FYI,
Below is some information about a new form of the Bugbear virus that was discovered today.
This virus has spread to 115 countries in just a few hours.
We have measures in place that should not let this virus affect us. However, there is always the chance of getting it at home and spreading it to others. Please read and use caution.
W32.Bugbear.B@mm
Discovered on: June 05, 2003
Last Updated on: June 05, 2003 06:30:27 AM
W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a mass-mailing worm that also spreads through network shares. The worm is polymorphic and also infects a select list of executable files. The worm has keystroke-logging and backdoor capabilities and also attempts to terminate the processes of various antivirus and firewall programs.
The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm simply when reading or previewing an infected message.
Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.
Due to the number of submissions received from customers, Symantec Security Response is upgrading this threat to a Category 3 from a Category 2 threat.
Also Known As: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee]
Type: Virus, Worm
Infection Length: 72,192
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Beta Virus Definitions: June 05, 2003
Virus Definitions (Intelligent Updater) *: June 05, 2003
Virus Definitions (LiveUpdate(tm)) **: June 05, 2003
* Intelligent Updater virus definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild:
Number of infections: 50 - 999
Number of sites: 0 - 2
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy
Threat Metrics
Wild: Medium
Damage: Low
Distribution: High
When W32.Bugbear@mm runs, it copies itself to the \Startup folder as ???.exe, where ? represents letters that are chosen by the worm. For example:
It may copy itself as C:\Windows\Start Menu\Programs\Startup\Cuu.exe when it runs on a Windows 95/98/Me-based system.
It may copy itself as C:\Documents and Settings\<current user name>\Start Menu\Programs\Startup\Cti.exe when it runs on a Windows NT/2000/XP-based system.
Mass Mailing Routine
The worm mass-mails itself to email addresses found on the system. It searches for email addresses in the current inbox and in files that have these extensions:
.mmf
.nch
.mbx
.eml
.tbb
.dbx
.ocs
It retrieves the current user's email address and SMTP server from the registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts
It then uses its own SMTP engine to send itself to all email addresses that it finds, spoofing the From: address.
The worm can reply or forward an existing message or create a new message with one of the following subject lines:
Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re:
$150 FREE Bonus!
Your News Alert
Hi!
Get 8 FREE issues - no risk!
Greets!
For the attachment filename, the worm uses filenames from the My Documents folder that have one of the following extensions:
.reg
.ini
.bat
.diz
.txt
.cpp
.html
.htm
.jpeg
.jpg
.gif
.cpl
.dll
.vxd
.sys
.com
.exe
.bmp
The filename is then concatenated with one of the following extensions:
.scr
.pif
.exe
In addition, the filename can consist of one of the following words:
readme
Setup
Card
Docs
news
image
images
pics
resume
photo
video
music
song
data
The content type of the message is matched to the filetype and can be one of the following:
text/html
text/plain
application/octet-stream
image/jpeg
image/gif
Finally, the email message can be composed with or without the use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to automatically execute on a vulnerable system.
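The mass-mailing traits above (a fixed subject list, an attachment named document.ext.scr/.pif/.exe or a bare word such as readme.exe, and a declared content type that does not describe an executable) can be turned into a gateway-side check. The following is an added example written for this page, not Symantec code or a tool from the advisory; the two messages are constructed samples, the subject list is a subset of the one above, and treating a text/image content type on an executable attachment as an indicator is this example's own heuristic.

```python
"""Flag inbound mail carrying the W32.Bugbear.B@mm traits the advisory lists.

Added example, not Symantec code. The sample messages are constructed.
"""
import re
from email import message_from_string

# Subset of the subject lines listed in the advisory (extend with the full list).
BUGBEAR_SUBJECTS = {
    "hello!", "update", "hmm..", "payment notices", "just a reminder",
    "membership confirmation", "get a free gift!", "$150 free bonus!",
    "daily email reminder", "your news alert", "my ebay ads", "greets!",
}
# Extensions the worm borrows from files in My Documents ...
DOC_EXTS = {".reg", ".ini", ".bat", ".diz", ".txt", ".cpp", ".html", ".htm",
            ".jpeg", ".jpg", ".gif", ".cpl", ".dll", ".vxd", ".sys", ".com",
            ".exe", ".bmp"}
# ... the executable extension it appends to them ...
EXEC_EXTS = {".scr", ".pif", ".exe"}
# ... and the bare words it also uses as attachment names.
BARE_NAMES = {"readme", "setup", "card", "docs", "news", "image", "images",
              "pics", "resume", "photo", "video", "music", "song", "data"}
# Declared content types from the advisory that do not describe an executable.
NON_EXEC_TYPES = {"text/html", "text/plain", "image/jpeg", "image/gif"}

DOUBLE_EXT = re.compile(r"^(?P<stem>.+)(?P<inner>\.[a-z0-9]+)(?P<outer>\.[a-z0-9]+)$")


def check_attachment(filename: str, content_type: str) -> list[str]:
    """Return indicator strings for one attachment (empty if nothing matches)."""
    findings = []
    lower = filename.lower()
    stem, dot, ext = lower.rpartition(".")
    if dot + ext not in EXEC_EXTS:
        return findings  # only executable attachments matter for this check
    m = DOUBLE_EXT.match(lower)
    if m and m.group("inner") in DOC_EXTS:
        findings.append(f"double-extension attachment: {filename}")
    elif stem in BARE_NAMES:
        findings.append(f"bare-word executable attachment: {filename}")
    if content_type.lower() in NON_EXEC_TYPES:
        # Heuristic of this example: an executable body declared as text or
        # image is the kind of mismatch the Incorrect MIME Header vulnerability
        # relies on, so report it as an indicator.
        findings.append(f"content type {content_type} declared for executable {filename}")
    return findings


def scan_message(raw: str) -> list[str]:
    """Parse one RFC 822 message and collect every Bugbear.B indicator found."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in BUGBEAR_SUBJECTS:
        findings.append(f"known subject line: {subject}")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings.extend(check_attachment(name, part.get_content_type()))
    return findings


# Constructed sample: subject from the list, photo.jpg.scr declared as image/jpeg.
SAMPLE_WORM_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: Membership Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

See attached.
--bnd
Content-Type: image/jpeg; name="photo.jpg.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg.scr"

TVqQAAMAAAA=
--bnd--
"""

# Constructed benign sample for comparison.
SAMPLE_CLEAN_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch on Friday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Menu attached.
--bnd
Content-Type: application/pdf; name="menu.pdf"
Content-Disposition: attachment; filename="menu.pdf"

JVBERi0=
--bnd--
"""

if __name__ == "__main__":
    for label, raw in (("worm sample", SAMPLE_WORM_MAIL), ("clean sample", SAMPLE_CLEAN_MAIL)):
        print(label, "->", scan_message(raw) or "no indicators")
```

The subject match alone is weak (the list contains common words such as "News" and "Re:"), so a gateway policy should act on the attachment findings and use the subject hit only as corroboration.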
Local And Network File Infection
The worm will also infect files found on local and network shares that match the following filenames. The worm simply appends itself and is polymorphic.
scandskw.exe
regedit.exe
mplayer.exe
hh.exe
notepad.exe
winhelp.exe
Internet Explorer\iexplore.exe
adobe\acrobat 5.0\reader\acrord32.exe
WinRAR\WinRAR.exe
Windows Media Player\mplayer2.exe
Real\RealPlayer\realplay.exe
Outlook Express\msimn.exe
Far\Far.exe
CuteFTP\cutftp32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
ACDSee32\ACDSee32.exe
MSN Messenger\msnmsgr.exe
WS_FTP\WS_FTP95.exe
QuickTime\QuickTimePlayer.exe
StreamCast\Morpheus\Morpheus.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
Trillian\Trillian.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
AIM95\aim.exe
Winamp\winamp.exe
DAP\DAP.exe
ICQ\Icq.exe
kazaa\kazaa.exe
winzip\winzip32.exe
Network Share Infection
The worm enumerates all network shares and computers and attempts to copy itself to those shares. In addition, the worm attempts to copy itself to the Windows Startup folder located on remote systems.
The worm does not differentiate between computers and printers. Thus, the worm will inadvertently attempt to queue itself as a print job on network shared printers.
Keylogger
The worm drops a keylogger as a randomly named DLL in the Windows System folder. The file is 5,632 bytes in size and is detected as PWS.Hooker.Trojan. The worm creates additional encrypted files in the Windows and Windows System folder with randomly named filenames with the extensions .DLL or .DAT. These files store configuration information and encrypted keystrokes recorded by the keylogger.
These data files are not malicious and may be deleted.
Process Termination
The worm attempts to terminate security product processes that match the following names:
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
Backdoor Routine
The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:
Delete files.
Terminate processes.
List processes and deliver the list to the hacker.
Copy files.
Start processes.
List files and deliver the list to the hacker.
Deliver intercepted keystrokes to the hacker (in an encrypted form). This may release confidential information that is typed on a computer (passwords, login details, and so on).
Deliver the system information to the hacker in the following form:
User: <user name>
Processor: <type of processor used>
Windows version: <Windows version, build number>
Memory information: <Memory available, etc.>
Local drives, their types (e.g., fixed/removable/RAM disk/CD-ROM/remote), and their physical characteristics
List network resources and their types, and deliver the list to the hacker.
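Three of the host-side traits described above lend themselves to a quick triage check: the ???.exe copy in the Startup folder, the 5,632-byte keylogger DLL in the Windows System folder, and the listener on TCP port 1080. The script below is an added example for this page, not Symantec's removal tool; the directory listings and netstat lines it works on are constructed inputs standing in for what a real `dir` and `netstat -an` would show.

```python
"""Host-side triage for the persistence, keylogger and backdoor traits in the advisory.

Added example, not Symantec tooling. The listings and netstat output are constructed.
"""
import re

# Startup entry named with three worm-chosen letters plus .exe (e.g. Cuu.exe, Cti.exe).
STARTUP_NAME = re.compile(r"[A-Za-z]{3}\.exe", re.IGNORECASE)
KEYLOGGER_DLL_SIZE = 5632  # size of the dropped keylogger DLL per the advisory
BACKDOOR_PORT = 1080       # port the backdoor listens on per the advisory


def suspicious_startup_entries(names):
    """Return Startup-folder entries that fit the worm's ???.exe naming pattern."""
    return [n for n in names if STARTUP_NAME.fullmatch(n)]


def suspicious_system_files(entries):
    """Return DLLs in the System folder whose size equals the dropped keylogger's.

    entries: iterable of (filename, size_in_bytes) pairs.
    """
    return [name for name, size in entries
            if name.lower().endswith(".dll") and size == KEYLOGGER_DLL_SIZE]


def backdoor_port_listening(netstat_lines):
    """True if any 'netstat -an' style line shows TCP port 1080 in LISTENING state."""
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            local_port = parts[1].rsplit(":", 1)[-1]
            if local_port == str(BACKDOOR_PORT):
                return True
    return False


def triage(startup_names, system_entries, netstat_lines):
    """Combine the three checks; any non-empty list or True value needs a closer look."""
    return {
        "startup": suspicious_startup_entries(startup_names),
        "keylogger_dll": suspicious_system_files(system_entries),
        "port_1080_listening": backdoor_port_listening(netstat_lines),
    }


# Constructed inputs standing in for a Startup folder listing, a System folder
# listing with sizes, and 'netstat -an' output.
STARTUP_LISTING = ["desktop.ini", "Cuu.exe", "Office Startup.lnk"]
SYSTEM_LISTING = [("kernel32.dll", 742_400), ("qzvk.dll", 5632), ("rmhp.dat", 2_048)]
NETSTAT_OUTPUT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1037       192.168.1.1:80         ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]

if __name__ == "__main__":
    for key, value in triage(STARTUP_LISTING, SYSTEM_LISTING, NETSTAT_OUTPUT).items():
        print(f"{key}: {value}")
```

None of the three results is proof by itself: port 1080 is also the standard SOCKS proxy port, a 5,632-byte DLL can be legitimate, and a three-letter program name is not unusual, so a hit should be confirmed by identifying the process owning the socket and scanning the flagged files with current definitions before anything is removed.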