FYI, below is some information about a new form of the Bugbear virus that was discovered today. This virus has spread to 115 countries in just a few hours. We have measures in place that should not let this virus affect us. However, there is always the chance of getting it at home and spreading it to others. Please read and use caution.

W32.Bugbear.B@mm

Discovered on: June 05, 2003
Last Updated on: June 05, 2003 06:30:27 AM

W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. It is a mass-mailing worm that also spreads through network shares. The worm is polymorphic and also infects a select list of executable files. It has keystroke-logging and backdoor capabilities and attempts to terminate the processes of various antivirus and firewall programs.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to make unpatched systems auto-execute the worm simply when an infected message is read or previewed.

Because the worm does not properly handle network resource types, it may flood shared printer resources, causing them to print garbage or disrupting their normal functionality.

Due to the number of submissions received from customers, Symantec Security Response is upgrading this threat from a Category 2 to a Category 3 threat.

Also Known As: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee]
Type: Virus, Worm
Infection Length: 72,192
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Beta Virus Definitions: June 05, 2003
Virus Definitions (Intelligent Updater) *: June 05, 2003
Virus Definitions (LiveUpdate(tm)) **: June 05, 2003

* Intelligent Updater virus definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild:
Number of infections: 50 - 999
Number of sites: 0 - 2
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy

Threat Metrics
Wild: Medium
Damage: Low
Distribution: High

When W32.Bugbear.B@mm runs, it copies itself to the \Startup folder as ???.exe, where ? represents letters chosen by the worm. For example:

It may copy itself as C:\Windows\Start Menu\Programs\Startup\Cuu.exe when it runs on a Windows 95/98/Me-based system.
It may copy itself as C:\Documents and Settings\<current user name>\Start Menu\Programs\Startup\Cti.exe when it runs on a Windows NT/2000/XP-based system.

Mass Mailing Routine

The worm mass-mails itself to email addresses found on the system. It searches for email addresses in the current inbox and in files that have these extensions:

.mmf .nch .mbx .eml .tbb .dbx .ocs

It retrieves the current user's email address and SMTP server from the registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts

It then uses its own SMTP engine to send itself to all email addresses that it finds, spoofing the From: address. The worm can reply to or forward an existing message, or create a new message with one of the following subject lines:

Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re: $150 FREE Bonus!
Your News Alert
Hi!
Get 8 FREE issues - no risk!
Greets!

For the attachment filename, the worm uses filenames found in the My Documents folder that have one of the following extensions:

.reg .ini .bat .diz .txt .cpp .html .htm .jpeg .jpg .gif .cpl .dll .vxd .sys .com .exe .bmp

The filename is then concatenated with one of the following extensions:

.scr .pif .exe

In addition, the filename can consist of one of the following words:

readme Setup Card Docs news image images pics resume photo video music song data

The content type of the message is matched to the file type and can be one of the following:

text/html text/plain application/octet-stream image/jpeg image/gif

Finally, the email message can be composed with or without the use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability, so that it executes automatically on a vulnerable system.

Local And Network File Infection

The worm also infects files found on local and network shares that match the following filenames. The worm simply appends itself to the file and is polymorphic.

scandskw.exe
regedit.exe
mplayer.exe
hh.exe
notepad.exe
winhelp.exe
Internet Explorer\iexplore.exe
adobe\acrobat 5.0\reader\acrord32.exe
WinRAR\WinRAR.exe
Windows Media Player\mplayer2.exe
Real\RealPlayer\realplay.exe
Outlook Express\msimn.exe
Far\Far.exe
CuteFTP\cutftp32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
ACDSee32\ACDSee32.exe
MSN Messenger\msnmsgr.exe
WS_FTP\WS_FTP95.exe
QuickTime\QuickTimePlayer.exe
StreamCast\Morpheus\Morpheus.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
Trillian\Trillian.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
AIM95\aim.exe
Winamp\winamp.exe
DAP\DAP.exe
ICQ\Icq.exe
kazaa\kazaa.exe
winzip\winzip32.exe

Network Share Infection

The worm enumerates all network shares and computers and attempts to copy itself to those shares. In addition, the worm attempts to copy itself to the Windows Startup folder located on remote systems. The worm does not differentiate between computers and printers; thus, it will inadvertently attempt to queue itself as a print job on network shared printers.

Keylogger

The worm drops a keylogger as a randomly named DLL in the Windows System folder. The file is 5,632 bytes in size and is detected as PWS.Hooker.Trojan. The worm creates additional encrypted files in the Windows and Windows System folders with randomly named filenames and the extension .DLL or .DAT. These files store configuration information and the encrypted keystrokes recorded by the keylogger. These data files are not malicious and may be deleted.

Process Termination

The worm attempts to terminate security product processes that match the following names:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

Backdoor Routine

The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:

Delete files.
Terminate processes.
List processes and deliver the list to the hacker.
Copy files.
Start processes.
List files and deliver the list to the hacker.
Deliver intercepted keystrokes to the hacker (in an encrypted form). This may release confidential information that is typed on the computer (passwords, login details, and so on).
Deliver the system information to the hacker in the following form:
  User: <user name>
  Processor: <type of processor used>
  Windows version: <Windows version, build number>
  Memory information: <memory available, etc.>
  Local drives, their types (e.g., fixed/removable/RAM disk/CD-ROM/remote), and their physical characteristics
List network resources and their types, and deliver the list to the hacker.
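A mail-gateway check, added here as an example and not part of the Symantec write-up or the forwarded email: it scores an incoming message on the traits the Mass Mailing Routine section documents (a known subject line, a My Documents-style filename concatenated with .scr/.pif/.exe, an executable attachment declared under a text or image content type as the MIME header vulnerability requires, and the 72,192-byte infection length). The subject set is a subset of the full list above, and the message it inspects is constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits documented in the advisory. The subject set is a subset of the full list.
BUGBEAR_SUBJECTS = {"hello!", "update", "payment notices", "just a reminder", "report",
                    "membership confirmation", "get a free gift!", "my ebay ads",
                    "re: $150 free bonus!", "your news alert", "greets!"}
EXEC_EXTS = (".scr", ".pif", ".exe")            # extensions the worm appends
DOC_EXTS = (".reg", ".ini", ".bat", ".diz", ".txt", ".cpp", ".html", ".htm", ".jpeg",
            ".jpg", ".gif", ".cpl", ".dll", ".vxd", ".sys", ".com", ".exe", ".bmp")
NON_EXEC_TYPES = ("text/html", "text/plain", "image/jpeg", "image/gif")
WORM_SIZE = 72192                               # Infection Length from the advisory


def bugbear_indicators(raw: bytes) -> list[str]:
    """Return the Bugbear.B traits found in a raw RFC 822 message, in detection order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in BUGBEAR_SUBJECTS:
        hits.append("known-subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXEC_EXTS):
            continue                            # only executable attachments matter here
        hits.append("executable-attachment")
        # A document name carrying a second, executable extension, e.g. resume.txt.scr.
        if name.rsplit(".", 1)[0].endswith(DOC_EXTS):
            hits.append("double-extension")
        # Executable content declared as text or image: the MIME header mismatch the
        # advisory says makes unpatched systems run the attachment on read or preview.
        if part.get_content_type() in NON_EXEC_TYPES:
            hits.append("mime-type-mismatch")
        if len(part.get_payload(decode=True) or b"") == WORM_SIZE:
            hits.append("size-72192")
    return hits


def constructed_sample(subject: str, filename: str, ctype: str, size: int = WORM_SIZE) -> bytes:
    """Build a constructed test message (not a real capture) carrying one attachment."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"   # the worm spoofs From:
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("see attached")
    maintype, subtype = ctype.split("/")
    m.add_attachment(b"MZ" + b"\x00" * (size - 2), maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()
```

Any single hit is only a hint; several together (subject plus double extension plus a text/image content type on an executable) are what a gateway rule would act on.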