Bugbear.B Worm Virus Information and Removal Help

What is BugBear.B worm and How Did I Get It?
The Bugbear.B worm is a variant of original BugBear worm released in the fall of 2002. This worm is a a mass-mailing worm that also spreads through network shares. It will not only email to addresses found in the infected machine, but it will also terminate anti-virus software, install a keylogger program to potentially grab users passwords and other important info, and install a backdoor program to allow access to the machine from the outside world. The perfect opportunity for a hacker to invade a machine.

Its email messages contain an exploit that allows attachments to automatically execute when the messages are viewed or even previewed in Microsoft Outlook and Outlook Express. The vulnerability exploit affects systems with unpatched Internet Explorer 5.01 and 5.5. Microsoft has released a patch for this exploit, however many systems are still not updated. You can read more information about this exploit and patch by visiting the Microsoft security bulletin Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.

The worm sends an email with the following characteristics:

Subject can be any of the following:

  • Hello!
  • update
  • hmm..
  • Payment notices
  • Just a reminder
  • Correction of errors
  • history screen
  • Announcement
  • various
  • Introduction
  • Interesting...
  • I need help about script!!!
  • Stats
  • Please Help...
  • Report
  • Membership Confirmation
  • Get a FREE gift!
  • Today Only
  • New Contests
  • Lost & Found
  • bad news
  • wow!
  • fantastic
  • click on this!
  • Market Update Report
  • empty account
  • My eBay ads
  • Cows
  • 25 merchants and rising
  • CALL FOR INFORMATION!
  • new reading
  • Sponsors needed
  • SCAM alert!!!
  • Warning!
  • its easy
  • free shipping!
  • News
  • Daily Email Reminder
  • Tools For Your Online Business
  • New bonus in your cash account
  • Your Gift
  • Re:
  • $150 FREE Bonus!
  • Your News Alert
  • Hi!
  • Get 8 FREE issues - no risk!
  • Greets!

Attachment:  the worm uses filenames in the My Documents folder location, which have one of the following extensions:

  • .reg
  • .ini
  • .bat
  • .diz
  • .txt
  • .cpp
  • .html
  • .htm
  • .jpeg
  • .jpg
  • .gif
  • .cpl
  • .dll
  • .vxd
  • .sys
  • .com
  • .exe
  • .bmp

The attachment contains a double file extension (such as Attachment.jpg.exe) using one of the following:

  • .scr
  • .pif
  • .exe

Also the filename can contain one of the following words:

  • readme
  • Setup
  • Card
  • Docs
  • news
  • image
  • images
  • pics
  • resume
  • photo
  • video
  • music
  • song
  • data

File infections of local and network drives

The worm can also infect the following programs on local and network drives:

  • scandskw.exe
  • regedit.exe
  • mplayer.exe
  • hh.exe
  • notepad.exe
  • winhelp.exe
  • Internet Explorer\iexplore.exe
  • adobe\acrobat 5.0\reader\acrord32.exe
  • WinRAR\WinRAR.exe
  • Windows Media Player\mplayer2.exe
  • Real\RealPlayer\realplay.exe
  • Outlook Express\msimn.exe
  • Far\Far.exe
  • CuteFTP\cutftp32.exe
  • Adobe\Acrobat 4.0\Reader\AcroRd32.exe
  • ACDSee32\ACDSee32.exe
  • MSN Messenger\msnmsgr.exe
  • WS_FTP\WS_FTP95.exe
  • QuickTime\QuickTimePlayer.exe
  • StreamCast\Morpheus\Morpheus.exe
  • Zone Labs\ZoneAlarm\ZoneAlarm.exe
  • Trillian\Trillian.exe
  • Lavasoft\Ad-aware 6\Ad-aware.exe
  • AIM95\aim.exe
  • Winamp\winamp.exe
  • DAP\DAP.exe
  • ICQ\Icq.exe
  • kazaa\kazaa.exe
  • winzip\winzip32.exe

The worm attempts to copy itself to networked shared drives and does not differentiate between shared drives or printers, so it will inadvertently copy itself as a printer job sending garbled data to network printers.

Keylogger

The worm drops a keylogger as a randomly named DLL in the \Windows\System folder. The file is 5,632 bytes in size and is detected as PWS.Hooker.Trojan (according to Symantec). The worm creates additional encrypted files in the Windows and \Windows\System folders with randomly named filenames, with the extensions .dll or .dat. These files store configuration information and encrypted keystrokes that the keylogger records.

Auto Dial

The worm contains over 1000 targeted bank domains, likely as an attempt to steal passwords more efficiently. If the worm determines the default email address of the computer belongs to one of these domains, it enables auto-dialing in the registry by setting the following registry key.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

"EnableAutodial"="0000001"

Antivirus and Security Program Termination

The worm attempts to terminate antivirus and security product programs that match the following names:

  • ZONEALARM.EXE
  • WFINDV32.EXE
  • WEBSCANX.EXE
  • VSSTAT.EXE
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • VSCAN40.EXE
  • VETTRAY.EXE
  • VET95.EXE
  • TDS2-NT.EXE
  • TDS2-98.EXE
  • TCA.EXE
  • TBSCAN.EXE
  • SWEEP95.EXE
  • SPHINX.EXE
  • SMC.EXE
  • SERV95.EXE
  • SCRSCAN.EXE
  • SCANPM.EXE
  • SCAN95.EXE
  • SCAN32.EXE
  • SAFEWEB.EXE
  • RESCUE.EXE
  • RAV7WIN.EXE
  • RAV7.EXE
  • PERSFW.EXE
  • PCFWALLICON.EXE
  • PCCWIN98.EXE
  • PAVW.EXE
  • PAVSCHED.EXE
  • PAVCL.EXE
  • PADMIN.EOUTPOST.EXE
  • NVC95.EXE
  • NUPGRADE.EXE
  • NORMIST.EXE
  • NMAIN.EXE
  • NISUM.EXE
  • NAVWNT.EXE
  • NAVW32.EXE
  • NAVNT.EXE
  • NAVLU32.EXE
  • NAVAPW32.EXE
  • N32SCANW.EXE
  • MPFTRAY.EXE
  • MOOLIVE.EXE
  • LUALL.EXE
  • LOOKOUT.EXE
  • LOCKDOWN2000.EXE
  • JEDI.EXE
  • IOMON98.EXE
  • IFACE.EXE
  • ICSUPPNT.EXE
  • ICSUPP95.EXE
  • ICMON.EXE
  • ICLOADNT.EXE
  • ICLOAD95.EXE
  • IBMAVSP.EXE
  • IBMASN.EXE
  • IAMSERV.EXE
  • IAMAPP.EXE
  • FRW.EXE
  • FPROT.EXE
  • FP-WIN.EXE
  • FINDVIRU.EXE
  • F-STOPW.EXE
  • F-PROT95.EXE
  • F-PROT.EXE
  • F-AGNT95.EXE
  • ESPWATCH.EXE
  • ESAFE.EXE
  • ECENGINE.EXE
  • DVP95_0.EXE
  • DVP95.EXE
  • CLEANER3.EXE
  • CLEANER.EXE
  • CLAW95CF.EXE
  • CLAW95.EXE
  • CFINET32.EXE
  • CFINET.EXE
  • CFIAUDIT.EXE
  • CFIADMIN.EXE
  • BLACKICE.EXE
  • BLACKD.EXE
  • AVWUPD32.EXE
  • AVWIN95.EXE
  • AVSCHED32.EXE
  • AVPUPD.EXE
  • AVPTC32.EXE
  • AVPM.EXE
  • AVPDOS32.EXE
  • AVPCC.EXE
  • AVP32.EXE
  • AVP.EXE
  • AVNT.EXE
  • AVKSERV.EXE
  • AVGCTRL.EXE
  • AVE32.EXE
  • AVCONSOL.EXE
  • AUTODOWN.EXE
  • APVXDWIN.EXE
  • ANTI-TROJAN.EXE
  • ACKWIN32.EXE
  • _AVPM.EXE
  • _AVPCC.EXE
  • _AVP32.EXE

Backdoor vulnerability

Lastly, the worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:

  • Delete files.
  • Terminate processes.
  • List processes and deliver the list to the hacker.
  • Copy files.
  • Start processes.
  • List files and deliver the list to the hacker.
  • Deliver intercepted keystrokes to the hacker in an encrypted form. This action could release confidential information typed on a computer (passwords, login details, and so on).
  • Deliver the system information to the worm's creator in the following form:
    • User: <user name>
    • Processor: <type of processor used>
    • Windows version: <Windows version, build number>
    • Memory information: <Memory available, and so on>
    • Local drives, their types (for example, fixed/removable/RAM disk/CD-ROM/remote), as well as their physical characteristics.
  • List the network resources and their types, and deliver the list to the worm's creator.

How to Clean/Delete the BugBear.B Worm?

Since Bugbear.B is a blended virus threat, I would not recommend trying any simple manual removal of this virus. Instead, either click on the following link to download an automatic removal tool from Symantec or following the directions below to update and run an antivirus check on your system.

For Automatic Removal of the BugBear.B worm, click on the following link

Symantec BugBear.B Automatic Removal Program

As an alternative to running the automatic removal tool, follow these steps to upgrade your antivirus software and run a thorough virus check of your system.

A good online virus scanner to use is Trend Micro's Housecall

space.gif (58 bytes)

 

Search PCHell.com



 




Tools for Removing Spyware, Adware, and Malware


PC HELL
Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page

 






iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad



Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.



Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)

Search PCHELL.COM

Return to PC Hell
Return to PC Hell

Google