Virus Alert: Subject: W32/Bugbear

Aliases: Bugbear, NATOSTA.A, Tanat, W32/Tanat, I-Worm.Tanatos
Threat level: 2 (New virus causing large infections. Might be local to a specific region.)
Type: Win32 worm
Size: 50.688 KB
Platform: Microsoft Windows 95/98/NT/2000/XP
Discovered: September 30, 2002

Description:
------------
Worm/Tanatos is an Internet worm packed with UPX that attempts to spread through e-mail and shared network drives.

If executed, the worm copies itself on Windows 9x systems into the \windows\%system% directory under the filename "DFAV.EXE" (the four characters in the filename are random). On Windows 2000 systems it copies itself into the \winnt\system32 directory under the filename "DFAV.EXE" (the four characters in the filename are random). Additionally, the worm creates the files "vkgvuaa.dll" (5.632 bytes, with a randomly selected filename) and "xgoxmaa.dll" (random filename and size; a logfile). The file "WCA.EXE" (50.688 bytes; the filename is random) also gets added to C:\Windows\Start Menu\Programs\Startup\.

So that it gets run each time a user restarts their computer, the following registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
bta=DFAV.EXE

The registry name "bta" can be random. The worm creates C:\Windows\YesYia.dat (2 bytes, with a random filename).

Payload:
Worm/Tanatos tries to terminate a long list of security application processes (antivirus software, firewall applications). It will also open TCP port 36794. By doing so, it potentially allows remote administration of the infected computer.

References:
Information borrowed from "CENTRALCOMMAND.COM Vexira Antivirus". The full virus description can be read at:
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020930-000024>

~~~ F-Secure
http://www.europe.f-secure.com/v-descs/tanatos.shtml
Tanatos is a mass-mailing worm with keylogging and backdoor capabilities. It appeared in the wild on the 30th of September 2002. The worm's file is a PE EXE (portable executable), 50688 bytes long, and it is compressed with the UPX file compressor.

~~~ Trend
<http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=a&virus=W32%2FBugbear&alt=Bugbear&key=&payload=&type=&day=&month=&year=&wkday=>

~~~~ McAfee
http://www.mcafee.com/anti-virus/viruses/bugbear/

~~~~ Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www.mwn.ca/
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>

- Users can unsubscribe from this list by sending email to 24hoursupport-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the Web interface at http://web.tampabay.rr.com/spider1/24hrsupport.htm.
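As an added triage example (not part of this alert or of any vendor's tools), the Python below checks a registry export and netstat output for the persistence and backdoor indicators listed above; the sample inputs and the function names are constructed for illustration.

```python
import re
# Indicators quoted from the alert above: a four-random-character .EXE, a RunOnce
# value (random name) that launches it, and a TCP listener on port 36794.
BACKDOOR_PORT = 36794
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
# Heuristic: optional path, then exactly four letters and ".EXE". Short legitimate
# names can match too, so hits are triage leads, not verdicts.
DROPPED_EXE = re.compile(r"^(?:.*\\)?[A-Za-z]{4}\.EXE$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a minimal .reg-style export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def suspicious_runonce_values(reg_text):
    """Return (value_name, data) pairs under RunOnce that match the dropped-file pattern."""
    values = parse_reg_export(reg_text).get(RUNONCE_KEY, {})
    return [(n, d) for n, d in values.items() if DROPPED_EXE.match(d)]

def backdoor_listener_present(netstat_text, port=BACKDOOR_PORT):
    """True if a line of 'netstat -an' output shows a TCP listener on the port."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[-1].upper() == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                return True
    return False

# Constructed sample inputs (hypothetical, not captured from a real host).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"bta"="DFAV.EXE"
"Setup"="C:\\WINDOWS\\system32\\setup.exe /restart"
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
"""
if __name__ == "__main__":
    print("RunOnce hits:", suspicious_runonce_values(SAMPLE_REG))
    print("Backdoor port listening:", backdoor_listener_present(SAMPLE_NETSTAT))
```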