EMERGENCY ALERT: W32/Bugbear-A spreading rapidly

Name: W32/Bugbear-A
Aliases: Tanat, Tanatos
Type: Win32 worm
Date: 30 September 2002

Sophos has received several reports of this worm from the wild.

Description

W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts to spread via network shares. The worm copies itself to the Windows system folder as a file with a random four-letter name and an EXE extension and adds to the following registry entry to run this file on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

W32/Bugbear-A also drops a copy of itself in the Windows startup folder so that it is run on system restart. The worm drops a randomly-named DLL file, which is related to logging keystrokes, in the Windows system folder. It can also terminate certain firewall and antivirus programs.

A more detailed analysis of W32/Bugbear-A will be published here shortly. Please check again later. More information about W32/Bugbear-A can be found at http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
More from Kaspersky:

Tanatos - A Worm with a "Trojan" In Its Pocket

A new multi-component virus gathers steam. Kaspersky Labs, an international data-security software developer, announces the detection of a new Internet worm called Tanatos, which is currently spreading via email and is busy hijacking confidential information from infected computers. Presently Kaspersky Labs has already received confirmation of Tanatos infections in the UK.

Tanatos is a Windows attachment about 50 KB in size (it is packed by the UPX compression utility) and written in Microsoft Visual C++. The worm is spreading via email attachment files with differing headings, body texts and file attachment names. After the worm arrives in the inbox of potential victims, Tanatos waits for its email message to be read (for example, in the preview window). Once this occurs, by exploiting the "IFRAME" vulnerability in the Windows Explorer's security system, it secretly infects the machine.

While infecting a victim computer the worm registers itself in the system registry auto-run key so that its malicious code will activate each time Windows is booted. Tanatos also sets a keyboard "bug" that records all keyboard actions to a specified file.

The defense against Tanatos has already been added to the Kaspersky Anti-Virus databases. Please update your anti-virus software. More details covering the Tanatos Internet worm will soon be available in the Kaspersky Labs Anti-Virus Encyclopedia - http://www.viruslist.com.
Symantec: Detection is added for NAV in the virus definitions of 30 Sept. 2002 (use Intelligent Updater to get them).

http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html#threatassessment

Note: due to the character @ in this link it is not possible to make this link easily clickable.

Quote:

When W32.Bugbear@mm runs, it does the following:

It copies itself as C:\%System%\F***.exe, where * represents letters chosen by the worm.

NOTES: %System% is a variable. The worm locates the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It copies itself to the Startup folder as C**.exe, where * represents letters chosen by the worm. For example, it may copy itself as C:\WINDOWS\Start Menu\Programs\Startup\CUU.EXE when run on a Windows 9x system; it may copy itself as C:\Documents and Settings\<current username>\Start Menu\Programs\Startup\CTI.EXE when run on a Windows 2000/NT machine.

It creates the following files:

C:\%System%\iccyoa.dll
C:\%System%\lgguqaa.dll
C:\%System%\roomuaa.dll
C:\%Windir%\okkqsa.dat
C:\%Windir%\ussiwa.dat

NOTES: %Windir% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and creates files in that location.
It adds a value that refers to the worm file to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

It kills the following processes if they are running on the system:

ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE
TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE
SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE
PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE
NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE
IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE
IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE
ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE
CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE
AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE
APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE

It attempts to copy itself to the Startup folder of remote machines on the network as C**.EXE, where * represents letters chosen by the worm.

It searches for email addresses in the current inbox and in files with the following extensions: MMF, NCH, MBX, EML, TBB, DBX. It then emails itself to all email addresses it finds.

It opens TCP port 36794 and allows a remote hacker to take control of the compromised computer.
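The persistence and backdoor indicators in the Sophos and Symantec descriptions above (RunOnce value pointing at a random-named F***.EXE in the system folder, a C**.EXE copy in the Startup folder, the dropped DLL/DAT files, and the TCP 36794 listener) turned into a small triage check. This is an added example, not code from Sophos, Kaspersky, Symantec or anyone in this thread. The HostSnapshot structure and the two sample snapshots are constructed for illustration; the collect_snapshot_windows() helper assumes modern Windows Startup folder paths and the column layout of netstat -an, and is not exercised by the offline run.

```python
"""Triage check for the Bugbear persistence and backdoor indicators quoted above.

The core check runs over a HostSnapshot so it can be exercised offline on
constructed data; collect_snapshot_windows() fills one from a live host and
assumes current Windows paths (the thread shows older ones for Win9x/2000).
"""
import os
import re
import subprocess
from dataclasses import dataclass, field

# Worm copy in the system folder: F plus three worm-chosen letters, e.g. FXYZ.EXE
WORM_EXE = re.compile(r"(?:^|\\)f[a-z]{3}\.exe$", re.IGNORECASE)
# Startup folder copy: C plus two worm-chosen letters, e.g. CUU.EXE
STARTUP_EXE = re.compile(r"^c[a-z]{2}\.exe$", re.IGNORECASE)
# Remote-control backdoor listener named in the Symantec text
BACKDOOR_PORT = 36794
# Dropped support files named in the Symantec text (Sophos says the DLL name is random,
# so treat a miss here as inconclusive rather than as a clean host)
DROPPED_FILES = {"iccyoa.dll", "lgguqaa.dll", "roomuaa.dll", "okkqsa.dat", "ussiwa.dat"}


@dataclass
class HostSnapshot:
    runonce: dict = field(default_factory=dict)        # RunOnce value name -> command line
    startup_files: list = field(default_factory=list)  # file names in the Startup folder(s)
    system_files: list = field(default_factory=list)   # file names in %System% and %Windir%
    listening_tcp: set = field(default_factory=set)    # locally listening TCP ports


def check_bugbear_indicators(snap: HostSnapshot) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    for name, cmd in snap.runonce.items():
        path = cmd.strip().strip('"')
        if WORM_EXE.search(path):
            findings.append(f"RunOnce value '{name}' runs worm-style file {path}")
    for fname in snap.startup_files:
        if STARTUP_EXE.match(fname):
            findings.append(f"Startup folder entry {fname} matches the C**.EXE pattern")
    dropped = sorted(f for f in snap.system_files if f.lower() in DROPPED_FILES)
    if dropped:
        findings.append("dropped support files present: " + ", ".join(dropped))
    if BACKDOOR_PORT in snap.listening_tcp:
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (remote-control backdoor)")
    return findings


def collect_snapshot_windows() -> HostSnapshot:
    """Fill a HostSnapshot from a live Windows host (assumed paths; Windows only)."""
    import winreg  # standard library, Windows only, so imported lazily
    snap = HostSnapshot()
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
    i = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:  # raised once the value index runs past the end
            break
        snap.runonce[name] = str(data)
        i += 1
    startup_dirs = (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup")
    for folder in (os.path.expandvars(d) for d in startup_dirs):
        if os.path.isdir(folder):
            snap.startup_files.extend(os.listdir(folder))
    for folder in (os.path.expandvars(r"%SystemRoot%\System32"), os.path.expandvars("%SystemRoot%")):
        if os.path.isdir(folder):
            snap.system_files.extend(os.listdir(folder))
    # netstat columns on Windows: Proto  Local Address  Foreign Address  State
    out = subprocess.run(["netstat", "-an", "-p", "TCP"], capture_output=True, text=True).stdout
    for line in out.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            snap.listening_tcp.add(int(parts[1].rsplit(":", 1)[1]))
    return snap


# Constructed sample snapshots (made up for this example; the names follow the
# patterns in the quoted vendor descriptions, not real captured data).
SAMPLE_INFECTED = HostSnapshot(
    runonce={"": r"C:\WINDOWS\SYSTEM\FXYZ.EXE"},
    startup_files=["CUU.EXE", "desktop.ini"],
    system_files=["KERNEL32.DLL", "iccyoa.dll", "okkqsa.dat"],
    listening_tcp={139, 36794},
)
SAMPLE_CLEAN = HostSnapshot(
    runonce={"Setup": r"C:\PROGRA~1\SETUP\FINISH.EXE"},
    startup_files=["Office Startup.lnk"],
    system_files=["KERNEL32.DLL"],
    listening_tcp={139},
)

if __name__ == "__main__":
    for label, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, check_bugbear_indicators(snap) or ["no Bugbear indicators"])
```

The name patterns match on shape only, so a legitimate three- or four-letter EXE in the Startup folder or system directory will also trip them; treat a hit as a reason to run a current scanner or the vendor cleaner, not as confirmation. Note also that RunOnce values are consumed at the next boot, so on a host that has already rebooted the Startup folder copy and the listening port are the indicators left to look for.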
A friend in Brazil's email has been compromised, as I was sent this virus as a .pif attachment. NOD32 caught it.
I received W32/Bugbear in an attachment from a person known to me. NOD32 caught it and I've informed the sender about it. So it's doing the rounds in Australia.
I think we are past the peak now. I'm not getting near the hits today I got yesterday. And what's really amazing is that it takes a user to click an attachment for it to work, and the numbers are in the thousands. I wonder what it's going to take to get the average user enlightened?
Had 3 hits tonight from it, an exe.pif attachment sent with the subject 'FW-Jokes'; obviously NOD caught them all.
It is very widespread in Australia ... we've received more than fifteen hundred Bugbear emails in the past two days ... some of them "from" us "to" us ... and the phones have been running hot. (Apparently it was announced on the radio that NOD32 is the only antivirus program which is not attacked and disabled by Bugbear.) Chances are the person you informed about it wasn't the sender. Bugbear uses more sophisticated address spoofing than Klez, and will often combine text prior to the @ symbol in one address with text following the @ symbol from another address to create a non-existent "sender".
If you want to delete the file, just go to Norton's Quarantine, highlight the file, and click the Delete Item button. Then it'll be gone. If you want to recheck your system after doing that, running a full system scan can't hurt. It's good that NAV caught it and told you about it. You are probably perfectly fine and you'll feel better after you've killed that buggy bear. LowWaterMark
As LowWaterMark said, you are probably completely fine. I'm guessing it caught it in an e-mail, while the e-mail was downloading? (i.e. do you have NAV's e-mail scanning on?) If so, a Full Scan wouldn't hurt, but probably won't find anything. If, however, it caught it executing from the hard drive, or in memory, I would do a full system scan right away. -Javacool
Thanks Low and Java! Norton caught it on an incoming e-mail and quarantined it before it could even finish downloading. The file must have been huge, because even after quarantine I had to END TASK to get my e-mail to make any sense. I had something like 25 incoming e-mails listed, when in actuality it was only about 10! Can't thank you enough. Realize that I am so computer challenged and helpless! I have deleted it, and am now scanning my system! Thanks a bunch guys, you have decreased my anxiety significantly!
Thought you might like to know that the Bugbear was particularly persistent in trying to break through into my e-mail. Every time I would close e-mail, and re-open it, there was that dirty little cuss trying to get in! I will bet that I deleted him ten times! The title of the e-mail was something like "Give Me A Home"! Yep, like he11! Scanning system for about the third time! YIKES!
There is a free Bugbear cleaner on http://www.nod32.com.au ... link on the front page. Unlike some other standalone cleaners, it works ... and it's not another virus. There is also a cleaner/immunizer for Opaserv.