[pcductape] Re: FW: Virus alert; PE_BUGBEAR.B / PE_BUGBEAR.B / WORM_BUGBEAR.A / I-Worm.Tanatos.B

  • From: "Ctm007" <ctm007@xxxxxxxxxxxxxx>
  • To: <pcductape@xxxxxxxxxxxxx>
  • Date: Fri, 13 Jun 2003 00:26:01 -0500

Hi Pam,
Thanks for that very informative email message about the worm Bugbear.
That darn thing disables anti-virus programs! So how do we prevent
re-infection? I notice it has targeted banks worldwide. Good gosh.
I have joined the AV list. I need to stay up to date on viruses.
Carl

----- Original Message ----- 
From: "Pam" <ltf01@xxxxxxxxxx>
To: <pcductape@xxxxxxxxxxxxx>
Sent: Friday, June 13, 2003 12:12 AM
Subject: [pcductape] FW: Virus alert; PE_BUGBEAR.B / PE_BUGBEAR.B /
WORM_BUGBEAR.A / I-Worm.Tanatos.B


> This comes from a virus list I am on.  Very reliable folks.  Anyone who
> cares to join the AV group and stay up on the most current nasties: I left
> the footer at the bottom of this message.
> I am not affiliated with these folks, just been a member of their list for
> several years and followed them over when they migrated from yahoo to
> freelists.
>
> Pam
>
> ******************************************
>
>
> From F-Secure
> http://f-secure.com/v-descs/bugbear_b.shtml
> NAME: Bugbear.B
> ALIAS: W32/Bugbear.B@mm, W32/Kijmo.A, I-Worm.Tanatos.B, Win32.Bugbear.B
>
>
>
> THIS VIRUS IS RANKED AS LEVEL 1 ALERT
> UNDER F-SECURE RADAR.
> For more information, see:
> http://www.F-Secure.com/products/radar/
>
>
>
>
> UPDATE (2003-06-05 15:00 GMT)
>
> F-Secure is raising the alert level on Bugbear.B (Tanatos.B) to level 1 as
> it continues to spread rapidly. The number of reported infections has
> increased drastically over the last 10 hours.
>
> UPDATE (2003-06-05 9:55 GMT)
>
> A new polymorphic virus-worm known as Bugbear.B is spreading in the wild.
> The worm sends e-mails with various contents. It uses a known vulnerability
> to execute the attachment automatically when the e-mail is opened.
>
> UPDATE (2003-06-05 7:30 GMT)
>
> A new polymorphic variant of the Bugbear worm (Bugbear.B) was found in the wild
> early morning on June 5th, 2003.
>
>
> Technical Description
>
> The worm's file is a Windows PE executable file compressed with the UPX file
> compressor and encrypted with a simple cryptoalgorithm that changes in every
> worm generation, making the worm polymorphic. The packed worm's file size is
> 72192 bytes, the unpacked size is over 170 kilobytes.
>
>
> Installation to system
>
> When the worm's file is run, it installs itself to the system by infecting files
> of several popular applications and system tools. The following files in the
> Program Files and Windows folders are infected:
>
>
>  %ProgramFilesDir%\winzip\winzip32.exe
>  %ProgramFilesDir%\kazaa\kazaa.exe
>  %ProgramFilesDir%\ICQ\Icq.exe
>  %ProgramFilesDir%\DAP\DAP.exe
>  %ProgramFilesDir%\Winamp\winamp.exe
>  %ProgramFilesDir%\AIM95\aim.exe
>  %ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
>  %ProgramFilesDir%\Trillian\Trillian.exe
>  %ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
>  %ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
>  %ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
>  %ProgramFilesDir%\WS_FTP\WS_FTP95.exe
>  %ProgramFilesDir%\MSN Messenger\msnmsgr.exe
>  %ProgramFilesDir%\ACDSee32\ACDSee32.exe
>  %ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
>  %ProgramFilesDir%\CuteFTP\cutftp32.exe
>  %ProgramFilesDir%\Far\Far.exe
>  %ProgramFilesDir%\Outlook Express\msimn.exe
>  %ProgramFilesDir%\Real\RealPlayer\realplay.exe
>  %ProgramFilesDir%\Windows Media Player\mplayer2.exe
>  %ProgramFilesDir%\WinRAR\WinRAR.exe
>  %ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
>  %ProgramFilesDir%\Internet Explorer\iexplore.exe
>  %WinDir%\winhelp.exe
>  %WinDir%\notepad.exe
>  %WinDir%\hh.exe
>  %WinDir%\mplayer.exe
>  %WinDir%\regedit.exe
>  %WinDir%\scandskw.exe
>
> where %ProgramFilesDir% is the Program Files directory and %WinDir% is the Windows
> directory.
>
> The worm can also drop its file to the Startup folder with a random name or as
> SETUP.EXE, so it will be activated on the next system restart. Additionally the
> worm drops a keylogging component in the Windows System directory with a random
> name and DLL extension. The name can be MGLKCKK.DLL for example. Also the
> worm creates 2 additional files in the Windows System folder where it stores its
> data in encrypted form.
>
>
> Spreading in e-mails
>
> The worm spreads in e-mail messages. It has its own SMTP engine. To find
> e-mail addresses the worm looks for files with the following names and
> extensions:
>
>
>  .ODS
>  .MMF
>  .NCH
>  .MBX
>  .EML
>  .TBB
>  .DBX
>  INBOX
>
> Some of these files are e-mail databases and contain a lot of e-mail
> addresses. The worm sends itself to all found addresses. However, it avoids
> sending itself to e-mail addresses containing any of the following:
>
>
>  remove
>  spam
>  undisclosed
>  recipients
>  noreply
>  lyris
>  virus
>  trojan
>  mailer-daemon
>  postmaster@
>  root@
>  nobody@
>  localhost
>  localdomain
>  list
>  talk
>  ticket
>  majordom
>
> The subject of an infected message is either taken from random files on an
> infected computer or selected from the following list:
>
>
>  Greets!
>  Get 8 FREE issues - no risk!
>  Hi!
>  Your News Alert
>  $150 FREE Bonus!
>  Re:
>  Your Gift
>  New bonus in your cash account
>  Tools For Your Online Business
>  Daily Email Reminder
>  News
>  free shipping!
>  its easy
>  Warning!
>  SCAM alert!!!
>  Sponsors needed
>  new reading
>  CALL FOR INFORMATION!
>  25 merchants and rising
>  Cows
>  My eBay ads
>  empty account
>  Market Update Report
>  click on this!
>  fantastic
>  wow!
>  bad news
>  Lost & Found
>  New Contests
>  Today Only
>  Get a FREE gift!
>  Membership Confirmation
>  Report
>  Please Help...
>  Stats
>  I need help about script!!!
>  Interesting...
>  Introduction
>  various
>  Announcement
>  history screen
>  Correction of errors
>  Just a reminder
>  Payment notices
>  hmm..
>  update
>  Hello!
>
> The body of an infected message can be empty or it can contain text from a
> random file on an infected computer. The body of an infected message can
> contain an IFrame exploit. It allows the worm to run automatically on some
> computers when an infected e-mail is viewed (for example, with Outlook and
> IE 5.0 or 5.01). This vulnerability is fixed and a patch for it is available
> on the Microsoft site:
>
>
> http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
>
>
> The attachment name can be SETUP.EXE or it can contain one of the following
> strings:
>
>
>  readme
>  Setup
>  Card
>  Docs
>  news
>  image
>  images
>  pics
>  resume
>  photo
>  video
>  music
>  song
>  data
>
> The worm can also "borrow" a name from a random file on an infected
> computer. The extension of an infected attachment is selected from the
> following list:
>
>
>  exe
>  scr
>  pif
>
> In case the worm used a file's name from an infected computer, the worm's
> attachment can have 2 or more extensions, for example DOCUMENT.DOC.EXE. The
> worm checks the extension of the file it borrows the name from and sets the
> content type of its attachment in an infected message accordingly.
>
> Extensions the worm checks:
>
>
>  reg
>  ini
>  bat
>  h
>  diz
>  txt
>  cpp
>  c
>  html
>  htm
>  jpeg
>  jpg
>  gif
>  cpl
>  dll
>  vxd
>  sys
>  com
>  exe
>  bmp
>
> Worm's attachment content types:
>
>
>  image/gif
>  image/jpeg
>  application/octet-stream
>  text/plain
>  text/html
>
> The worm fakes the sender's e-mail address, so if you receive an infected
> message, please do not reply to it, as it will most likely go to a person
> whose computer is not infected by the worm.
>
>
> Spreading in local network
>
> The worm has the ability to infect remote computers over a local network. It
> waits for some time before starting its infection cycle and then enumerates
> network shares, connects to them and tries to infect the following files in
> the Program Files and Windows folders on remote computers:
>
>
>  %ProgramFilesDir%\winzip\winzip32.exe
>  %ProgramFilesDir%\kazaa\kazaa.exe
>  %ProgramFilesDir%\ICQ\Icq.exe
>  %ProgramFilesDir%\DAP\DAP.exe
>  %ProgramFilesDir%\Winamp\winamp.exe
>  %ProgramFilesDir%\AIM95\aim.exe
>  %ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
>  %ProgramFilesDir%\Trillian\Trillian.exe
>  %ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
>  %ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
>  %ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
>  %ProgramFilesDir%\WS_FTP\WS_FTP95.exe
>  %ProgramFilesDir%\MSN Messenger\msnmsgr.exe
>  %ProgramFilesDir%\ACDSee32\ACDSee32.exe
>  %ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
>  %ProgramFilesDir%\CuteFTP\cutftp32.exe
>  %ProgramFilesDir%\Far\Far.exe
>  %ProgramFilesDir%\Outlook Express\msimn.exe
>  %ProgramFilesDir%\Real\RealPlayer\realplay.exe
>  %ProgramFilesDir%\Windows Media Player\mplayer2.exe
>  %ProgramFilesDir%\WinRAR\WinRAR.exe
>  %ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
>  %ProgramFilesDir%\Internet Explorer\iexplore.exe
>  %WinDir%\winhelp.exe
>  %WinDir%\notepad.exe
>  %WinDir%\hh.exe
>  %WinDir%\mplayer.exe
>  %WinDir%\regedit.exe
>  %WinDir%\scandskw.exe
>
> where %ProgramFilesDir% is the Program Files directory and %WinDir% is the Windows
> directory.
>
> Also the worm tries to locate the common Startup folder on remote computers and
> copies itself there as SETUP.EXE or with a random name and .EXE extension.
>
> As a result remote computers will become infected either after restart or
> after a user there runs an infected file.
>
>
> Killing processes
>
> The worm kills processes of certain anti-virus, security and other programs.
> It lists active processes every 20 seconds and terminates processes whose
> file names match any of the following:
>
>
>  _AVP32.EXE
>  _AVPCC.EXE
>  _AVPM.EXE
>  ACKWIN32.EXE
>  ANTI-TROJAN.EXE
>  APVXDWIN.EXE
>  AUTODOWN.EXE
>  AVCONSOL.EXE
>  AVE32.EXE
>  AVGCTRL.EXE
>  AVKSERV.EXE
>  AVNT.EXE
>  AVP.EXE
>  AVP32.EXE
>  AVPCC.EXE
>  AVPDOS32.EXE
>  AVPM.EXE
>  AVPTC32.EXE
>  AVPUPD.EXE
>  AVSCHED32.EXE
>  AVWIN95.EXE
>  AVWUPD32.EXE
>  BLACKD.EXE
>  BLACKICE.EXE
>  CFIADMIN.EXE
>  CFIAUDIT.EXE
>  CFINET.EXE
>  CFINET32.EXE
>  CLAW95.EXE
>  CLAW95CF.EXE
>  CLEANER.EXE
>  CLEANER3.EXE
>  DVP95.EXE
>  DVP95_0.EXE
>  ECENGINE.EXE
>  ESAFE.EXE
>  ESPWATCH.EXE
>  F-AGNT95.EXE
>  F-PROT.EXE
>  F-PROT95.EXE
>  F-STOPW.EXE
>  FINDVIRU.EXE
>  FP-WIN.EXE
>  FPROT.EXE
>  FRW.EXE
>  IAMAPP.EXE
>  IAMSERV.EXE
>  IBMASN.EXE
>  IBMAVSP.EXE
>  ICLOAD95.EXE
>  ICLOADNT.EXE
>  ICMON.EXE
>  ICSUPP95.EXE
>  ICSUPPNT.EXE
>  IFACE.EXE
>  IOMON98.EXE
>  JEDI.EXE
>  LOCKDOWN2000.EXE
>  LOOKOUT.EXE
>  LUALL.EXE
>  MOOLIVE.EXE
>  MPFTRAY.EXE
>  N32SCANW.EXE
>  NAVAPW32.EXE
>  NAVLU32.EXE
>  NAVNT.EXE
>  NAVW32.EXE
>  NAVWNT.EXE
>  NISUM.EXE
>  NMAIN.EXE
>  NORMIST.EXE
>  NUPGRADE.EXE
>  NVC95.EXE
>  OUTPOST.EXE
>  PADMIN.EXE
>  PAVCL.EXE
>  PAVSCHED.EXE
>  PAVW.EXE
>  PCCWIN98.EXE
>  PCFWALLICON.EXE
>  PERSFW.EXE
>  RAV7.EXE
>  RAV7WIN.EXE
>  RESCUE.EXE
>  SAFEWEB.EXE
>  SCAN32.EXE
>  SCAN95.EXE
>  SCANPM.EXE
>  SCRSCAN.EXE
>  SERV95.EXE
>  SMC.EXE
>  SPHINX.EXE
>  SWEEP95.EXE
>  TBSCAN.EXE
>  TCA.EXE
>  TDS2-98.EXE
>  TDS2-NT.EXE
>  VET95.EXE
>  VETTRAY.EXE
>  VSCAN40.EXE
>  VSECOMR.EXE
>  VSHWIN32.EXE
>  VSSTAT.EXE
>  WEBSCANX.EXE
>  WFINDV32.EXE
>  ZONEALARM.EXE
>
> The worm has separate process killing routines for Windows 9x and Windows
> NT-based operating systems.
>
>
> Affecting bank computers
>
> The worm has a large list of domains belonging mostly to banks. At startup
> the worm checks the domain name of an infected computer and then compares it
> to its internal list. If the domain name matches, the worm enables the
> AutoDial feature on an infected computer by modifying the following Registry
> key:
>
>
>  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
>  "EnableAutodial"=dword:00000001
>
> The list of bank domains that the worm has includes banks from many
> different countries: France, UK, Germany, Australia, Italy, Greece, Denmark,
> New Zealand, Spain, Brazil, Romania, Poland, Argentina, Switzerland,
> Finland, Taiwan, Turkey, Iceland, Slovakia, Korea, USA, South Africa, Baltic
> Republics, Austria, Hungary, Norway, Czech Republic and some other
> countries.
>
>
> Side Effect
>
> According to reports, network printers start to print a lot of garbage when
> the worm spreads in a network. This might be a side-effect of the worm's
> attempts to infect a network.
>
>
> Backdoor component
>
> The worm has a backdoor component similar to the one used in its previous
> version. The backdoor listens on TCP port 1080 for commands from a remote
> host. A hacker can connect to the backdoor and perform the following actions:
>
>
>
>  - get information about infected computer
>  - upload and download files
>  - start files
>  - delete files
>  - terminate processes
>  - get process list
>  - start keylogger
>  - start HTTP server on a selected port
> ++ There is more on the web site.
>
> =================
> More information
> From Sophos Alert System:
> More information about W32/Bugbear-B can be found at
> http://www.sophos.com/virusinfo/analyses/w32bugbearb.html
>
> From Trend Micro
> For more information on PE_BUGBEAR.B please visit our Web sites at:
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A
>
> From MessageLabs
> For further information, please visit the MessageLabs website at:
> http://www.messagelabs.com and
>
> http://www.messagelabs.com/viruseye/info/default.asp?frompage=introduction&fromurl=%2Fviruseye%2Fintro%2Fdefault%2Easp&virusname=W32%2FBugBear%2EB%2Dmm
>
> From Kaspersky Labs
> For details describing Tanatos.a and Tanatos.b, please go to the
> Kaspersky Virus Encyclopedia at:
> http://www.viruslist.com/eng/viruslist.html?id=52245
>
> From Symantec
> W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a
> mass-mailing worm that also spreads through network shares.
> The worm is polymorphic and also infects a select list of executable files.
> The worm has keystroke-logging and backdoor capabilities and also attempts
> to terminate the processes of various antivirus and firewall programs.
> http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@xxxxxxx
>
> Symantec Removal tool
>
> http://www.symantec.com/avcenter/venc/data/w32.bugbear@xxxxxxxxxxxxxxxxxxxx
>
>
>
> ~*~*~*~*~
> To subscribe to our list send an email
> to hackfix-virushelp-request@xxxxxxxxxxxxx?Subject=subscribe.
>
> For a complete list of email commands for our list send
> an email to ecartis@xxxxxxxxxxxxx with a subject line of
> "info hackfix-virushelp" without the quotes.
> ~*~*~*~*~
>

To unsubscribe from this list send an email to
pcductape-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
OR by logging into the Web interface. 
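The e-mail traits the forwarded advisory lists (an exe/scr/pif attachment, a borrowed name giving a double extension such as DOCUMENT.DOC.EXE, a content type chosen to match the borrowed extension rather than the executable inside, and the IFrame in the HTML body) are what a mail gateway can key on to stop re-infection by mail. The following is an added example, not code from F-Secure, Symantec or this list: a Python triage routine that applies exactly those rules to a raw message. The indicator names, the quarantine/flag/deliver policy and the assumption that legitimate inbound mail carries no IFrame are mine, and the two sample messages are constructed for the example, not captured worm mail.

```python
"""Mail-gateway triage for the Bugbear.B e-mail traits described above.

Added example for this page, not code from F-Secure, Symantec or the list.
The rules encode only what the advisory states: attachment extensions
exe/scr/pif, a borrowed file name giving a double extension, a declared
content type matching the borrowed extension instead of the executable,
and an IFRAME in the HTML body. Indicator names, the verdict policy and
the sample messages are constructed here, not taken from captured mail.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

EXEC_EXTS = {"exe", "scr", "pif"}              # extensions the worm uses
# content types the worm picks from the borrowed file's extension
SPOOFABLE_TYPES = {"image/gif", "image/jpeg", "text/plain", "text/html"}
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)
# indicators strong enough on their own to quarantine (policy assumption)
STRONG = {"double-extension", "content-type-mismatch", "pe-header-under",
          "iframe-in-html-body"}


def attachment_findings(filename: str, ctype: str, payload: bytes) -> List[str]:
    """Return the indicators one attachment triggers (empty list if none)."""
    findings = []
    pieces = filename.lower().split(".")
    if pieces[-1] in EXEC_EXTS:
        findings.append("exec-extension:" + filename)
        if len(pieces) > 2:                     # DOCUMENT.DOC.EXE style name
            findings.append("double-extension:" + filename)
        if ctype in SPOOFABLE_TYPES:            # image/jpeg declared on a .EXE
            findings.append("content-type-mismatch:" + ctype)
    # a PE image (MZ header) under a non-application type is never legitimate
    if payload[:2] == b"MZ" and not ctype.startswith("application/"):
        findings.append("pe-header-under:" + ctype)
    return findings


def analyze(raw: bytes) -> List[str]:
    """Walk one raw RFC 822 message and collect every indicator it triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            findings.extend(attachment_findings(filename, ctype, payload))
        elif ctype == "text/html" and IFRAME_RE.search(part.get_content()):
            # the auto-run trick needs an IFRAME in the body; assumption:
            # legitimate inbound mail here carries none, so any is suspect
            findings.append("iframe-in-html-body")
    return findings


def verdict(findings: List[str]) -> str:
    """Map indicators to an action: quarantine, flag for review, or deliver."""
    if any(f.split(":", 1)[0] in STRONG for f in findings):
        return "quarantine"
    return "flag" if findings else "deliver"


def build_worm_like_sample() -> bytes:
    """Constructed message showing the traits above (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"        # the worm forges this header
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Your Gift"              # one of the listed subjects
    msg.set_content('<html><body><iframe src="cid:part1"></iframe></body></html>',
                    subtype="html")
    # borrowed name DOCUMENT.JPG plus .EXE, declared as the borrowed type
    msg.add_attachment(b"MZ" + bytes(62), maintype="image", subtype="jpeg",
                       filename="DOCUMENT.JPG.EXE")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed ordinary message with a genuine GIF attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Report"
    msg.set_content("Chart attached.")
    msg.add_attachment(b"GIF89a" + bytes(16), maintype="image", subtype="gif",
                       filename="chart.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("worm-like", build_worm_like_sample()),
                      ("clean", build_clean_sample())):
        found = analyze(raw)
        print(name, verdict(found), found)
```

A lone exe/scr/pif attachment only gets "flag" here because the policy is a choice, not something the advisory dictates; many sites in this period simply blocked those three extensions at the gateway outright, which is the simpler and stronger rule. The MZ check is the one that does not depend on the sender's naming at all, since the worm controls the filename and the declared content type but not the header of its own executable.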
