Win32.BugBear.A@mm (I-Worm.Tanatos)
SYMPTOMS:

TECHNICAL DESCRIPTION:

This is an Internet worm that spreads through e-mail. The infected e-mail has the following characteristics:

Subject: Randomly selected from: Hello! update hmm.. Payment notices Just a reminder Correction of errors history screen Announcement various Introduction Interesting... I need help about script!!! Stats Please Help... Report Membership Confirmation Get a FREE gift! Today Only New Contests Lost & Found bad news wow! fantastic click on this! Market Update Report empty account My eBay ads Cows 25 merchants and rising CALL FOR INFORMATION!

Attachment: Double extension file with final extension: .exe, .pif, .scr.

The worm uses the IFRAME exploit and will execute itself on preview on some computers with older versions of Internet Explorer.

After the attachment is executed, the worm copies itself under a random name into %SYSDIR% and creates a registry key in:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\%name%

with value %SYSDIR%\%name%, where %SYSDIR% is the system directory and %name% is the randomly generated name.

It also copies itself under:

%WINDIR%\Start Menu\Programs\StartUp\%name% on Win9x, or
Documents and Settings\%user%\Start Menu\Programs\StartUp\%name% on Windows 2000/XP, where %user% is the name of the currently logged-on user.

The worm drops a DLL file in %SYSDIR% that is used for logging all keystrokes. That DLL is detected as Trojan.KeyLogger.BugBear.A. The worm also creates 2 .dat files in %WINDIR% and 2 .dll files in %SYSDIR%. Those files are data files used by the virus to store all the information gathered from that computer.
The worm has one thread that periodically checks for the existence of its files and the RunOnce registry key, and kills the following processes:

ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE

On a different thread it scans for mail databases with the extensions .ods, .inbox, .mmf, .nch, .mbx, .eml, .tbb, .dbx, and gathers some of the e-mails found there.

The worm also spreads over the local network by searching for the StartUp folder in network shares and dropping itself there. It also opens port 36794 and waits for HTTP connections.
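The persistence and listener behaviour described above can be checked together on a host inventory. The following is an added example, not BitDefender's removal tool or code from this page: the inventory layout (`sysdir`, `runonce`, `startup`, `listening`), the sample names such as `qzkx` and `alice`, and matching names with the extension ignored are all assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any analysis machine

BUGBEAR_PORT = 36794  # listening port given in the description


def stem(path):
    """Lower-cased file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def check_host(host):
    """Return (indicator, detail) pairs for one host inventory."""
    sysdir = ntpath.normcase(ntpath.normpath(host["sysdir"]))
    startup_stems = {stem(p) for p in host["startup"]}
    findings = []
    for value_name, data in host["runonce"].items():
        target = ntpath.normcase(ntpath.normpath(data.strip('"')))
        # RunOnce value named after the file it launches from %SYSDIR%
        if ntpath.dirname(target) != sysdir or stem(target) != stem(value_name):
            continue
        findings.append(("runonce", value_name))
        # The same random name copied into a StartUp folder
        if stem(target) in startup_stems:
            findings.append(("startup_copy", value_name))
    if BUGBEAR_PORT in host["listening"]:
        findings.append(("listener", str(BUGBEAR_PORT)))
    return findings


def verdict(findings):
    """'likely' needs all three indicators; any single one is 'suspect'."""
    kinds = {kind for kind, _ in findings}
    if {"runonce", "startup_copy", "listener"} <= kinds:
        return "likely"
    return "suspect" if kinds else "clean"


# Constructed sample inventories (not taken from a real infection)
STARTUP = "C:\\Documents and Settings\\alice\\Start Menu\\Programs\\StartUp\\"
INFECTED = {"sysdir": r"C:\WINDOWS\SYSTEM32",
            "runonce": {"qzkx": r"C:\WINDOWS\system32\qzkx.exe"},
            "startup": [STARTUP + "qzkx.exe", STARTUP + "desktop.ini"],
            "listening": [135, 445, 36794]}
CLEAN = {"sysdir": r"C:\WINDOWS\SYSTEM32",
         "runonce": {"setup": r"C:\Program Files\Vendor\setup.exe"},
         "startup": [STARTUP + "desktop.ini"],
         "listening": [135, 445]}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, verdict(check_host(host)), check_host(host))
```

A "suspect" result (one or two indicators) still warrants a manual look, since the RunOnce value is consumed at the next boot and may be absent at collection time.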
REMOVAL INSTRUCTIONS:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiBugBear tool does the following: You may also need to restore the affected files.

To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.

To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

If you are running Windows 95/98/Me, you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.

ANALYZED BY: Sorin Victor Dudea, BitDefender Virus Researcher