[virusinfo] Sophos Anti-Virus IDE alert: W32/Bugbear-E

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 06 Apr 2004 13:05:25 -0700

From: Sophos Alert System:

Name: W32/Bugbear-E
Aliases: W32/Bugbear.gen@MM, W32.Bugbear.E@mm
Type: Win32 worm
Date: 6 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2004 (3.81) release of Sophos Anti-Virus.

Enterprise Manager and PureMessage customers will be
automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/Bugbear-E can be found at:
http://www.sophos.com/virusinfo/analyses/w32bugbeare.html
Description 
W32/Bugbear-E is a worm that spreads using its own SMTP engine by emailing
itself to the addresses found within files on the local computer whose names
contain the string "inbox", or have an extension of DBX, TBB, EML, MBX, NCH,
MMF or ODS. 
W32/Bugbear-E may arrive in email with a subject line chosen from -
Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
good news!
Your News Alert
Greets! 

The attached file can have the same filename as another file on the
victim's computer, will have an extension of SCR, EXE, PIF or ZIP and may
have a double extension.

Attachments with an extension of SCR, EXE or PIF attempt to exploit a known
vulnerability in Microsoft Internet Explorer 5.01/5.5, so that the
attachment is run automatically when the email message is opened. See
Microsoft Security Bulletin MS01-027. 

Attachments with a ZIP extension contain zipped HTML with a base64 encoded
version of the worm that attempts to exploit the codebase vulnerability
associated with Microsoft Internet Explorer to decode and run the worm
automatically when the HTML file is opened. 

When first run W32/Bugbear-E copies itself to the Windows System folder,
using a randomly-generated filename and adds the pathname of this copy to a
new random sub-key of the following registry entry to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Bugbear-E creates three DLL files with random names in the Windows
system folder. One provides keylogging functionality and is detected as
W32/Bugbear-B. 

W32/Bugbear-E also logs keystrokes, clipboard text and window text and
emails this data to a remote account. 

W32/Bugbear-E attempts to terminate a number of processes related to the
following anti-virus and security applications:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NEALARM.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE

Recovery
Please follow the instructions for removing worms

Download the IDE file from:
http://www.sophos.com/downloads/ide/bbear-e.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
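Added example (editor's code, not part of Mike's post or the Sophos advisory): a small mail-gateway check that applies the indicators the advisory lists for W32/Bugbear-E, namely the lure subject lines, attachments with an SCR, EXE, PIF or ZIP extension, and double extensions, to constructed sample messages. The sample addresses and attachment bytes are made up for the demonstration, and the block/review/pass policy is an assumption about a sensible gateway rule, not something the advisory prescribes.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Subject lines copied from the Sophos advisory above, compared case-insensitively.
LURE_SUBJECTS = {s.casefold() for s in [
    "Hello!", "update", "Payment notices", "Just a reminder", "Correction of errors",
    "history screen", "Announcement", "various", "Introduction", "Interesting...",
    "I need help about script!!!", "Please Help...", "Report", "Membership Confirmation",
    "Today Only", "New Contests", "Lost & Found", "bad news", "fantastic", "click on this!",
    "Market Update Report", "empty account", "My eBay ads", "25 merchants and rising",
    "CALL FOR INFORMATION!", "new reading", "Sponsors needed", "SCAM alert!!!", "Warning!",
    "its easy", "free shipping!", "Daily Email Reminder", "Tools For Your Online Business",
    "New bonus in your cash account", "Your Gift", "good news!", "Your News Alert", "Greets!",
]}

# The advisory says SCR/EXE/PIF attachments use the MS01-027 auto-run vector,
# while ZIP attachments carry HTML with a base64-encoded copy of the worm.
AUTORUN_EXTENSIONS = {".scr", ".exe", ".pif"}
ARCHIVE_EXTENSIONS = {".zip"}


def suspicious_attachment(filename):
    """Return the list of advisory indicators an attachment filename matches."""
    root, ext = os.path.splitext(filename.strip().lower())
    reasons = []
    if ext not in AUTORUN_EXTENSIONS | ARCHIVE_EXTENSIONS:
        return reasons
    _, inner_ext = os.path.splitext(root)
    if inner_ext:  # e.g. "invoice.doc.scr": the advisory warns of double extensions
        reasons.append(f"double extension {inner_ext}{ext}")
    if ext in AUTORUN_EXTENSIONS:
        reasons.append(f"executable attachment {ext}")
    else:
        reasons.append(f"archive attachment {ext}")
    return reasons


def classify_message(raw):
    """Parse an RFC 822 message and decide block / review / pass (assumed policy)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    subject_hit = subject.casefold() in LURE_SUBJECTS

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            reasons = suspicious_attachment(name)
            if reasons:
                attachments.append({"filename": name, "reasons": reasons})

    all_reasons = [r for a in attachments for r in a["reasons"]]
    if any(r.startswith(("executable", "double")) for r in all_reasons):
        verdict = "block"    # auto-run extension or double extension: stop it outright
    elif attachments and subject_hit:
        verdict = "review"   # plain ZIP plus a listed lure subject: hold for a human
    else:
        verdict = "pass"
    return {"verdict": verdict, "subject_hit": subject_hit, "attachments": attachments}


def build_sample(subject, attachment_name=None):
    """Construct a sample message (addresses and payload bytes are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attachment_name:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        ("Market Update Report", "invoice.doc.scr"),  # lure subject + double extension
        ("Just a reminder", "photos.zip"),            # lure subject + ZIP
        ("Meeting notes", "notes.pdf"),               # ordinary mail
    ]
    for subject, attachment in samples:
        result = classify_message(build_sample(subject, attachment))
        print(f"{subject!r:28} {attachment!r:20} -> {result['verdict']}")
```

The subject list on its own is a weak signal (several entries such as "update" or "Report" are ordinary business subjects), so the check only uses it to escalate a ZIP attachment; the executable and double-extension indicators are treated as sufficient by themselves.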