[pcductape] FW: Virus alert; PE_BUGBEAR.B / PE_BUGBEAR.B / WORM_BUGBEAR.A / I-Worm.Tanatos.B

  • From: "Pam" <ltf01@xxxxxxxxxx>
  • To: <pcductape@xxxxxxxxxxxxx>
  • Date: Fri, 13 Jun 2003 00:12:06 -0500

This comes from a virus list I am on.  Very reliable folks.  For anyone who
cares to join the AV group and stay up on the most current nasties, I left
the footer at the bottom of this message.
I am not affiliated with these folks, just been a member of their list for
several years and followed them over when they migrated from yahoo to
freelists.

Pam

******************************************


From F-Secure
http://f-secure.com/v-descs/bugbear_b.shtml
NAME: Bugbear.B
ALIAS: W32/Bugbear.B@mm, W32/Kijmo.A, I-Worm.Tanatos.B, Win32.Bugbear.B



THIS VIRUS IS RANKED AS LEVEL 1 ALERT
UNDER F-SECURE RADAR.
For more information, see:
http://www.F-Secure.com/products/radar/




UPDATE (2003-06-05 15:00 GMT)

F-Secure is raising the alert level on Bugbear.B (Tanatos.B) to level 1 as
it continues to spread rapidly. The number of reported infections has
increased drastically over the last 10 hours.

UPDATE (2003-06-05 9:55 GMT)

A new polymorphic virus/worm known as Bugbear.B is spreading in the wild.
The worm sends e-mails with varying contents. It uses a known, already
patched vulnerability to execute its attachment automatically when the
e-mail is opened in a vulnerable mail client.

UPDATE (2003-06-05 7:30 GMT)

A new polymorphic variant of Bugbear worm (Bugbear.B) was found in the wild
early morning on June 5th, 2003.


Technical Description

The worm's file is a Windows PE executable compressed with the UPX packer
and encrypted with a simple cipher whose key changes in every generation,
which is what makes the worm polymorphic. The packed file is 72192 bytes;
the unpacked code is over 170 kilobytes.


Installation to system

When the worm's file is run, it installs itself on the system by infecting
the executables of several popular applications and system tools. The
following files in the Program Files and Windows folders are infected:


 %ProgramFilesDir%\winzip\winzip32.exe
 %ProgramFilesDir%\kazaa\kazaa.exe
 %ProgramFilesDir%\ICQ\Icq.exe
 %ProgramFilesDir%\DAP\DAP.exe
 %ProgramFilesDir%\Winamp\winamp.exe
 %ProgramFilesDir%\AIM95\aim.exe
 %ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
 %ProgramFilesDir%\Trillian\Trillian.exe
 %ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
 %ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
 %ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
 %ProgramFilesDir%\WS_FTP\WS_FTP95.exe
 %ProgramFilesDir%\MSN Messenger\msnmsgr.exe
 %ProgramFilesDir%\ACDSee32\ACDSee32.exe
 %ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
 %ProgramFilesDir%\CuteFTP\cutftp32.exe
 %ProgramFilesDir%\Far\Far.exe
 %ProgramFilesDir%\Outlook Express\msimn.exe
 %ProgramFilesDir%\Real\RealPlayer\realplay.exe
 %ProgramFilesDir%\Windows Media Player\mplayer2.exe
 %ProgramFilesDir%\WinRAR\WinRAR.exe
 %ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
 %ProgramFilesDir%\Internet Explorer\iexplore.exe
 %WinDir%\winhelp.exe
 %WinDir%\notepad.exe
 %WinDir%\hh.exe
 %WinDir%\mplayer.exe
 %WinDir%\regedit.exe
 %WinDir%\scandskw.exe

where %ProgramFilesDir% is a Program Files directory and %WinDir% is Windows
directory.

The worm can also drop its file into the Startup folder, either with a random
name or as SETUP.EXE, so that it is activated on the next system restart.
Additionally the worm drops a keylogging component into the Windows System
directory with a random name and a DLL extension (MGLKCKK.DLL, for example).
The worm also creates two additional files in the Windows System folder in
which it stores its data in encrypted form.


Spreading in e-mails

The worm spreads in e-mail messages. It has its own SMTP engine. To find
e-mail addresses the worm looks for files with the following names and
extensions:


 .ODS
 .MMF
 .NCH
 .MBX
 .EML
 .TBB
 .DBX
 INBOX

Some of these files are mail-client databases and contain many e-mail
addresses. The worm sends itself to every address it finds, but it avoids
sending itself to addresses containing any of the following strings:


 remove
 spam
 undisclosed
 recipients
 noreply
 lyris
 virus
 trojan
 mailer-daemon
 postmaster@
 root@
 nobody@
 localhost
 localdomain
 list
 talk
 ticket
 majordom

The subject of an infected message is either taken from random files on an
infected computer or selected from the following list:


 Greets!
 Get 8 FREE issues - no risk!
 Hi!
 Your News Alert
 $150 FREE Bonus!
 Re:
 Your Gift
 New bonus in your cash account
 Tools For Your Online Business
 Daily Email Reminder
 News
 free shipping!
 its easy
 Warning!
 SCAM alert!!!
 Sponsors needed
 new reading
 CALL FOR INFORMATION!
 25 merchants and rising
 Cows
 My eBay ads
 empty account
 Market Update Report
 click on this!
 fantastic
 wow!
 bad news
 Lost & Found
 New Contests
 Today Only
 Get a FREE gift!
 Membership Confirmation
 Report
 Please Help...
 Stats
 I need help about script!!!
 Interesting...
 Introduction
 various
 Announcement
 history screen
 Correction of errors
 Just a reminder
 Payment notices
 hmm..
 update
 Hello!

The body of an infected message can be empty or can contain text taken from a
random file on the infected computer. The body can also contain an IFRAME
exploit, which lets the worm run automatically on some configurations as soon
as the infected e-mail is viewed (for example, Outlook with IE 5.0 or 5.01).
This vulnerability has been fixed, and a patch is available from the
Microsoft site:

http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp


The attachment name can be SETUP.EXE or it can contain one of the following
strings:


 readme
 Setup
 Card
 Docs
 news
 image
 images
 pics
 resume
 photo
 video
 music
 song
 data

The worm can also "borrow" a name from a random file on an infected
computer. The extension of an infected attachment is selected from the
following list:


 exe
 scr
 pif

When the worm borrows a file name from the infected computer, its attachment
can end up with two or more extensions, for example DOCUMENT.DOC.EXE. The
worm checks the extension of the file it borrows the name from and sets the
content type of the attachment in the infected message accordingly, so the
declared MIME type does not reflect the executable that is actually attached.

Extensions the worm checks:


 reg
 ini
 bat
 h
 diz
 txt
 cpp
 c
 html
 htm
 jpeg
 jpg
 gif
 cpl
 dll
 vxd
 sys
 com
 exe
 bmp

Worm's attachment content types:


 image/gif
 image/jpeg
 application/octet-stream
 text/plain
 text/html

The worm spoofs the sender's e-mail address. If you receive an infected
message, do not reply to it: the reply will most likely reach a person whose
computer is not infected by the worm.


Spreading in local network

The worm has the ability to infect remote computers over a local network. It
waits for some time before starting its infection cycle and then enumerates
network shares, connects to them and tries to infect the following files in
Program Files and Windows folders on remote computers:


 %ProgramFilesDir%\winzip\winzip32.exe
 %ProgramFilesDir%\kazaa\kazaa.exe
 %ProgramFilesDir%\ICQ\Icq.exe
 %ProgramFilesDir%\DAP\DAP.exe
 %ProgramFilesDir%\Winamp\winamp.exe
 %ProgramFilesDir%\AIM95\aim.exe
 %ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
 %ProgramFilesDir%\Trillian\Trillian.exe
 %ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
 %ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
 %ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
 %ProgramFilesDir%\WS_FTP\WS_FTP95.exe
 %ProgramFilesDir%\MSN Messenger\msnmsgr.exe
 %ProgramFilesDir%\ACDSee32\ACDSee32.exe
 %ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
 %ProgramFilesDir%\CuteFTP\cutftp32.exe
 %ProgramFilesDir%\Far\Far.exe
 %ProgramFilesDir%\Outlook Express\msimn.exe
 %ProgramFilesDir%\Real\RealPlayer\realplay.exe
 %ProgramFilesDir%\Windows Media Player\mplayer2.exe
 %ProgramFilesDir%\WinRAR\WinRAR.exe
 %ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
 %ProgramFilesDir%\Internet Explorer\iexplore.exe
 %WinDir%\winhelp.exe
 %WinDir%\notepad.exe
 %WinDir%\hh.exe
 %WinDir%\mplayer.exe
 %WinDir%\regedit.exe
 %WinDir%\scandskw.exe

where %ProgramFilesDir% is a Program Files directory and %WinDir% is Windows
directory.

The worm also tries to locate the common Startup folder on remote computers
and copies itself there as SETUP.EXE or with a random name and an .EXE
extension.

As a result remote computers will become infected either after restart or
after a user there runs an infected file.


Killing processes

The worm kills processes of certain anti-virus, security and other programs.
It lists active processes every 20 seconds and terminates processes whose
file names match any of the following:


 _AVP32.EXE
 _AVPCC.EXE
 _AVPM.EXE
 ACKWIN32.EXE
 ANTI-TROJAN.EXE
 APVXDWIN.EXE
 AUTODOWN.EXE
 AVCONSOL.EXE
 AVE32.EXE
 AVGCTRL.EXE
 AVKSERV.EXE
 AVNT.EXE
 AVP.EXE
 AVP32.EXE
 AVPCC.EXE
 AVPDOS32.EXE
 AVPM.EXE
 AVPTC32.EXE
 AVPUPD.EXE
 AVSCHED32.EXE
 AVWIN95.EXE
 AVWUPD32.EXE
 BLACKD.EXE
 BLACKICE.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 CFINET32.EXE
 CLAW95.EXE
 CLAW95CF.EXE
 CLEANER.EXE
 CLEANER3.EXE
 DVP95.EXE
 DVP95_0.EXE
 ECENGINE.EXE
 ESAFE.EXE
 ESPWATCH.EXE
 F-AGNT95.EXE
 F-PROT.EXE
 F-PROT95.EXE
 F-STOPW.EXE
 FINDVIRU.EXE
 FP-WIN.EXE
 FPROT.EXE
 FRW.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 IBMASN.EXE
 IBMAVSP.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFACE.EXE
 IOMON98.EXE
 JEDI.EXE
 LOCKDOWN2000.EXE
 LOOKOUT.EXE
 LUALL.EXE
 MOOLIVE.EXE
 MPFTRAY.EXE
 N32SCANW.EXE
 NAVAPW32.EXE
 NAVLU32.EXE
 NAVNT.EXE
 NAVW32.EXE
 NAVWNT.EXE
 NISUM.EXE
 NMAIN.EXE
 NORMIST.EXE
 NUPGRADE.EXE
 NVC95.EXE
 OUTPOST.EXE
 PADMIN.EXE
 PAVCL.EXE
 PAVSCHED.EXE
 PAVW.EXE
 PCCWIN98.EXE
 PCFWALLICON.EXE
 PERSFW.EXE
 RAV7.EXE
 RAV7WIN.EXE
 RESCUE.EXE
 SAFEWEB.EXE
 SCAN32.EXE
 SCAN95.EXE
 SCANPM.EXE
 SCRSCAN.EXE
 SERV95.EXE
 SMC.EXE
 SPHINX.EXE
 SWEEP95.EXE
 TBSCAN.EXE
 TCA.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 VET95.EXE
 VETTRAY.EXE
 VSCAN40.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSSTAT.EXE
 WEBSCANX.EXE
 WFINDV32.EXE
 ZONEALARM.EXE

The worm has separate process killing routines for Windows 9x and Windows
NT-based operating systems.


Affecting bank computers

The worm has a large list of domains belonging mostly to banks. At startup
the worm checks the domain name of the infected computer and compares it to
its internal list. If the domain name matches, the worm enables the AutoDial
feature on the infected computer by modifying the following Registry key:


 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
 "EnableAutodial"=dword:00000001

The list of bank domains that the worm carries includes banks from many
different countries: France, UK, Germany, Australia, Italy, Greece, Denmark,
New Zealand, Spain, Brazil, Romania, Poland, Argentina, Switzerland,
Finland, Taiwan, Turkey, Iceland, Slovakia, Korea, USA, South Africa, the
Baltic Republics, Austria, Hungary, Norway, Czech Republic and some other
countries.


Side Effect

According to reports, network printers start printing large amounts of
garbage when the worm spreads in a network. This is probably a side effect
of the worm's attempts to write to every share it enumerates, including
shared printers.


Backdoor component

The worm has a backdoor component similar to the one used in its previous
version. The backdoor listens on TCP port 1080 for commands from a remote
host. An attacker who connects to the backdoor can perform the following
actions:



 - get information about infected computer
 - upload and download files
 - start files
 - delete files
 - terminate processes
 - get process list
 - start keylogger
 - start HTTP server on a selected port
++ There is more on the web site.

=================
More information
From; Sophos Alert System:
More information about W32/Bugbear-B can be found at
http://www.sophos.com/virusinfo/analyses/w32bugbearb.html

From; Trend Micro
For more information on PE_BUGBEAR.B please visit our Web sites at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A

From; MessageLabs
For further information, please visit the MessageLabs website at:
http://www.messagelabs.com and
http://www.messagelabs.com/viruseye/info/default.asp?frompage=introduction&fromurl=%2Fviruseye%2Fintro%2Fdefault%2Easp&virusname=W32%2FBugBear%2EB%2Dmm

From; Kaspersky Labs
For details describing Tanatos.a and Tanatos.b, please go to the
Kaspersky Virus Encyclopedia at:
http://www.viruslist.com/eng/viruslist.html?id=52245

From Symantec;
W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a
mass-mailing worm that also spreads through network shares.
The worm is polymorphic and also infects a select list of executable files.
The worm has keystroke-logging and backdoor capabilities and also attempts
to terminate the processes of various antivirus and firewall programs.
http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@xxxxxxx

Symantec Removal tool
http://www.symantec.com/avcenter/venc/data/w32.bugbear@xxxxxxxxxxxxxxxxxxxx



~*~*~*~*~
To subscribe to our list send an email
to hackfix-virushelp-request@xxxxxxxxxxxxx?Subject=subscribe.

For a complete list of email commands for our list send
an email to ecartis@xxxxxxxxxxxxx with a subject line of
"info hackfix-virushelp" without the quotes.
~*~*~*~*~
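Added example, not part of Pam's message or the F-Secure write-up: the "Installation to system" and "Spreading in local network" sections above list the executables the worm overwrites, and the technical description says the worm body is UPX-packed. The Python below parses the PE section table of a file and flags the UPX section names, as a triage heuristic for those paths on a host or on a share. It assumes (this is an assumption, not something the advisory states) that an infected host file carries the worm's packed header; the WATCHLIST placeholders, the test-PE builder and the sample bytes are constructed here. UPX section names also appear in plenty of legitimate software, so a hit means "look closer", not "infected"; a real check should also compare hashes against known-good copies.

```python
import struct

# Section names the UPX packer writes into a PE. Their presence is only a
# triage signal: legitimate software ships UPX-packed too, and a packer can
# rename sections, so a hit means "inspect this file", not "infected".
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# A subset of the paths the advisory lists; %WinDir% and %ProgramFilesDir%
# are the advisory's placeholders, which the caller must resolve.
WATCHLIST = [
    r"%WinDir%\notepad.exe",
    r"%WinDir%\regedit.exe",
    r"%WinDir%\winhelp.exe",
    r"%ProgramFilesDir%\Internet Explorer\iexplore.exe",
    r"%ProgramFilesDir%\Outlook Express\msimn.exe",
]


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image.

    Raises ValueError if the bytes are not a structurally valid PE
    (MZ stub, e_lfanew pointer, 'PE\\0\\0' signature, COFF header and a
    section table that fits inside the file).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    if table + 40 * nsec > len(data):
        raise ValueError("section table truncated")
    # IMAGE_SECTION_HEADER is 40 bytes; the first 8 hold the NUL-padded name.
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a UPX name (heuristic, see above)."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_test_pe(section_names) -> bytes:
    """Construct a minimal, non-runnable PE skeleton with the given section
    names. Constructed test input only; the optional header is omitted."""
    e_lfanew = 0x40
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(header) + b"PE\0\0" + coff + sections


def _read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def triage_paths(paths, read=_read_file) -> list:
    """Return the paths whose PE section names look UPX-packed. Files that
    are missing or not PE are skipped; `read` is injectable for testing."""
    flagged = []
    for path in paths:
        try:
            if looks_upx_packed(read(path)):
                flagged.append(path)
        except (OSError, ValueError):
            continue
    return flagged


if __name__ == "__main__":
    # Constructed demo: one "packed" binary, one clean one, one non-PE file.
    fake_fs = {
        "notepad.exe": build_test_pe([b"UPX0", b"UPX1", b".rsrc"]),
        "regedit.exe": build_test_pe([b".text", b".data", b".rsrc"]),
        "readme.txt": b"not a PE at all",
    }
    print(triage_paths(list(fake_fs), read=fake_fs.__getitem__))
```

On a live host, replace the injected reader with the default file reader and feed it the resolved WATCHLIST paths (or the same paths under each reachable share). Treat the output as a queue for manual inspection or hash comparison, not as a verdict.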

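Added example, not part of Pam's message or the F-Secure write-up: the "Spreading in e-mails" section above describes attachments named with a borrowed file name plus an .exe/.scr/.pif extension, a Content-Type chosen to match the borrowed name rather than the executable, and an IFRAME in the message body that launches the attachment. The Python below parses one message with the standard library and flags exactly those traits. The sample message is constructed here to resemble that description and is not a real capture; the type-to-extension table is an assumption covering only the content types the advisory lists.

```python
import base64
import email
from email import policy

EXEC_EXTS = {"exe", "scr", "pif"}          # attachment extensions the advisory lists
# What a declared Content-Type should carry; a .exe labelled image/gif is a mismatch.
TYPE_TO_EXTS = {
    "image/gif": {"gif"},
    "image/jpeg": {"jpg", "jpeg"},
    "text/plain": {"txt"},
    "text/html": {"htm", "html"},
}


def inspect_message(raw: bytes) -> list:
    """Parse one RFC 822 message and return one finding per suspicious part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename()          # Content-Disposition filename or Content-Type name
        reasons = []
        if name:
            exts = name.lower().split(".")[1:]
            last = exts[-1] if exts else ""
            if last in EXEC_EXTS:
                reasons.append(f"executable extension .{last}")
            if len(exts) >= 2:
                reasons.append("double extension ." + ".".join(exts))
            if declared in TYPE_TO_EXTS and last not in TYPE_TO_EXTS[declared]:
                reasons.append(f"declared {declared} but filename ends in .{last}")
        # Content sniffing: a Windows executable starts with the MZ signature
        # whatever the headers claim.
        if payload[:2] == b"MZ":
            reasons.append("payload starts with MZ (Windows executable)")
        # An HTML body that pulls an attachment in through an IFRAME is the
        # auto-launch trick the advisory describes.
        body = payload.lower()
        if declared == "text/html" and b"<iframe" in body and b"cid:" in body:
            reasons.append("HTML body embeds an attachment via <iframe src=cid:...>")
        if reasons:
            findings.append({"filename": name, "content_type": declared, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample resembling the advisory's description; not a real capture."""
    exe_stub = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 28).decode()
    return (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: Your Gift\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        '<html><body><iframe src="cid:photo" width=0 height=0></iframe></body></html>\r\n'
        "--b1\r\n"
        'Content-Type: image/gif; name="photo.gif.exe"\r\n'
        "Content-ID: <photo>\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{exe_stub}\r\n"
        "--b1\r\n"
        'Content-Type: text/plain; name="readme.txt"\r\n'
        "\r\n"
        "harmless notes\r\n"
        "--b1--\r\n"
    ).encode()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

The same function can be pointed at a mailbox export by feeding it each message's raw bytes. The MZ sniff is the check that survives renaming: the filename and Content-Type are attacker-controlled, the first two bytes of a PE are not.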

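Added example, not part of Pam's message or the F-Secure write-up: two network-visible traits from the advisory are that the backdoor listens on TCP port 1080 and that the worm mails itself with its own SMTP engine rather than through the site's mail server. The Python below runs both checks over firewall-style log lines. The log format, the internal ranges, the approved SOCKS proxy and mail relay addresses, and the fan-out threshold are all assumptions chosen for the example; the log lines are constructed, not a real capture.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed firewall-style log lines (not a real capture). The field layout
# is an assumption; point LOG_RE at your own firewall's export format.
SAMPLE_LOG = """\
2003-06-05T10:00:01Z src=203.0.113.5 dst=10.0.0.23 proto=tcp dport=1080 action=allow
2003-06-05T10:00:02Z src=203.0.113.5 dst=10.0.0.1 proto=tcp dport=1080 action=allow
2003-06-05T10:00:03Z src=10.0.0.23 dst=198.51.100.10 proto=tcp dport=25 action=allow
2003-06-05T10:00:04Z src=10.0.0.23 dst=198.51.100.11 proto=tcp dport=25 action=allow
2003-06-05T10:00:05Z src=10.0.0.23 dst=198.51.100.12 proto=tcp dport=25 action=allow
2003-06-05T10:00:06Z src=10.0.0.23 dst=198.51.100.13 proto=tcp dport=25 action=allow
2003-06-05T10:00:07Z src=10.0.0.23 dst=198.51.100.14 proto=tcp dport=25 action=allow
2003-06-05T10:00:08Z src=10.0.0.2 dst=198.51.100.10 proto=tcp dport=25 action=allow
2003-06-05T10:00:09Z src=10.0.0.40 dst=10.0.0.2 proto=tcp dport=25 action=allow
2003-06-05T10:00:10Z src=203.0.113.9 dst=10.0.0.23 proto=udp dport=1080 action=deny
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
KNOWN_SOCKS = {"10.0.0.1"}   # hypothetical: hosts that legitimately listen on TCP/1080
MAIL_RELAYS = {"10.0.0.2"}   # hypothetical: hosts allowed to open outbound SMTP
SMTP_FANOUT = 5              # distinct external mail servers before a workstation is flagged


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def analyse(log_text: str, known_socks=KNOWN_SOCKS, mail_relays=MAIL_RELAYS,
            fanout=SMTP_FANOUT) -> dict:
    """Return internal hosts reached on the backdoor port and internal hosts
    talking SMTP directly to many external servers."""
    backdoor = set()
    smtp_targets = {}   # internal src -> set of external SMTP destinations
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"].lower() != "tcp":
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        # Inbound TCP/1080 to an internal host that is not an approved proxy:
        # something is talking to the port the advisory names for the backdoor.
        if dport == 1080 and is_internal(dst) and dst not in known_socks:
            backdoor.add(dst)
        # Direct-to-MX SMTP from a workstation: the worm's own SMTP engine
        # bypasses the relay, so fan-out to many external mail servers is a tell.
        if dport == 25 and is_internal(src) and src not in mail_relays and not is_internal(dst):
            smtp_targets.setdefault(src, set()).add(dst)
    return {
        "backdoor_candidates": sorted(backdoor),
        "smtp_fanout": sorted(h for h, t in smtp_targets.items() if len(t) >= fanout),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Both checks are cheap to add to an existing log pipeline. The SMTP fan-out rule is the more durable of the two, since it does not depend on the backdoor port number; blocking outbound TCP/25 from workstations at the perimeter, with the relay as the only exception, turns the same observation into a preventive control.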