Discussion in 'malware problems & news' started by Paul Wilders, Jun 5, 2003.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    On 4th June 2003, MessageLabs the email security company intercepted copies of a new mass-mailing virus called W32/Bugbear.B-mm, and intercepted the first copy originating from the United States.

    Name: W32/Bugbear.B-mm
    Aliases: W32/Kijmo-mm, W32/Shamur-mm
    Number of copies intercepted so far: 300+
    Time & Date first Captured: 4th June 2003 11:59GMT
    Origin of first intercepted copy: United States
    Number of countries seen active: 20 (currently mostly in US and Australia)

    Email characteristics:

    The sender address may be spoofed, and may not indicate the true address of the sender. The virus contains a number of domains that it appears to be capable of spoofing.

    Emails that we have thus far seen have varying subject lines, seemingly relating to information or documents plagiarised from the recipient’s infected machine.

    The body-text of the message is variable and appears to be taken from documents and files found on the recipient’s infected machine.

    The attachment is compressed in a modified UPX format. The file size is 72,192 bytes. Attachment names are also variable, possibly based on filenames found on the infected machine, with an extension of either .scr, .pif or .exe.

    For example: Crimbo.exe.scr, Lotto.mbd.pif, 052003.ptx.exe, My Money Backup.mbf.scr, Captletterhead.doc.scr

    Virus Behaviour
    Initial analysis suggests that the virus is a mass mailer. It appears to be very polymorphic in nature and compressed using a variant of UPX, however, it seems to have the ability to repack or modify itself during each generation, presumably in an attempt to foil simple anti-virus signature fingerprinting techniques.

    In some copies that we have stopped, the MS01-020 auto-open exploit has been found, which will automatically execute the attachment just by reading the email on an unpatched Windows system.

    Virus Payload
    Initial analysis indicates that this virus may also be able to disarm local security software, such as anti-virus or firewall software. It may also be able to spread via network shares, as was the case with the earlier Bugbear.A strain. Furthermore, it may also install a key-logging trojan component that will enable an unscrupulous hacker to take control of the infected machine and download a file containing the user’s keystrokes, including information entered on websites such as passwords or credit-card details for example.

    The virus includes a number of domain names that it appears to be capable of spoofing, including many major international banks, financial institutions and government authorities.

    Paul Wood, Chief Information Analyst at MessageLabs said, “This is a particularly worrying trend in terms of the social engineering techniques now almost customary for any new virus to take hold.

    Particularly worrying is the fact that not only can Bugbear leach confidential information from an infected machine, but it may also leave a backdoor wide open for hackers to take control of the machine and misappropriate passwords, credit-card details or for some other nefarious purpose.

    “From the pattern of Bugbear.B emails that we have stopped already this morning, we anticipate that this is likely to reach high-level outbreak very soon, particularly as the US begin to come online.”

    MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.

    source: www.messagelabs.com

    note: this variant is already databased by NOD32 - update 1.427. NOD32 v2 Beta detects this variant even without the database update, due to the new advanced heuristics enabled in the IMON by default :cool: - paul.

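The indicators in the post above (executable .scr/.pif/.exe attachments, document-looking names with a second extension such as Lotto.mbd.pif, and the 72,192-byte file size) can be turned into a simple mail-gateway check. The following is an added example, not MessageLabs' or the forum's own code; the message it scans is constructed inline and is not a real capture.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the MessageLabs description of W32/Bugbear.B-mm.
BUGBEAR_B_SIZE = 72192
EXEC_EXTS = {".scr", ".pif", ".exe"}


def attachment_indicators(filename, size):
    """Return the list of Bugbear.B-style indicators an attachment matches."""
    hits = []
    parts = (filename or "").lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        hits.append("executable-extension")
        # e.g. Crimbo.exe.scr: a document-looking name with an executable tacked on
        if len(parts) > 2:
            hits.append("double-extension")
    if size == BUGBEAR_B_SIZE:
        hits.append("bugbear-b-size")
    return hits


def scan_message(raw):
    """Parse an RFC 822 message; map each suspicious attachment name to its indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        hits = attachment_indicators(name, len(payload))
        if hits:
            findings[name] = hits
    return findings


def build_sample(attachment_name, size):
    """Construct a sample message (not a real capture) carrying a dummy attachment of the given size."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # constructed, possibly spoofed like the real thing
    msg["To"] = "user@example.com"
    msg["Subject"] = "My Money Backup"     # subject lines vary, mimicking files on the infected host
    msg.set_content("constructed body text")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()
```

A hit on the size alone is weak evidence since the worm repacks itself; the extension checks are the part worth keeping in a gateway rule.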

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Removal tool:


    Testing it now. :blink:


  3. Raul

    Raul Guest

    I got this pest today.
    It disabled my AV (Anti Vir 9x, Free version, updated last Sunday) and my firewall (ZoneAlarm, Free too), not before this one warned me that a file named lxpf.exe was attempting to act as a server, or something like that.
    I disconnected my modem, searched for the file and found it in the Start menu. It was impossible to delete it in Windows, so I rebooted into DOS and deleted it. (I think this was the Trojan?)
    After that, I reinstalled ZoneAlarm, reconnected the modem, updated the AV and ran it.
    Bingo! Here it was, infecting Notepad.exe and hh.exe in the Windows directory and winzip32.exe in the Program files\Winzip directory. It was identified as Worm\BugbearB.
    Question. Are Notepad.exe and hh.exe legitimate Windows files? Can I safely remove them or do they need to be reinstalled?
    Thank you in advance.

  4. zOK

    zOK Guest

    hh.exe = help files, Notepad = Notepad, both are needed, restore from disk.
  5. Raul

    Raul Guest

    Thank you for your fast response!
  6. Technodrome

    Technodrome Security Expert

    Feb 13, 2002
    New York

    Sophos has received many reports of this virus from the wild. Sophos has been detecting W32/Bugbear-B since 12:20 GMT on 5 June, but has issued this new IDE to improve detection and to include disinfection. This IDE also includes detection for damaged, non-working samples of W32/Bugbear-B. These non-working samples are detected as W32/Bugbear-Dam.

    W32/Bugbear-B is a network-aware virus. W32/Bugbear-B spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.

    The virus attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this virus.)

    If the virus activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the virus. You will find:

    xxx.EXE (usually 72192 bytes) in the Startup folder
    zzzzzzz.DLL (usually 5632 bytes) in the System folder

    The EXE file is an executable copy of the virus. The DLL is a keystroke logging tool which is used by the virus when it is activated.

    The virus spreads itself via email. The emails can look like normal emails or they could have no body text and one of the following subject lines:

    more: http://www.sophos.com/virusinfo/analyses/w32bugbearb.html

  7. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
  8. Uguel707

    Uguel707 Graphic Artist

    Nov 9, 2002
    San Diego
    This week, many people from a little board I know received "bugbear" along with an exe file in their e-mails. I did too ... Never had anything of that sort before. Of course, my AV could notice it, but...

    I wonder if that virus is increasing or is it just a pure coincidence?

    --Just a few people know my email address and my address never shows at that board either--

    What do you think? o_O

    Bye, Uguel
  9. Dan Perez

    Dan Perez Retired Moderator

    May 18, 2003
    Sunny San Diego
    Hi Uguel,

    It's hard to say as I know of no really comprehensive reporting across all AV vendors' stats. A useful site to look at (if only because of the adjustable graphs) is


    Judging from this, BugBear.B peaked earlier in the month (it is unclear how much earlier) and is already over-shadowed by continuing Klez.H infestations. Once their next monthly report is out we will know the date of the peak but by then it's of less interest :)

    If anyone else knows of sites such as the URL above please post it as I would be very much interested.


  10. Uguel707

    Uguel707 Graphic Artist

    Nov 9, 2002
    San Diego
    Thank you Dan!

    Well, my home record is: 7 people (in three days!) complained about it! That forum may welcome about 50 to 70 max users a day (judging by the number of posts read).
    So, I was wondering if the virus has risen out of proportion
    somehow. It may also take time before they give an accurate picture though. Not all people report viruses.

    I'll have a look at your link then. Bye ;)
