What is the BugBear.B Worm and How Did I Get It?
The Bugbear.B worm is a variant of the original BugBear worm released in the fall of 2002. It is a mass-mailing worm that also spreads through network shares. Besides emailing itself to addresses found on the infected machine, it terminates anti-virus software, installs a keylogger to capture users' passwords and other sensitive information, and installs a backdoor that allows access to the machine from the outside world. It is the perfect opportunity for an attacker to take over a machine.
Its email messages use an exploit that makes attachments execute automatically when the message is viewed or even previewed in Microsoft Outlook and Outlook Express. The exploit affects systems with unpatched Internet Explorer 5.01 and 5.5. Microsoft has released a patch for this vulnerability, however many systems are still not updated. You can read more about the exploit and the patch in the Microsoft security bulletin MS01-020, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.
The worm sends an email with the following characteristics:
The subject can be any of the following:
- Hello!
- update
- hmm..
- Payment notices
- Just a reminder
- Correction of errors
- history screen
- Announcement
- various
- Introduction
- Interesting...
- I need help about script!!!
- Stats
- Please Help...
- Report
- Membership Confirmation
- Get a FREE gift!
- Today Only
- New Contests
- Lost & Found
- bad news
- wow!
- fantastic
- click on this!
- Market Update Report
- empty account
- My eBay ads
- Cows
- 25 merchants and rising
- CALL FOR INFORMATION!
- new reading
- Sponsors needed
- SCAM alert!!!
- Warning!
- its easy
- free shipping!
- News
- Daily Email Reminder
- Tools For Your Online Business
- New bonus in your cash account
- Your Gift
- Re:
- $150 FREE Bonus!
- Your News Alert
- Hi!
- Get 8 FREE issues - no risk!
- Greets!
Attachment: the worm takes filenames from the My Documents folder that have one of the following extensions:
- .reg
- .ini
- .bat
- .diz
- .txt
- .cpp
- .html
- .htm
- .jpeg
- .jpg
- .gif
- .cpl
- .dll
- .vxd
- .sys
- .com
- .exe
- .bmp
The attachment name is given a double file extension (such as Attachment.jpg.exe), so that a name that looks like a harmless document or picture actually ends in an executable extension.
The filename can also contain one of the following words:
- readme
- Setup
- Card
- Docs
- news
- image
- images
- pics
- resume
- photo
- video
- music
- song
- data
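As an added example, not part of the original article, the following Python script checks a raw e-mail message for the three characteristics described above: a subject from the worm's list, an attachment whose declared MIME type (for example audio/x-wav) does not match its executable file name, which is the MS01-020 header trick that let Outlook run the attachment on preview, and a double extension that ends in an executable type. The two sample messages are constructed here and are not captured worm traffic; the subject subset, the extension and media-type sets, and the `scan_message` name are this example's own choices.

```python
import email
import email.policy
import re

# Subset of the subjects listed above, lower-cased for comparison.
BUGBEAR_SUBJECTS = {
    "hello!", "update", "hmm..", "payment notices", "just a reminder",
    "correction of errors", "history screen", "announcement", "various",
    "introduction", "interesting...", "stats", "report", "bad news", "wow!",
    "fantastic", "click on this!", "cows", "news", "greets!", "hi!", "re:",
}

# Extensions Windows treats as executable when the attachment is opened (example's own set).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cpl", "vbs", "js", "dll"}

# Heuristic: media types an unpatched IE 5.01/5.5 opened without prompting (MS01-020).
# The exact mapping lived inside IE's MIME handling; this set is an assumption for the example.
AUTO_OPEN_MEDIA_TYPES = {"audio", "image", "video", "text"}

# name.ext1.ext2 at the end of a filename
DOUBLE_EXT_RE = re.compile(r"\.([a-z0-9]{2,4})\.([a-z0-9]{2,4})$", re.IGNORECASE)


def scan_message(raw: str) -> list[str]:
    """Return a list of findings for one RFC 822 message (empty if nothing matched)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in BUGBEAR_SUBJECTS:
        findings.append(f"subject matches worm list: {subject!r}")

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition filename or Content-Type name
        if not filename:
            continue
        ctype = part.get_content_type()  # e.g. 'audio/x-wav'
        main_type = ctype.split("/", 1)[0]
        ext = filename.rsplit(".", 1)[-1].lower()

        # MS01-020 pattern: a "safe" media type carrying an executable file name.
        if main_type in AUTO_OPEN_MEDIA_TYPES and ext in EXECUTABLE_EXTS:
            findings.append(f"MIME type {ctype} does not match executable attachment {filename!r}")

        # Bugbear-style double extension: document-looking name, executable final extension.
        m = DOUBLE_EXT_RE.search(filename)
        if m and m.group(2).lower() in EXECUTABLE_EXTS:
            findings.append(f"double extension on attachment {filename!r}")

    return findings


# Constructed sample resembling a worm message (not a real capture).
SAMPLE_MESSAGE = """\
From: someone@example.com
To: victim@example.com
Subject: Just a reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bb"

--bb
Content-Type: text/html; charset="us-ascii"

<html><body>see attachment</body></html>
--bb
Content-Type: audio/x-wav; name="resume.txt.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="resume.txt.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bb--
"""

# Constructed benign message for comparison.
CLEAN_MESSAGE = """\
From: friend@example.com
To: victim@example.com
Subject: Vacation photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="cc"

--cc
Content-Type: text/plain

Here is the picture.
--cc
Content-Type: image/jpeg; name="photo.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg"

/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoH
--cc--
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, scan_message(raw))
```

The subject list alone is a weak indicator, since the worm reuses ordinary-looking subjects such as "Re:" and "News"; the media-type mismatch and double-extension checks are the ones worth acting on at a mail gateway, because they do not depend on which worm variant is circulating.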
File infections of local and network drives
The worm can also infect the following programs on local and network drives:
- scandskw.exe
- regedit.exe
- mplayer.exe
- hh.exe
- notepad.exe
- winhelp.exe
- Internet Explorer\iexplore.exe
- adobe\acrobat 5.0\reader\acrord32.exe
- WinRAR\WinRAR.exe
- Windows Media Player\mplayer2.exe
- Real\RealPlayer\realplay.exe
- Outlook Express\msimn.exe
- Far\Far.exe
- CuteFTP\cutftp32.exe
- Adobe\Acrobat 4.0\Reader\AcroRd32.exe
- ACDSee32\ACDSee32.exe
- MSN Messenger\msnmsgr.exe
- WS_FTP\WS_FTP95.exe
- QuickTime\QuickTimePlayer.exe
- StreamCast\Morpheus\Morpheus.exe
- Zone Labs\ZoneAlarm\ZoneAlarm.exe
- Trillian\Trillian.exe
- Lavasoft\Ad-aware 6\Ad-aware.exe
- AIM95\aim.exe
- Winamp\winamp.exe
- DAP\DAP.exe
- ICQ\Icq.exe
- kazaa\kazaa.exe
- winzip\winzip32.exe
The worm
attempts to copy itself to networked shared drives and does not
differentiate between shared drives or printers, so it will
inadvertently copy itself as a printer job sending garbled data to
network printers.
Keylogger
The worm
drops a keylogger as a randomly named DLL in the \Windows\System
folder. The file is 5,632 bytes in size and is detected as
PWS.Hooker.Trojan (according to Symantec). The worm creates additional
encrypted files in the Windows and \Windows\System folders with
randomly named filenames, with the extensions .dll or .dat. These files
store configuration information and encrypted keystrokes that the
keylogger records.
Auto Dial
The worm contains a list of over 1000 targeted bank domains, likely to make password theft more efficient. If the worm determines that the computer's default email address belongs to one of these domains, it enables auto-dialing by setting the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"EnableAutodial" = dword:00000001
Antivirus and Security Program Termination
The worm attempts to terminate antivirus and security products whose process names match the following:
- ZONEALARM.EXE
- WFINDV32.EXE
- WEBSCANX.EXE
- VSSTAT.EXE
- VSHWIN32.EXE
- VSECOMR.EXE
- VSCAN40.EXE
- VETTRAY.EXE
- VET95.EXE
- TDS2-NT.EXE
- TDS2-98.EXE
- TCA.EXE
- TBSCAN.EXE
- SWEEP95.EXE
- SPHINX.EXE
- SMC.EXE
- SERV95.EXE
- SCRSCAN.EXE
- SCANPM.EXE
- SCAN95.EXE
- SCAN32.EXE
- SAFEWEB.EXE
- RESCUE.EXE
- RAV7WIN.EXE
- RAV7.EXE
- PERSFW.EXE
- PCFWALLICON.EXE
- PCCWIN98.EXE
- PAVW.EXE
- PAVSCHED.EXE
- PAVCL.EXE
- PADMIN.EXE
- OUTPOST.EXE
- NVC95.EXE
- NUPGRADE.EXE
- NORMIST.EXE
- NMAIN.EXE
- NISUM.EXE
- NAVWNT.EXE
- NAVW32.EXE
- NAVNT.EXE
- NAVLU32.EXE
- NAVAPW32.EXE
- N32SCANW.EXE
- MPFTRAY.EXE
- MOOLIVE.EXE
- LUALL.EXE
- LOOKOUT.EXE
- LOCKDOWN2000.EXE
- JEDI.EXE
- IOMON98.EXE
- IFACE.EXE
- ICSUPPNT.EXE
- ICSUPP95.EXE
- ICMON.EXE
- ICLOADNT.EXE
- ICLOAD95.EXE
- IBMAVSP.EXE
- IBMASN.EXE
- IAMSERV.EXE
- IAMAPP.EXE
- FRW.EXE
- FPROT.EXE
- FP-WIN.EXE
- FINDVIRU.EXE
- F-STOPW.EXE
- F-PROT95.EXE
- F-PROT.EXE
- F-AGNT95.EXE
- ESPWATCH.EXE
- ESAFE.EXE
- ECENGINE.EXE
- DVP95_0.EXE
- DVP95.EXE
- CLEANER3.EXE
- CLEANER.EXE
- CLAW95CF.EXE
- CLAW95.EXE
- CFINET32.EXE
- CFINET.EXE
- CFIAUDIT.EXE
- CFIADMIN.EXE
- BLACKICE.EXE
- BLACKD.EXE
- AVWUPD32.EXE
- AVWIN95.EXE
- AVSCHED32.EXE
- AVPUPD.EXE
- AVPTC32.EXE
- AVPM.EXE
- AVPDOS32.EXE
- AVPCC.EXE
- AVP32.EXE
- AVP.EXE
- AVNT.EXE
- AVKSERV.EXE
- AVGCTRL.EXE
- AVE32.EXE
- AVCONSOL.EXE
- AUTODOWN.EXE
- APVXDWIN.EXE
- ANTI-TROJAN.EXE
- ACKWIN32.EXE
- _AVPM.EXE
- _AVPCC.EXE
- _AVP32.EXE
Backdoor
Lastly, the worm also opens a listening port on TCP port 1080. An attacker who connects to this port can perform the following actions:
- Delete files.
- Terminate processes.
- List processes and deliver the list to the attacker.
- Copy files.
- Start processes.
- List files and deliver the list to the attacker.
- Deliver intercepted keystrokes to the attacker in encrypted form. This can expose confidential information typed on the computer (passwords, login details, and so on).
- Deliver system information to the worm's creator in the following form:
  - User: <user name>
  - Processor: <type of processor used>
  - Windows version: <Windows version, build number>
  - Memory information: <memory available, and so on>
  - Local drives, their types (for example, fixed/removable/RAM disk/CD-ROM/remote), as well as their physical characteristics.
- List the network resources and their types, and deliver the list to the worm's creator.
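The keylogger, auto dial and backdoor sections above each give a host-side indicator. The following Python triage, added here and not taken from the original article or from any vendor tool, checks those three indicators against artifacts collected from a suspect machine: `netstat -an` output for a listener on TCP 1080, a regedit export for EnableAutodial set to a non-zero value, and the System folder for .dll files of exactly 5,632 bytes. The netstat and registry samples, the decoy file names and the function names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

BACKDOOR_PORT = 1080          # listening port opened by the backdoor
KEYLOGGER_DLL_SIZE = 5632     # size of the dropped keylogger DLL, per the writeup

# Constructed sample of `netstat -an` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1039       198.51.100.7:25        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample of a `regedit /e` export of the Internet Settings key.
REG_SAMPLE = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"EnableAutodial"=dword:00000001
"ProxyEnable"=dword:00000000
"""


def listening_on_port(netstat_text: str, port: int = BACKDOOR_PORT) -> bool:
    """True if any TCP socket in the netstat output is LISTENING on the given local port."""
    pattern = re.compile(r"^\s*TCP\s+\S+:%d\s+\S+\s+LISTENING" % port, re.MULTILINE)
    return pattern.search(netstat_text) is not None


def autodial_enabled(reg_text: str) -> bool:
    """True if the export sets EnableAutodial to a non-zero DWORD under Internet Settings."""
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            # Track which key the following values belong to.
            in_key = line.strip("[]").lower().endswith(r"\internet settings")
        elif in_key:
            m = re.match(r'"EnableAutodial"=dword:([0-9a-fA-F]{8})', line)
            if m:
                return int(m.group(1), 16) != 0
    return False


def suspicious_dlls(system_dir: Path, size: int = KEYLOGGER_DLL_SIZE) -> list[str]:
    """Names of .dll files in system_dir whose size equals the keylogger's 5,632 bytes."""
    return sorted(p.name for p in system_dir.glob("*.dll") if p.stat().st_size == size)


def triage(netstat_text: str, reg_text: str, system_dir: Path) -> dict:
    """Run all three indicator checks and return the results by name."""
    return {
        "backdoor_port_listening": listening_on_port(netstat_text),
        "autodial_enabled": autodial_enabled(reg_text),
        "keylogger_size_dlls": suspicious_dlls(system_dir),
    }


def demo() -> dict:
    """Build a throwaway 'System' folder with a decoy 5,632-byte DLL and run the triage."""
    with tempfile.TemporaryDirectory() as tmp:
        system_dir = Path(tmp)
        # Constructed decoys: the real dropper uses a random name, so only size is matched.
        (system_dir / "kbdhk.dll").write_bytes(b"\0" * KEYLOGGER_DLL_SIZE)
        (system_dir / "kernel32.dll").write_bytes(b"\0" * 4096)
        (system_dir / "notes.dat").write_bytes(b"\0" * KEYLOGGER_DLL_SIZE)  # wrong extension
        return triage(NETSTAT_SAMPLE, REG_SAMPLE, system_dir)


if __name__ == "__main__":
    print(demo())
```

Treat each hit as a reason to look closer rather than as proof of infection: TCP 1080 is also the conventional SOCKS proxy port, so a legitimate proxy would trigger the same check, and a size-only match will flag any benign 5,632-byte DLL, so hash a flagged file and compare it against your antivirus vendor's description before deleting it. The writeup names \Windows\System, which is the Windows 9x location; on NT-family systems the equivalent folder is \Windows\System32.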
How to Clean/Delete the BugBear.B Worm?
Since Bugbear.B is a blended threat, I would not recommend attempting a simple manual removal of this worm. Instead, either click on the following link to download an automatic removal tool from Symantec or follow the directions below to update your antivirus software and run a full scan of your system. Because the worm's keylogger may already have captured passwords, change them from a clean machine once the worm is removed, and apply the Internet Explorer patch described above so the machine cannot be reinfected through the same exploit.
For automatic removal of the BugBear.B worm, click on the following link:
Symantec BugBear.B Automatic Removal Program
As an alternative to running the automatic removal tool, update your antivirus software's definitions and run a thorough virus check of your system.
A good online virus scanner to use is Trend Micro's Housecall.
PC HELL