System folder where it stores its data in encrypted form.

Spreading in e-mails

The worm spreads in e-mail messages and has its own SMTP engine. To find e-mail addresses, the worm looks for files with the following names and extensions:

.ODS
.MMF
.NCH
.MBX
.EML
.TBB
.DBX
INBOX

Some of these files are e-mail databases and contain a lot of e-mail addresses. The worm sends itself to all found addresses. However, it avoids sending itself to e-mail addresses containing any of the following:

remove
spam
undisclosed recipients
noreply
lyris
virus
trojan
mailer-daemon
postmaster@
root@
nobody@
localhost
localdomain
list
talk
ticket
majordom

The subject of an infected message is either taken from random files on the infected computer or selected from the following list:

Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re: Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!

The body of an infected message can be empty, or it can contain text from a random file on the infected computer. The body can also contain an I-Frame exploit, which allows the worm to run automatically on some computers when the infected e-mail is viewed (for example, with Outlook and IE 5.0 or 5.01). This vulnerability is fixed and a patch for it is available on the Microsoft site: http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

The attachment name can be SETUP.EXE, or it can contain one of the following strings:

readme
Setup
Card
Docs
news
image
images
pics
resume
photo
video
music
song
data

The worm can also "borrow" a name from a random file on the infected computer.
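A mail-gateway check for the e-mail traits this section describes: an exe/scr/pif attachment, a double extension such as DOCUMENT.DOC.EXE, an image or text content type placed on an executable attachment, an IFRAME in the HTML body, and a subject from the worm's list. This is an added example, not F-Secure's code or anything from the advisory; the subject set is a subset of the list above, the sample message is constructed, and the example.invalid address and function names are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = {"exe", "scr", "pif"}                  # attachment extensions the advisory lists
DISGUISE_TYPES = {"image/gif", "image/jpeg", "text/plain", "text/html"}
KNOWN_SUBJECTS = {"greets!", "hi!", "your news alert", "re: your gift",   # subset of the list
                  "membership confirmation", "bad news", "just a reminder", "hello!"}
ATTACH_WORDS = ("readme", "setup", "card", "docs", "news", "image", "images", "pics",
                "resume", "photo", "video", "music", "song", "data")


def attachment_reasons(part):
    """Return the reasons one MIME part looks like a Bugbear.B attachment."""
    name = (part.get_filename() or "").lower()
    if not name:
        return []
    pieces = name.split(".")
    reasons = []
    if pieces[-1] in EXEC_EXTS:
        reasons.append(f"executable attachment: {name}")
        if len(pieces) > 2:                            # e.g. document.doc.exe
            reasons.append(f"double extension: {name}")
        if part.get_content_type() in DISGUISE_TYPES:  # type taken from the borrowed name
            reasons.append(f"content type {part.get_content_type()} on executable")
        if any(w in pieces[0] for w in ATTACH_WORDS):
            reasons.append(f"attachment name from worm wordlist: {name}")
    return reasons


def score_message(raw):
    """Parse one RFC 822 message (bytes) and collect every indicator found."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append(f"known worm subject: {msg['Subject']}")
    for part in msg.walk():
        if part.get_content_type() == "text/html" and "<iframe" in part.get_content().lower():
            reasons.append("IFRAME in HTML body (auto-execute attempt)")
        reasons.extend(attachment_reasons(part))
    return reasons


def build_sample():
    """Constructed message mimicking the advisory's description; not a real capture."""
    msg = EmailMessage()
    msg["To"] = "victim@example.invalid"           # hypothetical recipient
    msg["Subject"] = "Just a reminder"
    msg.set_content("<html><body><iframe src='cid:att'></iframe></body></html>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00constructed-bytes", maintype="image", subtype="gif",
                       filename="Document.doc.exe")
    return bytes(msg)
```

Run `score_message(build_sample())` to see the five reasons the constructed message triggers; a gateway would quarantine on any executable-attachment reason and log the rest.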
The extension of an infected attachment is selected from the following list:

exe
scr
pif

If the worm borrowed a file name from the infected computer, its attachment can have 2 or more extensions, for example DOCUMENT.DOC.EXE. The worm checks the extension of the file it borrows the name from and sets the content type of its attachment in the infected message accordingly. Extensions the worm checks:

reg ini bat h diz txt cpp c html htm jpeg jpg gif cpl dll vxd sys com exe bmp

The worm's attachment content types:

image/gif
image/jpeg
application/octet-stream
text/plain
text/html

The worm fakes the sender's e-mail address, so if you receive an infected message please do not reply to it, as the reply will most likely go to a person whose computer is not infected by the worm.

Spreading in local network

The worm has the ability to infect remote computers over a local network. It waits for some time before starting its infection cycle, then enumerates network shares, connects to them and tries to infect the same files in the Program Files and Windows folders on the remote computers as listed above under "Installation to system" (from %ProgramFilesDir%\winzip\winzip32.exe through %WinDir%\scandskw.exe), where %ProgramFilesDir% is the Program Files directory and %WinDir% is the Windows directory.

The worm also tries to locate the common Startup folder on remote computers and copies itself there as SETUP.EXE or with a random name and .EXE extension. As a result, remote computers become infected either after a restart or after a user there runs an infected file.

Killing processes

The worm kills the processes of certain anti-virus, security and other programs. It lists active processes every 20 seconds and terminates processes whose file names match any of the following:

_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ANTI-TROJAN.EXE APVXDWIN.EXE AUTODOWN.EXE
AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE
AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE
BLACKD.EXE BLACKICE.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE
CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE ESAFE.EXE
ESPWATCH.EXE F-AGNT95.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FINDVIRU.EXE FP-WIN.EXE
FPROT.EXE FRW.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE
ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE IOMON98.EXE JEDI.EXE LOCKDOWN2000.EXE
LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCANW.EXE NAVAPW32.EXE NAVLU32.EXE
NAVNT.EXE NAVW32.EXE NAVWNT.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE NUPGRADE.EXE NVC95.EXE
OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE
PERSFW.EXE RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE
SCRSCAN.EXE SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE TDS2-98.EXE
TDS2-NT.EXE VET95.EXE VETTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSSTAT.EXE
WEBSCANX.EXE WFINDV32.EXE ZONEALARM.EXE

The worm has separate process-killing routines for Windows 9x and Windows NT-based operating systems.

Affecting bank computers

The worm has a large list of domains belonging mostly to banks. At startup the worm checks the domain name of the infected computer and compares it to its internal list. If the domain name matches, the worm enables the AutoDial feature on the infected computer by modifying the following Registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial"=dword:00000001

The list of bank domains that the worm carries includes banks from many different countries: France, UK, Germany, Australia, Italy, Greece, Denmark, New Zealand, Spain, Brazil, Romania, Poland, Argentina, Switzerland, Finland, Taiwan, Turkey, Iceland, Slovakia, Korea, USA, South Africa, Baltic Republics, Austria, Hungary, Norway, Czech Republic and some other countries.

Side Effect

According to reports, network printers start to print a lot of garbage when the worm spreads in a network. This might be a side effect of the worm's attempts to infect the network.

Backdoor component

The worm has a backdoor component similar to the one used in its previous version. The backdoor listens on TCP port 1080 for commands from a remote host. A hacker can connect to the backdoor and perform the following actions:

- get information about the infected computer
- upload and download files
- start files
- delete files
- terminate processes
- get process list
- start keylogger
- start HTTP server on a selected port

++ There is more on the web site.

=================

More information

From Sophos Alert System:
More information about W32/Bugbear-B can be found at
http://www.sophos.com/virusinfo/analyses/w32bugbearb.html

From Trend Micro:
For more information on PE_BUGBEAR.B please visit our Web sites at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR
From MessageLabs:
For further information, please visit the MessageLabs website at: http://www.messagelabs.com and
<http://www.messagelabs.com/viruseye/info/default.asp?frompage=introduction&fromurl=%2Fviruseye%2Fintro%2Fdefault%2Easp&virusname=W32%2FBugBear%2EB%2Dmm>

From Kaspersky Labs:
For details describing Tanatos.a and Tanatos.b, please go to the Kaspersky Virus Encyclopedia at:
http://www.viruslist.com/eng/viruslist.html?id=52245

From Symantec:
W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a mass-mailing worm that also spreads through network shares. The worm is polymorphic and also infects a select list of executable files. The worm has keystroke-logging and backdoor capabilities and also attempts to terminate the processes of various antivirus and firewall programs.
http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@xxxxxxx

Symantec Removal tool
http://www.symantec.com/avcenter/venc/data/w32.bugbear@xxxxxxxxxxxxxxxxxxxx

~*~*~*~*~
To subscribe to our list send an email to hackfix-virushelp-request@xxxxxxxxxxxxx?Subject=subscribe. For a complete list of email commands for our list send an email to ecartis@xxxxxxxxxxxxx with a subject line of "info hackfix-virushelp" without the quotes.
~*~*~*~*~

To unsubscribe from this list send an email to pcductape-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the Web interface.