From: Sophos Alert System

Name: W32/Bugbear-E
Aliases: W32/Bugbear.gen@MM, W32.Bugbear.E@mm
Type: Win32 worm
Date: 6 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Information about W32/Bugbear-E can be found at:
http://www.sophos.com/virusinfo/analyses/w32bugbeare.html

Description

W32/Bugbear-E is a worm that spreads using its own SMTP engine by emailing itself to the addresses found within files on the local computer whose names contain the string "inbox", or have an extension of DBX, TBB, EML, MBX, NCH, MMF or ODS.

W32/Bugbear-E may arrive in email with a subject line chosen from:

Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
good news!
Your News Alert
Greets!

The attached file can have the same filename as another file on the victim's computer, will have an extension of SCR, EXE, PIF or ZIP and may have a double extension.

Attachments with an extension of SCR, EXE or PIF attempt to exploit a known vulnerability in Microsoft Internet Explorer 5.01/5.5, so that the attachment is run automatically when the email message is opened. See Microsoft Security Bulletin MS01-027.

Attachments with a ZIP extension contain zipped HTML with a base64 encoded version of the worm that attempts to exploit the codebase vulnerability associated with Microsoft Internet Explorer to decode and run the worm automatically when the HTML file is opened.

When first run W32/Bugbear-E copies itself to the Windows System folder, using a randomly-generated filename, and adds the pathname of this copy to a new random sub-key of the following registry entry to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Bugbear-E creates three DLL files with random names in the Windows system folder. One provides keylogging functionality and is detected as W32/Bugbear-B. W32/Bugbear-E also logs keystrokes, clipboard text and window text and emails this data to a remote account.

W32/Bugbear-E attempts to terminate a number of processes related to the following anti-virus and security applications:

_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ANTI-TROJAN.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE
AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE
AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE
CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE
DVP95.EXE DVP95_0.EXE ECENGINE.EXE ESAFE.EXE ESPWATCH.EXE F-AGNT95.EXE FINDVIRU.EXE FPROT.EXE
F-PROT.EXE F-PROT95.EXE FP-WIN.EXE FRW.EXE F-STOPW.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE
IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE IOMON98.EXE
JEDI.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCANW.EXE NAVAPW32.EXE
NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NEALARM.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE
NUPGRADE.EXE NVC95.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE
PCFWALLICON.EXE PERSFW.EXE RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE
SCANPM.EXE SCRSCAN.EXE SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE
TDS2-98.EXE TDS2-NT.EXE VET95.EXE VETTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSSTAT.EXE
WEBSCANX.EXE WFINDV32.EXE

Recovery

Please follow the instructions for removing worms.

Download the IDE file from:
http://www.sophos.com/downloads/ide/bbear-e.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
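As an added example (not part of the Sophos advisory or of Mike's post), the following Python script applies the advisory's email indicators to a raw message: a subject line from the worm's list, an attachment with an SCR, EXE, PIF or ZIP extension, and a double extension on the attachment name. The sample messages are constructed inline for the demonstration; the function names and the double-extension heuristic are my own assumptions, and a matching subject line on its own is a weak signal because several of the listed subjects are ordinary phrases.

```python
"""Triage a raw RFC 822 message for the W32/Bugbear-E email indicators.

Added example, not Sophos code. Uses only the standard library so it can
run offline against an exported .eml file or a mailbox dump.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the advisory, compared case-insensitively.
BUGBEAR_SUBJECTS = {s.lower() for s in [
    "Hello!", "update", "Payment notices", "Just a reminder",
    "Correction of errors", "history screen", "Announcement", "various",
    "Introduction", "Interesting...", "I need help about script!!!",
    "Please Help...", "Report", "Membership Confirmation", "Today Only",
    "New Contests", "Lost & Found", "bad news", "fantastic", "click on this!",
    "Market Update Report", "empty account", "My eBay ads",
    "25 merchants and rising", "CALL FOR INFORMATION!", "new reading",
    "Sponsors needed", "SCAM alert!!!", "Warning!", "its easy",
    "free shipping!", "Daily Email Reminder", "Tools For Your Online Business",
    "New bonus in your cash account", "Your Gift", "good news!",
    "Your News Alert", "Greets!",
]}

# Attachment extensions named in the advisory.
RISKY_EXTENSIONS = {"scr", "exe", "pif", "zip"}


def attachment_findings(filename: str) -> list[str]:
    """Return the reasons an attachment name looks like the worm's attachments."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []
    reasons = []
    ext = parts[-1]
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable-type extension .{ext}")
    # Heuristic (my assumption): a short inner extension such as "doc" in
    # "invoice.doc.scr" is the double-extension trick the advisory mentions.
    if len(parts) >= 3 and parts[-2].isalnum() and len(parts[-2]) <= 4:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Parse one raw message and report which advisory indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    findings = {
        "subject_match": subject.lower() in BUGBEAR_SUBJECTS,
        "attachments": {},
    }
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            reasons = attachment_findings(name)
            if reasons:
                findings["attachments"][name] = reasons
    findings["suspicious"] = findings["subject_match"] or bool(findings["attachments"])
    return findings


def build_sample(subject: str, attachment_name: str) -> bytes:
    """Construct a sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "you@example.test"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    # Constructed placeholder bytes; no real executable content.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Membership Confirmation", "readme.txt.scr"),
                       ("Lunch on Friday?", "agenda.pdf")]:
        print(subj, name, triage_message(build_sample(subj, name)))
```

To run it over a mailbox export, feed each message's bytes to triage_message and act on the "suspicious" flag; the per-attachment reasons are there so an analyst can see whether it was the extension, the double extension, or only the subject that fired.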