Hi Pam,

Thanks for that very informative email message about the worm Bugbear. That darn thing disables anti-virus programs! So how do we prevent re-infection? I notice it has targeted banks worldwide. Good gosh. I have joined the AV list. I need to stay up to date on viruses.

Carl

----- Original Message -----
From: "Pam" <ltf01@xxxxxxxxxx>
To: <pcductape@xxxxxxxxxxxxx>
Sent: Friday, June 13, 2003 12:12 AM
Subject: [pcductape] FW: Virus alert; PE_BUGBEAR.B / PE_BUGBEAR.B / WORM_BUGBEAR.A / I-Worm.Tanatos.B

> This comes from a virus list I am on. Very reliable folks. Anyone who
> cares to join the AV group and stay up on the most current nasties: I left
> the footer at the bottom of this message.
> I am not affiliated with these folks, just been a member of their list for
> several years and followed them over when they migrated from Yahoo to
> FreeLists.
>
> Pam
>
> ******************************************
>
> From F-Secure
> http://f-secure.com/v-descs/bugbear_b.shtml
>
> NAME: Bugbear.B
> ALIAS: W32/Bugbear.B@mm, W32/Kijmo.A, I-Worm.Tanatos.B, Win32.Bugbear.B
>
> THIS VIRUS IS RANKED AS LEVEL 1 ALERT
> UNDER F-SECURE RADAR.
> For more information, see:
> http://www.F-Secure.com/products/radar/
>
> UPDATE (2003-06-05 15:00 GMT)
>
> F-Secure is raising the alert level on Bugbear.B (Tanatos.B) to level 1 as
> it continues to spread rapidly. The number of reported infections has
> increased drastically over the last 10 hours.
>
> UPDATE (2003-06-05 9:55 GMT)
>
> A new polymorphic virus-worm known as Bugbear.B is spreading in the wild.
> The worm sends e-mails with various contents. It uses a known vulnerability
> to execute the attachment automatically when the e-mail is opened.
>
> UPDATE (2003-06-05 7:30 GMT)
>
> A new polymorphic variant of the Bugbear worm (Bugbear.B) was found in the wild
> early morning on June 5th, 2003.
>
> Technical Description
>
> The worm's file is a Windows PE executable file compressed with the UPX file
> compressor and encrypted with a simple cryptoalgorithm that changes in every
> worm generation, making the worm polymorphic. The packed worm's file size is
> 72192 bytes, the unpacked size is over 170 kilobytes.
>
> Installation to system
>
> When the worm's file is run, it installs itself to the system by infecting files
> of several popular applications and system tools. The following files in the
> Program Files and Windows folders are infected:
>
> %ProgramFilesDir%\winzip\winzip32.exe
> %ProgramFilesDir%\kazaa\kazaa.exe
> %ProgramFilesDir%\ICQ\Icq.exe
> %ProgramFilesDir%\DAP\DAP.exe
> %ProgramFilesDir%\Winamp\winamp.exe
> %ProgramFilesDir%\AIM95\aim.exe
> %ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
> %ProgramFilesDir%\Trillian\Trillian.exe
> %ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
> %ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
> %ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
> %ProgramFilesDir%\WS_FTP\WS_FTP95.exe
> %ProgramFilesDir%\MSN Messenger\msnmsgr.exe
> %ProgramFilesDir%\ACDSee32\ACDSee32.exe
> %ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
> %ProgramFilesDir%\CuteFTP\cutftp32.exe
> %ProgramFilesDir%\Far\Far.exe
> %ProgramFilesDir%\Outlook Express\msimn.exe
> %ProgramFilesDir%\Real\RealPlayer\realplay.exe
> %ProgramFilesDir%\Windows Media Player\mplayer2.exe
> %ProgramFilesDir%\WinRAR\WinRAR.exe
> %ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
> %ProgramFilesDir%\Internet Explorer\iexplore.exe
> %WinDir%\winhelp.exe
> %WinDir%\notepad.exe
> %WinDir%\hh.exe
> %WinDir%\mplayer.exe
> %WinDir%\regedit.exe
> %WinDir%\scandskw.exe
>
> where %ProgramFilesDir% is the Program Files directory and %WinDir% is the Windows
> directory.
>
> The worm can also drop its file to the Startup folder with a random name or as
> SETUP.EXE, so it will be activated on the next system restart.
> Additionally the
> worm drops a keylogging component in the Windows System directory with a random
> name and DLL extension. The name can be MGLKCKK.DLL, for example. Also the
> worm creates 2 additional files in the Windows System folder where it stores its
> data in encrypted form.
>
> Spreading in e-mails
>
> The worm spreads in e-mail messages. It has its own SMTP engine. To find
> e-mail addresses the worm looks for files with the following names and
> extensions:
>
> .ODS
> .MMF
> .NCH
> .MBX
> .EML
> .TBB
> .DBX
> INBOX
>
> Some of these files are e-mail databases and they contain a lot of e-mail
> addresses. The worm sends itself to all found addresses. However, it avoids
> sending itself to e-mail addresses containing any of the following:
>
> remove
> spam
> undisclosed
> recipients
> noreply
> lyris
> virus
> trojan
> mailer-daemon
> postmaster@
> root@
> nobody@
> localhost
> localdomain
> list
> talk
> ticket
> majordom
>
> The subject of an infected message is either taken from random files on an
> infected computer or selected from the following list:
>
> Greets!
> Get 8 FREE issues - no risk!
> Hi!
> Your News Alert
> $150 FREE Bonus!
> Re:
> Your Gift
> New bonus in your cash account
> Tools For Your Online Business
> Daily Email Reminder
> News
> free shipping!
> its easy
> Warning!
> SCAM alert!!!
> Sponsors needed
> new reading
> CALL FOR INFORMATION!
> 25 merchants and rising
> Cows
> My eBay ads
> empty account
> Market Update Report
> click on this!
> fantastic
> wow!
> bad news
> Lost & Found
> New Contests
> Today Only
> Get a FREE gift!
> Membership Confirmation
> Report
> Please Help...
> Stats
> I need help about script!!!
> Interesting...
> Introduction
> various
> Announcement
> history screen
> Correction of errors
> Just a reminder
> Payment notices
> hmm..
> update
> Hello!
>
> The body of an infected message can be empty or it can contain text from a
> random file on an infected computer.
> The body of an infected message can
> contain an I-Frame exploit. It allows the worm to run automatically on some
> computers when an infected e-mail is viewed (for example, with Outlook and
> IE 5.0 or 5.01). This vulnerability is fixed and a patch for it is available
> on the Microsoft site:
>
> http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
>
> The attachment name can be SETUP.EXE or it can contain one of the following
> strings:
>
> readme
> Setup
> Card
> Docs
> news
> image
> images
> pics
> resume
> photo
> video
> music
> song
> data
>
> The worm can also "borrow" a name from a random file on an infected
> computer. The extension of an infected attachment is selected from the
> following list:
>
> exe
> scr
> pif
>
> In case the worm used a file's name from an infected computer, the worm's
> attachment can have 2 or more extensions, for example DOCUMENT.DOC.EXE. The
> worm checks the extension of the file it borrows the name from and sets the
> content type of its attachment in an infected message accordingly.
>
> Extensions the worm checks:
>
> reg
> ini
> bat
> h
> diz
> txt
> cpp
> c
> html
> htm
> jpeg
> jpg
> gif
> cpl
> dll
> vxd
> sys
> com
> exe
> bmp
>
> Worm's attachment content types:
>
> image/gif
> image/jpeg
> application/octet-stream
> text/plain
> text/html
>
> The worm fakes the sender's e-mail address, so if you receive an infected
> message please do not reply to it, as it will most likely go to a person
> whose computer is not infected by the worm.
>
> Spreading in local network
>
> The worm has the ability to infect remote computers over a local network.
> It
> waits for some time before starting its infection cycle and then enumerates
> network shares, connects to them and tries to infect the following files in the
> Program Files and Windows folders on remote computers:
>
> %ProgramFilesDir%\winzip\winzip32.exe
> %ProgramFilesDir%\kazaa\kazaa.exe
> %ProgramFilesDir%\ICQ\Icq.exe
> %ProgramFilesDir%\DAP\DAP.exe
> %ProgramFilesDir%\Winamp\winamp.exe
> %ProgramFilesDir%\AIM95\aim.exe
> %ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
> %ProgramFilesDir%\Trillian\Trillian.exe
> %ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
> %ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
> %ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
> %ProgramFilesDir%\WS_FTP\WS_FTP95.exe
> %ProgramFilesDir%\MSN Messenger\msnmsgr.exe
> %ProgramFilesDir%\ACDSee32\ACDSee32.exe
> %ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
> %ProgramFilesDir%\CuteFTP\cutftp32.exe
> %ProgramFilesDir%\Far\Far.exe
> %ProgramFilesDir%\Outlook Express\msimn.exe
> %ProgramFilesDir%\Real\RealPlayer\realplay.exe
> %ProgramFilesDir%\Windows Media Player\mplayer2.exe
> %ProgramFilesDir%\WinRAR\WinRAR.exe
> %ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
> %ProgramFilesDir%\Internet Explorer\iexplore.exe
> %WinDir%\winhelp.exe
> %WinDir%\notepad.exe
> %WinDir%\hh.exe
> %WinDir%\mplayer.exe
> %WinDir%\regedit.exe
> %WinDir%\scandskw.exe
>
> where %ProgramFilesDir% is the Program Files directory and %WinDir% is the Windows
> directory.
>
> Also the worm tries to locate the common startup folder on remote computers and
> copies itself there as SETUP.EXE or with a random name and .EXE extension.
>
> As a result remote computers will become infected either after restart or
> after a user there runs an infected file.
>
> Killing processes
>
> The worm kills processes of certain anti-virus, security and other programs.
> It lists active processes every 20 seconds and terminates processes whose
> file names match any of the following:
>
> _AVP32.EXE
> _AVPCC.EXE
> _AVPM.EXE
> ACKWIN32.EXE
> ANTI-TROJAN.EXE
> APVXDWIN.EXE
> AUTODOWN.EXE
> AVCONSOL.EXE
> AVE32.EXE
> AVGCTRL.EXE
> AVKSERV.EXE
> AVNT.EXE
> AVP.EXE
> AVP32.EXE
> AVPCC.EXE
> AVPDOS32.EXE
> AVPM.EXE
> AVPTC32.EXE
> AVPUPD.EXE
> AVSCHED32.EXE
> AVWIN95.EXE
> AVWUPD32.EXE
> BLACKD.EXE
> BLACKICE.EXE
> CFIADMIN.EXE
> CFIAUDIT.EXE
> CFINET.EXE
> CFINET32.EXE
> CLAW95.EXE
> CLAW95CF.EXE
> CLEANER.EXE
> CLEANER3.EXE
> DVP95.EXE
> DVP95_0.EXE
> ECENGINE.EXE
> ESAFE.EXE
> ESPWATCH.EXE
> F-AGNT95.EXE
> F-PROT.EXE
> F-PROT95.EXE
> F-STOPW.EXE
> FINDVIRU.EXE
> FP-WIN.EXE
> FPROT.EXE
> FRW.EXE
> IAMAPP.EXE
> IAMSERV.EXE
> IBMASN.EXE
> IBMAVSP.EXE
> ICLOAD95.EXE
> ICLOADNT.EXE
> ICMON.EXE
> ICSUPP95.EXE
> ICSUPPNT.EXE
> IFACE.EXE
> IOMON98.EXE
> JEDI.EXE
> LOCKDOWN2000.EXE
> LOOKOUT.EXE
> LUALL.EXE
> MOOLIVE.EXE
> MPFTRAY.EXE
> N32SCANW.EXE
> NAVAPW32.EXE
> NAVLU32.EXE
> NAVNT.EXE
> NAVW32.EXE
> NAVWNT.EXE
> NISUM.EXE
> NMAIN.EXE
> NORMIST.EXE
> NUPGRADE.EXE
> NVC95.EXE
> OUTPOST.EXE
> PADMIN.EXE
> PAVCL.EXE
> PAVSCHED.EXE
> PAVW.EXE
> PCCWIN98.EXE
> PCFWALLICON.EXE
> PERSFW.EXE
> RAV7.EXE
> RAV7WIN.EXE
> RESCUE.EXE
> SAFEWEB.EXE
> SCAN32.EXE
> SCAN95.EXE
> SCANPM.EXE
> SCRSCAN.EXE
> SERV95.EXE
> SMC.EXE
> SPHINX.EXE
> SWEEP95.EXE
> TBSCAN.EXE
> TCA.EXE
> TDS2-98.EXE
> TDS2-NT.EXE
> VET95.EXE
> VETTRAY.EXE
> VSCAN40.EXE
> VSECOMR.EXE
> VSHWIN32.EXE
> VSSTAT.EXE
> WEBSCANX.EXE
> WFINDV32.EXE
> ZONEALARM.EXE
>
> The worm has separate process-killing routines for Windows 9x and Windows
> NT-based operating systems.
>
> Affecting bank computers
>
> The worm has a large list of domains belonging mostly to banks. At startup
> the worm checks the domain name of an infected computer and then compares it
> to its internal list.
> If the domain name matches, the worm enables the
> AutoDial feature on an infected computer by modifying the following Registry
> key:
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
> "EnableAutodial"=dword:00000001
>
> The list of bank domains that the worm has includes banks from many
> different countries: France, UK, Germany, Australia, Italy, Greece, Denmark,
> New Zealand, Spain, Brazil, Romania, Poland, Argentina, Switzerland,
> Finland, Taiwan, Turkey, Iceland, Slovakia, Korea, USA, South Africa, Baltic
> Republics, Austria, Hungary, Norway, Czech Republic and some other
> countries.
>
> Side Effect
>
> According to reports, network printers start to print a lot of garbage when
> the worm spreads in a network. This might be a side-effect of the worm's
> attempts to infect a network.
>
> Backdoor component
>
> The worm has a backdoor component similar to the one used in its previous
> version. The backdoor listens on TCP port 1080 for commands from a remote
> host. A hacker can connect to the backdoor and perform the following actions:
>
> - get information about the infected computer
> - upload and download files
> - start files
> - delete files
> - terminate processes
> - get process list
> - start keylogger
> - start HTTP server on a selected port
>
> ++ There is more on the web site.
>
> =================
> More information
>
> From Sophos Alert System:
> More information about W32/Bugbear-B can be found at
> http://www.sophos.com/virusinfo/analyses/w32bugbearb.html
>
> From Trend Micro:
> For more information on PE_BUGBEAR.B please visit our Web sites at:
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A
>
> From MessageLabs:
> For further information, please visit the MessageLabs website at:
> http://www.messagelabs.com and
> <http://www.messagelabs.com/viruseye/info/default.asp?frompage=introduction&fromurl=%2Fviruseye%2Fintro%2Fdefault%2Easp&virusname=W32%2FBugBear%2EB%2Dmm>
>
> From Kaspersky Labs:
> For details describing Tanatos.a and Tanatos.b, please go to the
> Kaspersky Virus Encyclopedia at:
> http://www.viruslist.com/eng/viruslist.html?id=52245
>
> From Symantec:
> W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a
> mass-mailing worm that also spreads through network shares.
> The worm is polymorphic and also infects a select list of executable files.
> The worm has keystroke-logging and backdoor capabilities and also attempts
> to terminate the processes of various antivirus and firewall programs.
> http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@xxxxxxx
>
> Symantec Removal tool
> http://www.symantec.com/avcenter/venc/data/w32.bugbear@xxxxxxxxxxxxxxxxxxxx
>
> ~*~*~*~*~
> To subscribe to our list send an email
> to hackfix-virushelp-request@xxxxxxxxxxxxx?Subject=subscribe.
>
> For a complete list of email commands for our list send
> an email to ecartis@xxxxxxxxxxxxx with a subject line of
> "info hackfix-virushelp" without the quotes.
> ~*~*~*~*~
>
> To unsubscribe from this list send an email to
> pcductape-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
> OR by logging into the Web interface.
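A mail-gateway triage check for the message traits the forwarded advisory describes (added example, not F-Secure's or the list's code). It flags an exe/scr/pif attachment, a borrowed name with a double extension like DOCUMENT.DOC.EXE, an executable attachment labelled with one of the worm's image or text content types, a subject from the worm's list, and an IFRAME in an HTML body; the subject subset, the two-finding threshold and the sample message are constructed assumptions.

```python
"""Triage a raw e-mail for the Bugbear.B traits the advisory describes (added
example, not F-Secure's or the list's code): exe/scr/pif attachment, double
extension such as DOCUMENT.DOC.EXE, non-executable MIME label on it, subject
from the worm's list, IFRAME in an HTML body. Subset/threshold are assumed."""
import email
from email import policy

WORM_SUBJECTS = {"greets!", "hi!", "your gift", "cows", "wow!", "bad news",
                 "hello!", "update", "report", "stats", "warning!"}
EXEC_EXTS = {"exe", "scr", "pif"}
FAKE_TYPES = {"image/gif", "image/jpeg", "text/plain", "text/html"}


def triage(raw: bytes) -> dict:
    """Return the matched traits and a verdict for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if str(msg["Subject"] or "").strip().lower() in WORM_SUBJECTS:
        findings.append("subject-from-worm-list")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            pieces = name.lower().split(".")
            if pieces[-1] in EXEC_EXTS:
                findings.append("executable-attachment")
                if len(pieces) > 2:  # borrowed name plus the worm's extension
                    findings.append("double-extension")
                if part.get_content_type() in FAKE_TYPES:
                    findings.append("content-type-mismatch")
        elif part.get_content_type() == "text/html":
            if "<iframe" in part.get_content().lower():
                findings.append("iframe-in-html-body")
    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample shaped like the advisory's description, not a capture.
WORM_LIKE = b"""Subject: Your Gift
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><iframe></iframe></html>
--b1
Content-Type: image/gif
Content-Disposition: attachment; filename="document.doc.exe"

MZ-stub
--b1--
"""
```

Run `triage(WORM_LIKE)` to see all five traits fire; a message with a plain PDF attachment and an ordinary subject produces no findings.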