| The Bugbear.B worm is a variant of original BugBear worm released in the fall of 2002. This worm is a a mass-mailing worm that also spreads through network shares. It will not only email to addresses found in the infected machine, but it will also terminate anti-virus software, install a keylogger program to potentially grab users passwords and other important info, and install a backdoor program to allow access to the machine from the outside world. The perfect opportunity for a hacker to invade a machine. |
Its email messages contain an exploit that allows attachments to automatically execute when the messages are viewed or even previewed in Microsoft Outlook and Outlook Express. The vulnerability exploit affects systems with unpatched Internet Explorer 5.01 and 5.5. Microsoft has released a patch for this exploit, however many systems are still not updated. You can read more information about this exploit and patch by visiting the Microsoft security bulletin Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.
The worm sends an email with the following characteristics:
Subject can be any of the following:
- Hello!
- update
- hmm..
- Payment notices
- Just a reminder
- Correction of errors
- history screen
- Announcement
- various
- Introduction
- Interesting...
- I need help about script!!!
- Stats
- Please Help...
- Report
- Membership Confirmation
- Get a FREE gift!
- Today Only
- New Contests
- Lost & Found
- bad news
- wow!
- fantastic
- click on this!
- Market Update Report
- empty account
- My eBay ads
- Cows
- 25 merchants and rising
- CALL FOR INFORMATION!
- new reading
- Sponsors needed
- SCAM alert!!!
- Warning!
- its easy
- free shipping!
- News
- Daily Email Reminder
- Tools For Your Online Business
- New bonus in your cash account
- Your Gift
- Re:
- $150 FREE Bonus!
- Your News Alert
- Hi!
- Get 8 FREE issues - no risk!
- Greets!
Attachment: the worm uses filenames in the My Documents folder location, which have one of the following extensions:
- .reg
- .ini
- .bat
- .diz
- .txt
- .cpp
- .html
- .htm
- .jpeg
- .jpg
- .gif
- .cpl
- .dll
- .vxd
- .sys
- .com
- .exe
- .bmp
The attachment contains a double file extension (such as Attachment.jpg.exe) using one of the following:
- .scr
- .pif
- .exe
Also the filename can contain one of the following words:
- readme
- Setup
- Card
- Docs
- news
- image
- images
- pics
- resume
- photo
- video
- music
- song
- data
File infections of local and network drives
The worm can also infect the following programs on local and network drives:
- scandskw.exe
- regedit.exe
- mplayer.exe
- hh.exe
- notepad.exe
- winhelp.exe
- Internet Explorer\iexplore.exe
- adobe\acrobat 5.0\reader\acrord32.exe
- WinRAR\WinRAR.exe
- Windows Media Player\mplayer2.exe
- Real\RealPlayer\realplay.exe
- Outlook Express\msimn.exe
- Far\Far.exe
- CuteFTP\cutftp32.exe
- Adobe\Acrobat 4.0\Reader\AcroRd32.exe
- ACDSee32\ACDSee32.exe
- MSN Messenger\msnmsgr.exe
- WS_FTP\WS_FTP95.exe
- QuickTime\QuickTimePlayer.exe
- StreamCast\Morpheus\Morpheus.exe
- Zone Labs\ZoneAlarm\ZoneAlarm.exe
- Trillian\Trillian.exe
- Lavasoft\Ad-aware 6\Ad-aware.exe
- AIM95\aim.exe
- Winamp\winamp.exe
- DAP\DAP.exe
- ICQ\Icq.exe
- kazaa\kazaa.exe
- winzip\winzip32.exe
The worm attempts to copy itself to networked shared drives and does not differentiate between shared drives or printers, so it will inadvertently copy itself as a printer job sending garbled data to network printers.
Keylogger
The worm
drops a keylogger as a randomly named DLL in the \Windows\System
folder. The file is 5,632 bytes in size and is detected as
PWS.Hooker.Trojan (according to Symantec). The worm creates additional
encrypted files in the Windows and \Windows\System folders with
randomly named filenames, with the extensions .dll or .dat. These files
store configuration information and encrypted keystrokes that the
keylogger records.
Auto
Dial
The worm contains over 1000 targeted bank domains, likely as an attempt to steal passwords more efficiently. If the worm determines the default email address of the computer belongs to one of these domains, it enables auto-dialing in the registry by setting the following registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"EnableAutodial"="0000001"
Antivirus and Security Program Termination
The worm attempts to terminate antivirus and security product programs that match the following names:
- ZONEALARM.EXE
- WFINDV32.EXE
- WEBSCANX.EXE
- VSSTAT.EXE
- VSHWIN32.EXE
- VSECOMR.EXE
- VSCAN40.EXE
- VETTRAY.EXE
- VET95.EXE
- TDS2-NT.EXE
- TDS2-98.EXE
- TCA.EXE
- TBSCAN.EXE
- SWEEP95.EXE
- SPHINX.EXE
- SMC.EXE
- SERV95.EXE
- SCRSCAN.EXE
- SCANPM.EXE
- SCAN95.EXE
- SCAN32.EXE
- SAFEWEB.EXE
- RESCUE.EXE
- RAV7WIN.EXE
- RAV7.EXE
- PERSFW.EXE
- PCFWALLICON.EXE
- PCCWIN98.EXE
- PAVW.EXE
- PAVSCHED.EXE
- PAVCL.EXE
- PADMIN.EOUTPOST.EXE
- NVC95.EXE
- NUPGRADE.EXE
- NORMIST.EXE
- NMAIN.EXE
- NISUM.EXE
- NAVWNT.EXE
- NAVW32.EXE
- NAVNT.EXE
- NAVLU32.EXE
- NAVAPW32.EXE
- N32SCANW.EXE
- MPFTRAY.EXE
- MOOLIVE.EXE
- LUALL.EXE
- LOOKOUT.EXE
- LOCKDOWN2000.EXE
- JEDI.EXE
- IOMON98.EXE
- IFACE.EXE
- ICSUPPNT.EXE
- ICSUPP95.EXE
- ICMON.EXE
- ICLOADNT.EXE
- ICLOAD95.EXE
- IBMAVSP.EXE
- IBMASN.EXE
- IAMSERV.EXE
- IAMAPP.EXE
- FRW.EXE
- FPROT.EXE
- FP-WIN.EXE
- FINDVIRU.EXE
- F-STOPW.EXE
- F-PROT95.EXE
- F-PROT.EXE
- F-AGNT95.EXE
- ESPWATCH.EXE
- ESAFE.EXE
- ECENGINE.EXE
- DVP95_0.EXE
- DVP95.EXE
- CLEANER3.EXE
- CLEANER.EXE
- CLAW95CF.EXE
- CLAW95.EXE
- CFINET32.EXE
- CFINET.EXE
- CFIAUDIT.EXE
- CFIADMIN.EXE
- BLACKICE.EXE
- BLACKD.EXE
- AVWUPD32.EXE
- AVWIN95.EXE
- AVSCHED32.EXE
- AVPUPD.EXE
- AVPTC32.EXE
- AVPM.EXE
- AVPDOS32.EXE
- AVPCC.EXE
- AVP32.EXE
- AVP.EXE
- AVNT.EXE
- AVKSERV.EXE
- AVGCTRL.EXE
- AVE32.EXE
- AVCONSOL.EXE
- AUTODOWN.EXE
- APVXDWIN.EXE
- ANTI-TROJAN.EXE
- ACKWIN32.EXE
- _AVPM.EXE
- _AVPCC.EXE
- _AVP32.EXE
Backdoor vulnerability
Lastly, the worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:
- Delete files.
- Terminate processes.
- List processes and deliver the list to the hacker.
- Copy files.
- Start processes.
- List files and deliver the list to the hacker.
- Deliver intercepted keystrokes to the hacker in an encrypted form. This action could release confidential information typed on a computer (passwords, login details, and so on).
- Deliver
the system information to the worm's creator in the following form:
- User: <user name>
- Processor: <type of processor used>
- Windows version: <Windows version, build number>
- Memory information: <Memory available, and so on>
- Local drives, their types (for example, fixed/removable/RAM disk/CD-ROM/remote), as well as their physical characteristics.
- List the network resources and their types, and deliver the list to the worm's creator.
How to Clean/Delete the BugBear.B Worm?
Since Bugbear.B is a blended virus threat, I would not recommend trying any simple manual removal of this virus. Instead, either click on the following link to download an automatic removal tool from Symantec or following the directions below to update and run an antivirus check on your system.
For Automatic Removal of the BugBear.B worm, click on the following link
Symantec BugBear.B Automatic Removal Program
As an alternative to running the automatic removal tool, follow these steps to upgrade your antivirus software and run a thorough virus check of your system.
- Disable System Restore (Windows Me/XP).
- Connect to the Internet and Update the virus definitions.
- Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
- Run a full system scan and delete or repair all the files detected as W32.Bugbear.B@mm.
A good online virus scanner to use is Trend Micro's Housecall
Tools for Removing Spyware, Adware, and Malware
PC HELL
Other Pages
Welchia (Dllhost.exe and SVCHost.exe) Worm Removal
Uninstall Antivir Instructions
How to Manually Run the Microsoft Malicious Software Removal Tool
Bloodhound.Exploit.6 Virus Removal
Backdoor SDBot.H Trojan Removal
