[24hoursupport] Virus Alert: Subject: W32/Bugbear

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: 24hoursupport@xxxxxxxxxxxxx
  • Date: Mon, 30 Sep 2002 14:23:10 -0700


Virus Alert: Subject: W32/Bugbear

Aliases; Bugbear, NATOSTA.A, Tanat, W32/Tanat, I-Worm.Tanatos

 Threat level 2 
(New virus causing large infections. Might be local to a specific region.)

Win32 worm 
Size: 50.688 KB
Platform: Microsoft Windows 95/98/NT/2000/XP
Discovered: September 30, 2002

Worm/Tanatos is an Internet worm packed with UPX that attempts 
to spread through e-mail and shared network drives. 

If executed, the worm copies itself within Windows 9x systems in the
\windows\%system% directory under the filename "DFAV.EXE" 
(the four characters in the filename are random). 
The worm copies itself within Windows 2k systems in the 
\winnt\system32 directory under the filename
"DFAV.EXE" (the four characters in the filename are random). 
Additionally, the files "vkgvuaa.dll" (5.632 bytes with randomly 
selected filename) and "xgoxmaa.dll" 
(randomly filename and size (logfile)). Also, the file
"WCA.EXE" (50.688 Bytes and filename is random) gets added in the
C:\Windows\Start Menu\Programs\Startup\. 

So that it gets run each time a user restart their computer the following
registry key gets added:


The registry name "bta" can be random.

The worm creates C:\Windows\YesYia.dat (2 bytes with randomly filename). 

Worm/Tanatos tries to terminate a long list of security application
processes (antivirus software, firewall applications). It will also open a
TCP port 36794. By doing so, this potentially allows remote administration
on the infected computer.

Information borrowed from  "CENTRALCOMMAND.COM  Vexira Antivirus" 
Full virus description can be read at:

Tanatos is a mass-mailing worm with keylogging and backdoor capabilties. It
appeared in the wild on 30th of September 2002. The worm's file is a PE EXE
(portable executable), 50688 bytes long and it is compressed with UPX file


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
See my Anti-Virus pages ~ http://virusinfo.hackfix.org 

- Users can unsubscribe from this list by sending email to 
24hoursupport-request@xxxxxxxxxxxxx with 'unsubscribe' in the 
Subject field OR by logging into the Web interface at

Other related posts:

  • » [24hoursupport] Virus Alert: Subject: W32/Bugbear