W32/Bugbear-A

Discussion in 'malware problems & news' started by FanJ, Sep 30, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    EMERGENCY ALERT: W32/Bugbear-A spreading rapidly

    Name: W32/Bugbear-A
    Aliases: Tanat, Tanatos
    Type: Win32 worm
    Date: 30 September 2002


    Sophos has received several reports of this worm from the wild.

    Description
    W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts to spread via network shares. The worm copies itself to the Windows system folder as a file with a random four-letter name and an EXE extension and adds to the following registry entry to run this file on the next reboot:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    W32/Bugbear-A also drops a copy of itself in the Windows start up folder so that it is run on system restart.

    The worm drops a randomly-named DLL file, which is related to logging keystrokes, in the Windows system folder. It can also terminate certain firewall and antivirus programs.

    A more detailed analysis of W32/Bugbear-A will be published here shortly. Please check again later.



    More information about W32/Bugbear-A can be found at
    http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  3. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    More from Kaspersky:

    1. Tanatos - A Worm with a "Trojan" In Its Pocket
    A new multi-component virus gathers steam.

    Kaspersky Labs, an international data-security software developer,
    announces the detection of a new Internet worm called Tanatos, which is
    currently spreading via email and is busy hijacking confidential
    information from infected computers.

    Presently Kaspersky Labs has already received confirmation of Tanatos
    infections in the UK.

    Tanatos is a Windows attachment about 50 KB in size (it is packed by the
    UPX compression utility) and written in Microsoft Visual C++. The worm
    is spreading via email attachment files with differing headings, body
    texts and file attachment names. After the worm arrives in the inbox of
    potential victims, Tanatos waits for its email message to be read (for
    example, in the preview window). Once this occurs, by exploiting the
    "IFRAME" vulnerability in Windows Explorer's security system, it
    secretly infects the machine. While infecting a victim computer the worm
    registers itself in the system registry auto-run key so that its
    malicious code will activate each time Windows is booted.

    Tanatos also sets a keyboard "bug" that records all keyboard actions to
    a specified file.

    The defense against Tanatos has already been added to the Kaspersky
    Anti-Virus databases. Please update your anti-virus software.

    More details covering the Tanatos Internet worm will soon be available
    in the Kaspersky Labs Anti-Virus Encyclopedia - http://www.viruslist.com.
     
  4. FanJ

    FanJ Guest

    Symantec:

    Detection is added for NAV in the virus-definitions of 30 Sept. 2002 (use Intelligent Updater to get them).

    http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html#threatassessment

    Note: due to the character @ in this link it is not possible to make this link easily clickable

    Quote:

    When W32.Bugbear@mm runs, it does the following:

    It copies itself as C:\%System%\F***.exe, where * represents letters chosen by the worm.

    NOTES: %system% is a variable. The worm locates the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

    It copies itself to the startup folder as C**.exe, where * represents letters chosen by the worm. For example,

    It may copy itself as C:\WINDOWS\Start Menu\Programs\Startup\CUU.EXE when run on a Win9.X system;
    It may copy itself as C:\Documents and Settings\<current username>\Start Menu\Programs\Startup\CTI.EXE when run on a Windows 2000/NT machine.

    It creates the following files:
    C:\%System%\iccyoa.dll
    C:\%System%\lgguqaa.dll
    C:\%System%\roomuaa.dll
    C:\%Windir%\okkqsa.dat
    C:\%Windir%\ussiwa.dat

    NOTES: %Windir% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and creates files in that location.

    It adds a value that refers to the worm file to the registry key
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    It kills the following processes if they are running on the system:
    ZONEALARM.EXE
    WFINDV32.EXE
    WEBSCANX.EXE
    VSSTAT.EXE
    VSHWIN32.EXE
    VSECOMR.EXE
    VSCAN40.EXE
    VETTRAY.EXE
    VET95.EXE
    TDS2-NT.EXE
    TDS2-98.EXE
    TCA.EXE
    TBSCAN.EXE
    SWEEP95.EXE
    SPHINX.EXE
    SMC.EXE
    SERV95.EXE
    SCRSCAN.EXE
    SCANPM.EXE
    SCAN95.EXE
    SCAN32.EXE
    SAFEWEB.EXE
    RESCUE.EXE
    RAV7WIN.EXE
    RAV7.EXE
    PERSFW.EXE
    PCFWALLICON.EXE
    PCCWIN98.EXE
    PAVW.EXE
    PAVSCHED.EXE
    PAVCL.EXE
    PADMIN.EXE
    OUTPOST.EXE
    NVC95.EXE
    NUPGRADE.EXE
    NORMIST.EXE
    NMAIN.EXE
    NISUM.EXE
    NAVWNT.EXE
    NAVW32.EXE
    NAVNT.EXE
    NAVLU32.EXE
    NAVAPW32.EXE
    N32SCANW.EXE
    MPFTRAY.EXE
    MOOLIVE.EXE
    LUALL.EXE
    LOOKOUT.EXE
    LOCKDOWN2000.EXE
    JEDI.EXE
    IOMON98.EXE
    IFACE.EXE
    ICSUPPNT.EXE
    ICSUPP95.EXE
    ICMON.EXE
    ICLOADNT.EXE
    ICLOAD95.EXE
    IBMAVSP.EXE
    IBMASN.EXE
    IAMSERV.EXE
    IAMAPP.EXE
    FRW.EXE
    FPROT.EXE
    FP-WIN.EXE
    FINDVIRU.EXE
    F-STOPW.EXE
    F-PROT95.EXE
    F-PROT.EXE
    F-AGNT95.EXE
    ESPWATCH.EXE
    ESAFE.EXE
    ECENGINE.EXE
    DVP95_0.EXE
    DVP95.EXE
    CLEANER3.EXE
    CLEANER.EXE
    CLAW95CF.EXE
    CLAW95.EXE
    CFINET32.EXE
    CFINET.EXE
    CFIAUDIT.EXE
    CFIADMIN.EXE
    BLACKICE.EXE
    BLACKD.EXE
    AVWUPD32.EXE
    AVWIN95.EXE
    AVSCHED32.EXE
    AVPUPD.EXE
    AVPTC32.EXE
    AVPM.EXE
    AVPDOS32.EXE
    AVPCC.EXE
    AVP32.EXE
    AVP.EXE
    AVNT.EXE
    AVKSERV.EXE
    AVGCTRL.EXE
    AVE32.EXE
    AVCONSOL.EXE
    AUTODOWN.EXE
    APVXDWIN.EXE
    ANTI-TROJAN.EXE
    ACKWIN32.EXE
    _AVPM.EXE
    _AVPCC.EXE
    _AVP32.EXE

    It attempts to copy itself to the Startup folder of remote machines on the network as C**.EXE, where * represents letters chosen by the worm.

    It searches for email addresses in the current inbox and in files with the following extensions:
    MMF
    NCH
    MBX
    EML
    TBB
    DBX

    It then emails itself to all email addresses it finds.

    It opens TCP port 36794 and allows a remote hacker to take control of the compromised computer.
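    The host indicators listed in the Symantec and Sophos descriptions above (the F***.EXE copy in %System%, the C**.EXE copy in the Startup folder, the RunOnce value, the dropped .dll/.dat components and the listening port 36794) can be turned into a simple triage check. The following is an added example, not code from the thread or from either vendor; the registry value name and the file and netstat listings are constructed sample data.

```python
import re

# Indicators quoted in this thread (Symantec / Sophos descriptions of W32.Bugbear@mm).
DROPPED_FILES = {"iccyoa.dll", "lgguqaa.dll", "roomuaa.dll", "okkqsa.dat", "ussiwa.dat"}
BACKDOOR_PORT = 36794
SYSTEM_COPY = re.compile(r"^f[a-z]{3}\.exe$", re.I)    # C:\%System%\F***.exe
STARTUP_COPY = re.compile(r"^c[a-z]{2}\.exe$", re.I)   # ...\Startup\C**.exe
# Matches a "netstat -an" style line and captures the local port.
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def triage(runonce_values, system_files, windir_files, startup_files, netstat_lines):
    """Return human-readable findings; an empty list means no indicator matched.

    A lone F???.EXE in %System% is a weak indicator (any four-letter name starting
    with F would match); the RunOnce reference, dropped components and the listening
    port are the corroborating evidence a responder should look for.
    """
    findings = []
    for name, path in runonce_values.items():            # HKLM\...\CurrentVersion\RunOnce
        if SYSTEM_COPY.match(path.rsplit("\\", 1)[-1]):
            findings.append(f"RunOnce value {name!r} launches {path}")
    for f in system_files + windir_files:
        if f.lower() in DROPPED_FILES:
            findings.append(f"dropped component found: {f}")
    for f in system_files:
        if SYSTEM_COPY.match(f):
            findings.append(f"worm-style name in %System%: {f}")
    for f in startup_files:
        if STARTUP_COPY.match(f):
            findings.append(f"worm-style name in Startup folder: {f}")
    for line in netstat_lines:
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            findings.append(f"backdoor port {BACKDOOR_PORT} is listening")
    return findings


# Constructed sample snapshot of an infected Windows 2000 host (value name is invented).
SAMPLE_RUNONCE = {"cti": r"C:\WINNT\System32\FCXI.EXE"}
SAMPLE_SYSTEM = ["kernel32.dll", "FCXI.EXE", "iccyoa.dll", "lgguqaa.dll"]
SAMPLE_WINDIR = ["win.ini", "okkqsa.dat"]
SAMPLE_STARTUP = ["desktop.ini", "CTI.EXE"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:36794    0.0.0.0:0    LISTENING"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUNONCE, SAMPLE_SYSTEM, SAMPLE_WINDIR, SAMPLE_STARTUP, SAMPLE_NETSTAT):
        print(finding)
```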
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Looks like everyone has that puppy covered...Now let us hope it goes away just as fast. :(
     
  6. FanJ

    FanJ Guest

    Yep,

    Symantec released in the meantime a LiveUpdate for NAV (not happening very often on a monday).
     
  7. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    A friend in Brazil's email has been compromised, as I was sent this virus as a .pif attachment. NOD32 caught it.
     
  8. bardau

    bardau Registered Member

    Joined:
    Oct 3, 2002
    Posts:
    1
    I rec'd W32/Bugbear in an attachment from a person known to me. NOD32 caught it & I've informed the sender about it. So it's doing the rounds in Australia.
     
  9. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I think we are past the peak now. I'm not getting near the hits today I got yesterday.
    And what's really amazing is that it takes a user to click an attachment for it to work, and the numbers are in the thousands.
    I wonder what it's going to take to get the avg. user enlightened?
     
  10. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Had 3 hits tonight from it, an exe.pif attachment sent with the subject 'FW-Jokes'. Obviously Nod caught them all.
     
  11. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    It is very widespread in Australia ... we've received more than fifteen hundred Bugbear emails in the past two days ... some of them "from" us "to" us ... and the phones have been running hot. (Apparently it was announced on the radio that NOD32 is the only antivirus program which is not attacked and disabled by Bugbear.)

    Chances are the person you informed about it wasn't the sender. Bugbear uses more sophisticated address spoofing than Klez, and will often combine text prior to the @ symbol in one address with text following the @ symbol from another address to create a non-existent "sender".
     
  12. CarolinaMoonshine

    CarolinaMoonshine Registered Member

    Joined:
    May 3, 2002
    Posts:
    91
    Ye Gads! My Norton just quarantined Bugbear! Now what?
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    If you want to delete the file, just go to Norton's Quarantine, highlight the file, and click the Delete Item button. Then it'll be gone. :)

    If you want to recheck your system after doing that, running a full system scan can't hurt. It's good that NAV caught it and told you about it. You are probably perfectly fine and you'll feel better after you've killed that buggy bear. ;)

    LowWaterMark
     
  14. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    As LowWaterMark said, you are probably completely fine.

    I'm guessing it caught it in an e-mail, while the e-mail was downloading? (i.e. do you have NAV's e-mail scanning on?) If so, a Full Scan wouldn't hurt, but probably won't find anything.

    If, however, it caught it executing from the hard drive, or in memory, I would do a full system scan right away.

    -Javacool
     
  15. CarolinaMoonshine

    CarolinaMoonshine Registered Member

    Joined:
    May 3, 2002
    Posts:
    91
    Thanks Low and Java! Norton caught it on an incoming e-mail and quarantined it before it could even finish downloading. The file must have been huge, because even after quarantine I had to END TASK to get my e-mail to make any sense. I had something like 25 incoming e-mails listed, when in actuality it was only about 10!

    Can't thank you enough. Realize that I am so computer challenged and helpless!

    I have deleted it, and am now scanning my system!

    Thanks a bunch guys, you have decreased my anxiety significantly!
    :cool:
     
  16. CarolinaMoonshine

    CarolinaMoonshine Registered Member

    Joined:
    May 3, 2002
    Posts:
    91
    Thought you might like to know that the Bugbear was particularly persistent in trying to break through into my e-mail. Every time I would close e-mail, and re-open it, there was that dirty little cuss trying to get in!

    I will bet that I deleted him ten times!

    The title of the e-mail was something like "Give Me A Home"! :rolleyes:

    Yep, like he11! ;)

    Scanning system for about the third time! YIKES!
     
  17. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    There is a free Bugbear cleaner on http://www.nod32.com.au ... link on the front page.

    Unlike some other standalone cleaners, it works ... and it's not another virus. :)

    There is also a cleaner/immunizer for Opaserv.
     