FRISK Software International


Summary of W32/Bugbear.A@mm
Alias: I-Worm.Tanatos
Length: 50,688 bytes
Discovered: 30 Sep 2002
Definition files: 30 Sep 2002
Payload: Infected systems can be compromised using the backdoor capability of the worm.
 

Brief Description
W32/Bugbear@mm is a mass-mailing worm with keylogging and backdoor capabilities. It appeared in the wild on 30 September 2002. The worm's file is a PE EXE (portable executable), 50688 bytes long, compressed with the UPX file compressor.


Technical Description
When run, the worm copies itself to the Windows System directory under a random name (JFMV.EXE, for example) and adds a startup key for this file to the Registry:
 [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
The worm also drops its keylogging component as a DLL file with a randomly generated name (ZLQPUPP.DLL, for example) in the Windows System folder. It creates two more DLL files in which it stores some encrypted data, and two randomly named DAT files in the root Windows folder.

The worm spreads in e-mail messages as an attachment with a randomly generated name and one or more extensions. The subjects and bodies of infected e-mails also vary. The mass-mailing routine is quite complex.

The worm's messages can contain the IFrame exploit, which allows the worm to run automatically on some computers when an infected e-mail is merely viewed (for example, with Outlook and IE 5.0 or 5.01). This vulnerability has been fixed and a patch for it is available on Microsoft's site:

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

The worm looks for e-mail addresses in INBOX (the Netscape incoming e-mail database) and in files with the following extensions:

 .ODS
 .MMF
 .NCH
 .MBX
 .EML
 .TBB
 .DBX
Sometimes the worm picks up e-mail messages from the infected user's mail database and sends them out with its copy attached. The worm can also place the contents of a random text file from the infected hard drive into an infected message's body. The worm can send itself in a message with one of the following subjects:

 Greets!
 Get 8 FREE issues - no risk!
 Hi!
 Your News Alert
 $150 FREE Bonus!
 Re:
 Your Gift
 New bonus in your cash account
 Tools For Your Online Business
 Daily Email Reminder
 News
 free shipping!
 its easy
 Warning!
 SCAM alert!!!
 Sponsors needed
 new reading
 CALL FOR INFORMATION!
 25 merchants and rising
 Cows
 My eBay ads
 empty account
 Market Update Report
 click on this!
 fantastic
 wow!
 bad news
 Lost & Found
 New Contests
 Today Only
 Get a FREE gift!
 Membership Confirmation
 Report
 Please Help...
 Stats
 I need help about script!!!
 Interesting...
 Introduction
 various
 Announcement
 history screen
 Correction of errors
 Just a reminder
 Payment notices
 hmm..
 update
 Hello!
The worm doesn't send itself to addresses that contain the following strings (to avoid bounces and other unwanted events):

 remove
 spam
 undisclosed
 recipients
 noreply
 lyris
 virus
 trojan
 mailer-daemon
 postmaster@
 root@
 nobody@
 localhost
 localdomain
 list
 talk
 ticket
 majordom
The worm can send itself as an attachment with a double extension. The first extension can be one of the following:

 .reg
 .ini
 .bat
 .h
 .diz
 .txt
 .cpp
 .c
 .html
 .htm
 .jpeg
 .jpg
 .gif
The worm sets the content type of the infected attachment according to the first extension listed above. The content type can be one of the following:

 image/gif
 image/jpeg
 application/octet-stream
 text/plain
 text/html
The second extension of an infected attachment can be one of the following:

 .scr
 .pif
 .exe
The worm can also 'borrow' the name for its attachment from one of the files on the infected hard drive and then add an executable extension to it; for example, it can send itself as AGREEMENT.DOC.PIF. The name of an infected attachment can also contain one of the following strings:

 readme
 Setup
 Card
 Docs
 news
 image
 images
 pics
 resume
 photo
 video
 music
 song
 data
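A mail-gateway check for the attachment scheme described above (decoy first extension or borrowed document name, executable second extension, mismatched content type, decoy name strings), written here as an added Python example; it is not F-PROT code, and the sample file names it is run on are constructed.

```python
"""Attachment check for the Bugbear naming scheme (added example, not F-PROT code)."""
import os

# Lists transcribed from the description above.
FIRST_EXTS = {".reg", ".ini", ".bat", ".h", ".diz", ".txt", ".cpp", ".c",
              ".html", ".htm", ".jpeg", ".jpg", ".gif"}
EXEC_EXTS = {".scr", ".pif", ".exe"}
# Declared types the worm uses; an image or text type can never fit an executable.
DECOY_TYPES = {"image/gif", "image/jpeg", "text/plain", "text/html"}
NAME_HINTS = {"readme", "setup", "card", "docs", "news", "image", "images",
              "pics", "resume", "photo", "video", "music", "song", "data"}


def split_exts(filename):
    """Split 'AGREEMENT.DOC.PIF' into ('agreement', '.doc', '.pif')."""
    stem, last = os.path.splitext(filename.lower())
    stem, first = os.path.splitext(stem)
    return stem, first, last


def attachment_findings(filename, content_type):
    """Bugbear-style indicators present in one attachment (empty = none)."""
    stem, first, last = split_exts(filename)
    if last not in EXEC_EXTS:
        return []  # the worm's attachment always ends in .scr/.pif/.exe
    findings = []
    if first in FIRST_EXTS:
        findings.append("decoy extension %s before %s" % (first, last))
    elif first:
        findings.append("borrowed document name %s%s" % (stem, first))
    if content_type.lower() in DECOY_TYPES:
        findings.append("executable declared as %s" % content_type)
    if any(hint in stem for hint in NAME_HINTS):
        findings.append("decoy name hint in %r" % stem)
    return findings


def message_findings(attachments):
    """Indicators for all (filename, content_type) pairs of one message."""
    findings = []
    for name, ctype in attachments:
        findings += ["%s: %s" % (name, f) for f in attachment_findings(name, ctype)]
    return findings


if __name__ == "__main__":
    # Constructed samples: a worm-style attachment and a borrowed document name.
    print(message_findings([("readme.txt.scr", "text/plain")]))
    print(message_findings([("AGREEMENT.DOC.PIF", "application/octet-stream")]))
```

A single finding is only a hint; several findings on one attachment, or a listed subject plus an attachment finding, is the pattern worth quarantining.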
The worm has local network spreading capabilities. It enumerates network resources and tries to locate the \Start Menu\Programs\Startup\ folder on remote systems. If such a path is found, the worm copies itself there under a random name. When the remote system is restarted, the worm's file gets control and infects that system.

The worm continuously looks for and terminates processes with the following names:

 _AVP32.EXE
 _AVPCC.EXE
 _AVPM.EXE
 ACKWIN32.EXE
 ANTI-TROJAN.EXE
 APVXDWIN.EXE
 AUTODOWN.EXE
 AVCONSOL.EXE
 AVE32.EXE
 AVGCTRL.EXE
 AVKSERV.EXE
 AVNT.EXE
 AVP.EXE
 AVP32.EXE
 AVPCC.EXE
 AVPDOS32.EXE
 AVPM.EXE
 AVPTC32.EXE
 AVPUPD.EXE
 AVSCHED32.EXE
 AVWIN95.EXE
 AVWUPD32.EXE
 BLACKD.EXE
 BLACKICE.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 CFINET32.EXE
 CLAW95.EXE
 CLAW95CF.EXE
 CLEANER.EXE
 CLEANER3.EXE
 DVP95.EXE
 DVP95_0.EXE
 ECENGINE.EXE
 ESAFE.EXE
 ESPWATCH.EXE
 F-AGNT95.EXE
 F-PROT.EXE
 F-PROT95.EXE
 F-STOPW.EXE
 FINDVIRU.EXE
 FP-WIN.EXE
 FPROT.EXE
 FRW.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 IBMASN.EXE
 IBMAVSP.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFACE.EXE
 IOMON98.EXE
 JEDI.EXE
 LOCKDOWN2000.EXE
 LOOKOUT.EXE
 LUALL.EXE
 MOOLIVE.EXE
 MPFTRAY.EXE
 N32SCANW.EXE
 NAVAPW32.EXE
 NAVLU32.EXE
 NAVNT.EXE
 NAVW32.EXE
 NAVWNT.EXE
 NISUM.EXE
 NMAIN.EXE
 NORMIST.EXE
 NUPGRADE.EXE
 NVC95.EXE
 OUTPOST.EXE
 PADMIN.EXE
 PAVCL.EXE
 PAVSCHED.EXE
 PAVW.EXE
 PCCWIN98.EXE
 PCFWALLICON.EXE
 PERSFW.EXE
 RAV7.EXE
 RAV7WIN.EXE
 RESCUE.EXE
 SAFEWEB.EXE
 SCAN32.EXE
 SCAN95.EXE
 SCANPM.EXE
 SCRSCAN.EXE
 SERV95.EXE
 SMC.EXE
 SPHINX.EXE
 SWEEP95.EXE
 TBSCAN.EXE
 TCA.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 VET95.EXE
 VETTRAY.EXE
 VSCAN40.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSSTAT.EXE
 WEBSCANX.EXE
 WFINDV32.EXE
 ZONEALARM.EXE
The worm uses separate process-killing routines for Windows 9x- and NT-based systems. In most cases it effectively disables security and anti-virus software that fails to detect it as it enters the system.

The worm listens on port 36794 and, via an internal backdoor component, can provide access to the infected system and to the network it is connected to. The backdoor component allows an attacker to access the infected system through a web-based interface: the worm generates HTML pages on the fly when the attacker browses directories on the infected remote computer.

The worm contains several icons in GIF format that it uses to mark the type of remote drives and files. The backdoor component also allows an attacker to browse the shared network resources that the infected computer has access to; the worm uses icons to identify these network resources as well.

The backdoor gives an attacker a degree of control over, and information about, the infected system: the operating system (if it is Windows-based), fixed and network drives, and the ability to list and kill processes. It can also delete, download, copy and execute files on the host.

The worm has password-stealing capabilities. It installs a keylogging component on the system, records keystrokes and saves them to a file. The worm then sends this file to a few e-mail addresses that are stored in encrypted form in its body. The SMTP server names the worm uses to send the files are also stored in encrypted form in the worm's body.

According to reports, network printers start printing a lot of garbage when the worm infects a network. This might be a side effect of the worm's attempts to infect the network.



Removal Instructions
To remove the worm from a system it is enough to delete all of its files from the hard drive and restart the computer. In a network environment, the network should be temporarily taken down and all systems disinfected separately; otherwise the worm will try to re-infect already cleaned systems. After disinfection it is also recommended to change all logins and passwords, as they could have been compromised by the worm's password-stealing component. It is also recommended to check infected systems and networks for possible intrusion that could have been performed through the worm's backdoor component.
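To check a host for two of the indicators described above before declaring it clean (a RunOnce entry pointing at the worm's copy in the System directory, and the listener on port 36794), here is an added Python example that parses constructed netstat output and RunOnce values; it is not F-PROT tooling, and the rule that a RunOnce entry into the System directory is suspicious is an assumption of the example, not a statement from the description.

```python
"""Host triage for two Bugbear indicators (added example, not F-PROT tooling)."""
import re

BACKDOOR_PORT = 36794  # listening port named in the description

# Constructed sample of `netstat -an` output from an infected host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.1:25         ESTABLISHED
"""

# Constructed RunOnce values (value name -> command); the worm adds one that
# points at its random-named copy in the Windows System directory.
SAMPLE_RUNONCE = {
    "JFMV": r"C:\WINNT\SYSTEM32\JFMV.EXE",
    "Installer Cleanup": r"C:\WINNT\TEMP\setup_cleanup.exe",
}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)


def listening_ports(netstat_text):
    """Set of local ports in LISTENING state from `netstat -an` output."""
    return {int(p) for p in LISTEN_RE.findall(netstat_text)}


def suspicious_runonce(entries, system_dir):
    """RunOnce commands that are a bare EXE in the System directory (assumed
    rare for legitimate entries, so each hit deserves a look; this rule is
    the example's own, not from the description)."""
    sysdir = system_dir.lower().rstrip("\\") + "\\"
    hits = []
    for name, cmd in entries.items():
        target = cmd.strip('"').lower()
        if target.startswith(sysdir) and target.endswith(".exe"):
            hits.append((name, cmd))
    return hits


def triage(netstat_text, runonce, system_dir):
    """Names of the indicators found; an empty list means none were found."""
    found = []
    if BACKDOOR_PORT in listening_ports(netstat_text):
        found.append("listener on port %d" % BACKDOOR_PORT)
    for name, cmd in suspicious_runonce(runonce, system_dir):
        found.append("RunOnce %s -> %s" % (name, cmd))
    return found
```

Run `triage(SAMPLE_NETSTAT, SAMPLE_RUNONCE, r"C:\WINNT\SYSTEM32")` on the constructed data to see both indicators reported; on a real host, feed it the actual netstat output and an export of the RunOnce key, and submit any flagged file to your AV vendor rather than trusting its name.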

[This analysis was based on information from our partner company F-Secure Corp.: Alexey Podrezov; F-Secure Corp.; September 30th, 2002] edited by Ragnar Gisli Olafsson at Frisk Software International