Wilders Security Forums
Thread: W32/Bugbear-A (Other Security Topics > malware problems & news)
#1  September 30th, 2002, 01:16 PM
FanJ
W32/Bugbear-A

EMERGENCY ALERT: W32/Bugbear-A spreading rapidly

Name: W32/Bugbear-A
Aliases: Tanat, Tanatos
Type: Win32 worm
Date: 30 September 2002


Sophos has received several reports of this worm from the wild.

Description
W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts to spread via network shares. The worm copies itself to the Windows system folder as a file with a random four-letter name and an EXE extension and adds to the following registry entry to run this file on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

W32/Bugbear-A also drops a copy of itself in the Windows start-up folder so that it is run on system restart.

The worm drops a randomly-named DLL file, which is related to logging keystrokes, in the Windows system folder. It can also terminate certain firewall and antivirus programs.

A more detailed analysis of W32/Bugbear-A will be published here shortly. Please check again later.
More information about W32/Bugbear-A can be found at
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
#2  September 30th, 2002, 02:16 PM
Primrose (Security Expert; joined Sep 2002; 2,743 posts)
Re: W32/Bugbear-A


W32/Bugbear (more Info)

http://www.dslreports.com/forum/rema...ty,1~mode=flat

#3  September 30th, 2002, 02:43 PM
Tinribs (Frequent Poster; joined Mar 2002; England; 734 posts)
Re: W32/Bugbear-A

More from Kaspersky:

1. Tanatos - A Worm with a "Trojan" In Its Pocket
A new multi-component virus gathers steam.

Kaspersky Labs, an international data-security software developer,
announces the detection of a new Internet worm called Tanatos, which is
currently spreading via email and is busy hijacking confidential
information from infected computers.

Presently Kaspersky Labs has already received confirmation of Tanatos
infections in the UK.

Tanatos is a Windows attachment about 50 KB in size (it is packed by the
UPX compression utility) and written in Microsoft Visual C++. The worm
is spreading via email attachment files with differing headings, body
texts and file attachment names. After the worm arrives in the inbox of a
potential victim, Tanatos waits for its email message to be read (for
example, in the preview window); once this occurs, it exploits the
"IFRAME" vulnerability in Windows Explorer's security system to
secretly infect the machine. While infecting a victim computer the worm
registers itself in the system registry auto-run key so that its
malicious code will activate each time Windows is booted.

Tanatos also sets a keyboard "bug" that records all keyboard actions to
a specified file.

The defense against Tanatos has already been added to the Kaspersky
Anti-Virus databases. Please update your anti-virus software.

More details covering the Tanatos Internet worm will soon be available
in the Kaspersky Labs Anti-Virus Encyclopedia - http://www.viruslist.com.
__________________
A proud member of Wilders since March 2002
#4  September 30th, 2002, 03:30 PM
FanJ
Re: W32/Bugbear-A

Symantec:

Detection is added for NAV in the virus-definitions of 30 Sept. 2002 (use Intelligent Updater to get them).

http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html#threatassessment

Note: due to the character @ in this link it is not possible to make this link easily clickable

Quote (Symantec):

When W32.Bugbear@mm runs, it does the following:

It copies itself as C:\%System%\F***.exe, where * represents letters chosen by the worm.

NOTES: %system% is a variable. The worm locates the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It copies itself to the startup folder as C**.exe, where * represents letters chosen by the worm. For example,

It may copy itself as C:\WINDOWS\Start Menu\Programs\Startup\CUU.EXE when run on a Win9.X system;
It may copy itself as C:\Documents and Settings\<current username>\Start Menu\Programs\Startup\CTI.EXE when run on a Windows 2000/NT machine

It creates the following files:
C:\%System%\iccyoa.dll
C:\%System%\lgguqaa.dll
C:\%System%\roomuaa.dll
C:\%Windir%\okkqsa.dat
C:\%Windir%\ussiwa.dat

NOTES: %Windir% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and creates files to that location.

It adds a value that refers to the worm file to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

It kills the following processes if they are running on the system:
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

It attempts to copy itself to the Startup folder of remote machines on the network as C**.EXE, where * represents letters chosen by the worm.

It searches for email addresses in the current inbox and in files with the following extensions:
MMF
NCH
MBX
EML
TBB
DBX

It then emails itself to all email addresses it finds.

It opens a TCP port 36794 and allows the remote hacker to take control of the compromised computer.

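A host-side triage check for the indicators in the Symantec description quoted above, added here as an example and not code from Symantec or from anyone in the thread: it flags a RunOnce value pointing at an F???.exe in the system folder, a C??.EXE in a Startup folder, the named dropped DLL/DAT files, and a TCP listener on port 36794. The snapshots it reads (registry values, file paths, netstat lines) are constructed inputs; on a real host they would come from the registry, a directory listing and `netstat -an`.

```python
import re

# Indicators taken from the Symantec write-up quoted above.
DROPPED_FILES = {"iccyoa.dll", "lgguqaa.dll", "roomuaa.dll", "okkqsa.dat", "ussiwa.dat"}
BACKDOOR_PORT = 36794
# Worm copy in the system folder: F + three letters (F***.exe)
RUNONCE_RE = re.compile(r"\\system(?:32)?\\f[a-z]{3}\.exe$", re.IGNORECASE)
# Startup-folder copy: C + two letters (C**.EXE)
STARTUP_RE = re.compile(r"\\startup\\c[a-z]{2}\.exe$", re.IGNORECASE)

def check_runonce(values):
    """values: RunOnce value name -> command; return names pointing at F???.exe."""
    return [name for name, cmd in values.items() if RUNONCE_RE.search(cmd.strip('"'))]

def check_startup(paths):
    """Return Startup-folder entries shaped like the worm's C??.EXE copy."""
    return [p for p in paths if STARTUP_RE.search(p)]

def check_dropped(paths):
    """Return paths whose file name is one of the worm's dropped DLL/DAT files."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in DROPPED_FILES]

def check_listener(netstat_lines):
    """Flag a TCP socket LISTENING on the worm's backdoor port (netstat -an format)."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append(line.strip())
    return hits

def triage(runonce, files, netstat):
    """Run all four checks and return the hits per indicator category."""
    return {"runonce": check_runonce(runonce), "startup": check_startup(files),
            "dropped": check_dropped(files), "listener": check_listener(netstat)}

# Constructed sample snapshot, not data captured from a real infection.
SAMPLE_RUNONCE = {"fxyz": "C:\\WINDOWS\\SYSTEM\\FXYZ.EXE", "Setup": "C:\\WINDOWS\\setup.exe /x"}
SAMPLE_FILES = ["C:\\WINDOWS\\Start Menu\\Programs\\Startup\\CUU.EXE",
                "C:\\WINDOWS\\SYSTEM\\iccyoa.dll", "C:\\WINDOWS\\SYSTEM\\kernel32.dll"]
SAMPLE_NETSTAT = ["TCP    0.0.0.0:36794    0.0.0.0:0    LISTENING",
                  "TCP    0.0.0.0:139      0.0.0.0:0    LISTENING"]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_RUNONCE, SAMPLE_FILES, SAMPLE_NETSTAT).items():
        print(f"{category}: {hits}")
```

The file-name patterns are necessarily loose (any F???.exe or C??.exe), so a hit on those alone is a prompt to inspect the file, while a hit on the named drops or the 36794 listener is far more specific.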
#5  September 30th, 2002, 05:17 PM
Primrose (Security Expert; joined Sep 2002; 2,743 posts)
Re: W32/Bugbear-A

Looks like everyone has that puppy covered...Now let us hope it goes away just as fast.
#6  September 30th, 2002, 05:32 PM
FanJ
Re: W32/Bugbear-A

Yep,

Symantec released in the meantime a LiveUpdate for NAV (not happening very often on a monday).
#7  October 3rd, 2002, 03:28 AM
zappa (Regular Poster; joined Feb 2002; Los Angeles, Ca.; 176 posts)
Re: W32/Bugbear-A

A friend in Brazil's email has been compromised, as I was sent this virus as a .pif attachment. NOD32 caught it.
#8  October 3rd, 2002, 05:05 AM
bardau (Infrequent Poster; joined Oct 2002; 1 post)
Re: W32/Bugbear-A

I rec'd W32/Bugbear in an attachment from a person known to me. NOD32 caught it & I've informed the sender about it. So it's doing the rounds in Australia.
#9  October 3rd, 2002, 01:58 PM
root (Retired Moderator; joined Feb 2002; Missouri, USA; 1,723 posts)
Re: W32/Bugbear-A

I think we are past the peak now. I'm not getting near the hits today I got yesterday.
And what's really amazing is that it takes a user to click an attachment for it to work, and the numbers are in the thousands.
I wonder what it's going to take to get the avg. user enlightened?
__________________
"There is a principle which is a bar against all information, which is proof against all arguments and which cannot fail to keep a man (and a woman) in everlasting ignorance - that principle is: Contempt prior to Investigation."
-Herbert Spencer
#10  October 3rd, 2002, 03:49 PM
Tinribs (Frequent Poster; joined Mar 2002; England; 734 posts)
Re: W32/Bugbear-A

Had 3 hits tonight from it, an exe.pif attachment sent with the subject 'FW-Jokes'; obviously Nod caught them all.
#11  October 4th, 2002, 04:17 AM
rodzilla (Frequent Poster; joined Jun 2002; australia; 653 posts)
Re: W32/Bugbear-A

Quote (bardau):
I rec'd W32/Bugbear in an attachment from a person known to me. NOD32 caught it & I've informed the sender about it. So it's doing the rounds in Australia.

It is very widespread in Australia ... we've received more than fifteen hundred Bugbear emails in the past two days ... some of them "from" us "to" us ... and the phones have been running hot. (Apparently it was announced on the radio that NOD32 is the only antivirus program which is not attacked and disabled by Bugbear.)

Chances are the person you informed about it wasn't the sender. Bugbear uses more sophisticated address spoofing than Klez, and will often combine text prior to the @ symbol in one address with text following the @ symbol from another address to create a non-existent "sender".
__________________
-[ www.eset.com.au ]-
#12  October 7th, 2002, 08:55 PM
CarolinaMoonshine (Regular Poster; joined May 2002; 91 posts)
Re: W32/Bugbear-A

Ye Gads! My Norton just quarantined Bugbear! Now what?
__________________
Oh! I have slipped the surly bonds of Earth
And danced the skies on laughter-silvered wings;
Sunward I've climbed and joined the tumbling mirth
of sun-split clouds,--and done a hundred things
You have not dreamed of.....
#13  October 7th, 2002, 09:12 PM
LowWaterMark (Administrator; joined Aug 2002; New England; 15,524 posts)
Re: W32/Bugbear-A

If you want to delete the file, just go to Norton's Quarantine, highlight the file, and click the Delete Item button. Then it'll be gone.

If you want to recheck your system after doing that, running a full system scan can't hurt. It's good that NAV caught it and told you about it. You are probably perfectly fine and you'll feel better after you've killed that buggy bear.

LowWaterMark
#14  October 7th, 2002, 09:16 PM
javacool (BrightFort Moderator; joined Feb 2002; 3,879 posts)
Re: W32/Bugbear-A

Quote (CarolinaMoonshine):
Ye Gads! My Norton just quarantined Bugbear! Now what?

As LowWaterMark said, you are probably completely fine.

I'm guessing it caught it in an e-mail, while the e-mail was downloading? (i.e. do you have NAV's e-mail scanning on?) If so, a Full Scan wouldn't hurt, but probably won't find anything.

If, however, it caught it executing from the hard drive, or in memory, I would do a full system scan right away.

-Javacool
__________________

*Official BrightFort Website*
*SpywareBlaster*

*Please note: I am not responsible if any advice herein causes any trouble whatsoever *
#15  October 7th, 2002, 09:21 PM
CarolinaMoonshine (Regular Poster; joined May 2002; 91 posts)
Re: W32/Bugbear-A

Thanks Low and Java! Norton caught it on an incoming e-mail and quarantined it before it could even finish downloading. The file must have been huge, because even after quarantine I had to END TASK to get my e-mail to make any sense. I had something like 25 incoming e-mails listed, when in actuality it was only about 10!

Can't thank you enough. Realize that I am so computer challenged and helpless!

I have deleted it, and am now scanning my system!

Thanks a bunch guys, you have decreased my anxiety significantly!
#16  October 7th, 2002, 10:36 PM
CarolinaMoonshine (Regular Poster; joined May 2002; 91 posts)
Re: W32/Bugbear-A

Thought you might like to know that the Bugbear was particularly persistent in trying to break through into my e-mail. Every time I would close e-mail, and re-open it, there was that dirty little cuss trying to get in!

I will bet that I deleted him ten times!

The title of the e-mail was something like "Give Me A Home"!

Yep, like he11!

Scanning system for about the third time! YIKES!
#17  October 7th, 2002, 11:06 PM
rodzilla (Frequent Poster; joined Jun 2002; australia; 653 posts)
Re: W32/Bugbear-A

There is a free Bugbear cleaner on http://www.nod32.com.au ... link on the front page.

Unlike some other standalone cleaners, it works ... and it's not another virus.

There is also a cleaner/immunizer for Opaserv.