new virus

Discussion in 'Networking and Security' started by Free Thinker, Jun 6, 2003.

  1. FYI,
    Below is some information about a new form of the Bugbear virus that was discovered today.
    This virus has spread to 115 Countries in just a few hours.
    We have measures in place that should not let this virus affect us. However there is always the chance of getting it at home and spreading it to others. Please read and use caution.

    W32.Bugbear.B@mm
    Discovered on: June 05, 2003
    Last Updated on: June 05, 2003 06:30:27 AM

    W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. W32.Bugbear.B@mm is a mass-mailing worm that also spreads through network shares. The worm is polymorphic and also infects a select list of executable files. The worm has keystroke-logging and backdoor capabilities and also attempts to terminate the processes of various antivirus and firewall programs.

    The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm simply when reading or previewing an infected message.

    Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

    Due to the number of submissions received from customers, Symantec Security Response is upgrading this threat to a Category 3 from a Category 2 threat.

    Also Known As: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee]
    Type: Virus, Worm
    Infection Length: 72,192
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

    Beta Virus Definitions: June 05, 2003
    Virus Definitions (Intelligent Updater) *: June 05, 2003
    Virus Definitions (LiveUpdate(tm)) **: June 05, 2003

    * Intelligent Updater virus definitions are released daily, but require manual download and installation.
    ** LiveUpdate virus definitions are usually released every Wednesday.

    Wild:
    Number of infections: 50 - 999
    Number of sites: 0 - 2
    Geographical distribution: Medium
    Threat containment: Easy
    Removal: Easy

    Threat Metrics
    Wild: Medium
    Damage: Low
    Distribution: High

    When W32.Bugbear@mm runs, it copies itself to the \Startup folder as ???.exe, where ? represents letters that are chosen by the worm. For example:

    It may copy itself as C:\Windows\Start Menu\Programs\Startup\Cuu.exe when it runs on a Windows 95/98/Me-based system
    It may copy itself as C:\Documents and Settings\<current user name>\Start Menu\Programs\Startup\Cti.exe when it runs on a Windows NT/2000/XP-based system.

    Mass Mailing Routine
    The worm mass-mails itself to email addresses found on the system. It searches for email addresses in the current inbox and in files that have these extensions:
    .mmf
    .nch
    .mbx
    .eml
    .tbb
    .dbx
    .ocs

    It retrieves the current user's email address and SMTP server from the registry key

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts

    It then uses its own SMTP engine to send itself to all email addresses that it finds, spoofing the From: address.

    The worm can reply or forward an existing message or create a new message with one of the following subject lines:
    Hello!
    update
    hmm..
    Payment notices
    Just a reminder
    Correction of errors
    history screen
    Announcement
    various
    Introduction
    Interesting...
    I need help about script!!!
    Stats
    Please Help...
    Report
    Membership Confirmation
    Get a FREE gift!
    Today Only
    New Contests
    Lost & Found
    bad news
    wow!
    fantastic
    click on this!
    Market Update Report
    empty account
    My eBay ads
    Cows
    25 merchants and rising
    CALL FOR INFORMATION!
    new reading
    Sponsors needed
    SCAM alert!!!
    Warning!
    its easy
    free shipping!
    News
    Daily Email Reminder
    Tools For Your Online Business
    New bonus in your cash account
    Your Gift
    Re:
    $150 FREE Bonus!
    Your News Alert
    Hi!
    Get 8 FREE issues - no risk!
    Greets!

    For the attachment filename, the worm uses filenames in the My Documents folder location which have one of the following extensions:
    .reg
    .ini
    .bat
    .diz
    .txt
    .cpp
    .html
    .htm
    .jpeg
    .jpg
    .gif
    .cpl
    .dll
    .vxd
    .sys
    .com
    .exe
    .bmp

    The filename is then concatenated with one of the following extensions:
    .scr
    .pif
    .exe

    In addition, the filename can consist of one of the following words:
    readme
    Setup
    Card
    Docs
    news
    image
    images
    pics
    resume
    photo
    video
    music
    song
    data

    The content type of the message is matched to the filetype and can be one of the following:
    text/html
    text/plain
    application/octet-stream
    image/jpeg
    image/gif

    Finally, the email message can be composed with or without the use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to automatically execute on a vulnerable system.

    Local And Network File Infection
    The worm will also infect files found on local and network shares that match the following filenames. The worm simply appends itself and is polymorphic.
    scandskw.exe
    regedit.exe
    mplayer.exe
    hh.exe
    notepad.exe
    winhelp.exe
    Internet Explorer\iexplore.exe
    adobe\acrobat 5.0\reader\acrord32.exe
    WinRAR\WinRAR.exe
    Windows Media Player\mplayer2.exe
    Real\RealPlayer\realplay.exe
    Outlook Express\msimn.exe
    Far\Far.exe
    CuteFTP\cutftp32.exe
    Adobe\Acrobat 4.0\Reader\AcroRd32.exe
    ACDSee32\ACDSee32.exe
    MSN Messenger\msnmsgr.exe
    WS_FTP\WS_FTP95.exe
    QuickTime\QuickTimePlayer.exe
    StreamCast\Morpheus\Morpheus.exe
    Zone Labs\ZoneAlarm\ZoneAlarm.exe
    Trillian\Trillian.exe
    Lavasoft\Ad-aware 6\Ad-aware.exe
    AIM95\aim.exe
    Winamp\winamp.exe
    DAP\DAP.exe
    ICQ\Icq.exe
    kazaa\kazaa.exe
    winzip\winzip32.exe

    Network Share Infection
    The worm enumerates all network shares and computers and attempts to copy itself to those shares. In addition, the worm attempts to copy itself to the Windows Startup folder located on remote systems.

    The worm does not differentiate between computers and printers. Thus, the worm will inadvertently attempt to queue itself as a print job on network shared printers.

    Keylogger
    The worm drops a keylogger as a randomly named DLL in the Windows System folder. The file is 5,632 bytes in size and is detected as PWS.Hooker.Trojan. The worm creates additional encrypted files in the Windows and Windows System folder with randomly named filenames with the extensions .DLL or .DAT. These files store configuration information and encrypted keystrokes recorded by the keylogger.

    These data files are not malicious and may be deleted.

    Process Termination
    The worm attempts to terminate security product processes that match the following names:
    ZONEALARM.EXE
    WFINDV32.EXE
    WEBSCANX.EXE
    VSSTAT.EXE
    VSHWIN32.EXE
    VSECOMR.EXE
    VSCAN40.EXE
    VETTRAY.EXE
    VET95.EXE
    TDS2-NT.EXE
    TDS2-98.EXE
    TCA.EXE
    TBSCAN.EXE
    SWEEP95.EXE
    SPHINX.EXE
    SMC.EXE
    SERV95.EXE
    SCRSCAN.EXE
    SCANPM.EXE
    SCAN95.EXE
    SCAN32.EXE
    SAFEWEB.EXE
    RESCUE.EXE
    RAV7WIN.EXE
    RAV7.EXE
    PERSFW.EXE
    PCFWALLICON.EXE
    PCCWIN98.EXE
    PAVW.EXE
    PAVSCHED.EXE
    PAVCL.EXE
    PADMIN.EXE
    OUTPOST.EXE
    NVC95.EXE
    NUPGRADE.EXE
    NORMIST.EXE
    NMAIN.EXE
    NISUM.EXE
    NAVWNT.EXE
    NAVW32.EXE
    NAVNT.EXE
    NAVLU32.EXE
    NAVAPW32.EXE
    N32SCANW.EXE
    MPFTRAY.EXE
    MOOLIVE.EXE
    LUALL.EXE
    LOOKOUT.EXE
    LOCKDOWN2000.EXE
    JEDI.EXE
    IOMON98.EXE
    IFACE.EXE
    ICSUPPNT.EXE
    ICSUPP95.EXE
    ICMON.EXE
    ICLOADNT.EXE
    ICLOAD95.EXE
    IBMAVSP.EXE
    IBMASN.EXE
    IAMSERV.EXE
    IAMAPP.EXE
    FRW.EXE
    FPROT.EXE
    FP-WIN.EXE
    FINDVIRU.EXE
    F-STOPW.EXE
    F-PROT95.EXE
    F-PROT.EXE
    F-AGNT95.EXE
    ESPWATCH.EXE
    ESAFE.EXE
    ECENGINE.EXE
    DVP95_0.EXE
    DVP95.EXE
    CLEANER3.EXE
    CLEANER.EXE
    CLAW95CF.EXE
    CLAW95.EXE
    CFINET32.EXE
    CFINET.EXE
    CFIAUDIT.EXE
    CFIADMIN.EXE
    BLACKICE.EXE
    BLACKD.EXE
    AVWUPD32.EXE
    AVWIN95.EXE
    AVSCHED32.EXE
    AVPUPD.EXE
    AVPTC32.EXE
    AVPM.EXE
    AVPDOS32.EXE
    AVPCC.EXE
    AVP32.EXE
    AVP.EXE
    AVNT.EXE
    AVKSERV.EXE
    AVGCTRL.EXE
    AVE32.EXE
    AVCONSOL.EXE
    AUTODOWN.EXE
    APVXDWIN.EXE
    ANTI-TROJAN.EXE
    ACKWIN32.EXE
    _AVPM.EXE
    _AVPCC.EXE
    _AVP32.EXE


    Backdoor Routine
    The worm also opens a listening port on port 1080. A hacker can connect to this port and perform the following actions:
    Delete files.
    Terminate processes.
    List processes and deliver the list to the hacker.
    Copy files.
    Start processes.
    List files and deliver the list to the hacker.
    Deliver intercepted keystrokes to the hacker (in an encrypted form). This may release confidential information that is typed on a computer (passwords, login details, and so on).
    Deliver the system information to the hacker in the following form:
    User: <user name>
    Processor: <type of processor used>
    Windows version: <Windows version, build number>
    Memory information: <Memory available, etc.>
    Local drives, their types (e.g., fixed/removable/RAM disk/CD-ROM/remote), and their physical characteristics
    List network resources and their types, and deliver the list to the hacker.
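The mass-mailing routine above gives a mail gateway two things to look for: an attachment named document-name plus .scr/.pif/.exe (so a double extension such as report.txt.scr) and an executable attachment whose Content-Type claims text/* or image/*, which is the MIME-header mismatch the "Incorrect MIME Header" flaw turned into auto-execution. The following scanner is an added example written for this thread, not code from the advisory or from Symantec; the sample message and its base64 payload are constructed here and carry no real malware.

```python
import email
from email import policy

# Extensions the worm appends to a harvested document name (from the advisory).
WORM_EXTS = {".scr", ".pif", ".exe"}
# Content types the worm advertises; on an executable attachment any of these is
# the MIME-type mismatch the "Incorrect MIME Header" flaw turned into auto-execution.
MISMATCH_TYPES = {"text/html", "text/plain", "image/jpeg", "image/gif"}

def scan_message(raw):
    """Return [(attachment name, [reasons])] for each executable attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        stem, dot, ext = name.lower().rpartition(".")
        if not dot or "." + ext not in WORM_EXTS:
            continue
        reasons = ["executable attachment ." + ext]
        ctype = part.get_content_type()
        if ctype in MISMATCH_TYPES:
            reasons.append("declared as " + ctype)
        if "." in stem:  # e.g. report.txt.scr
            reasons.append("double extension")
        findings.append((name, reasons))
    return findings

# Constructed sample, not a real capture: a text body plus one attachment shaped
# the way the advisory describes (document name + .scr, sent as text/plain).
SAMPLE_EML = b"""\
From: someone@example.com
To: victim@example.com
Subject: Payment notices
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Please see the attached report.
--bnd
Content-Type: text/plain; name="report.txt.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.txt.scr"

TVqQAAMAAAAEAAAA//8AAA==
--bnd--
"""
```

Running `scan_message(SAMPLE_EML)` flags the attachment on all three counts; a clean text-only message returns an empty list.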
     
  2. TGregg

    TGregg

  3. Sometimes I wonder if these viruses are not created by antivirus software companies. Because seriously, who would spend their time creating viruses, if not out of hope to be hired by one of those companies...
     
  4. If we don't open any e-mail attachments, are our computers safe from getting the virus?
     
  5. bobcathy1

    bobcathy1 Guest

    Yes, I got a really nasty one this morning in the mail.
    Followed my protocol and knocked it out before it got a chance to
    spread. I hope it does not show later and I have to wipe and
    reload my system and programs.
    :mad: :mad:
     

  6. So, your computer can still get a virus even if you don't open the attachment??
     
  7. bobcathy1

    bobcathy1 Guest

    Yes, do not open your mail at all; go on the web to read it at your "vacation email" site. :( Just do not use Outlook Express to download your email to your computer.

    Though some viruses come from websites. Got to have an up to date virus program. I do.
     

  8. Thanks
     
  9. One more question???

    If we use web-based e-mail, like our "vacation e-mail site", Yahoo or MSN Hotmail.

    Is it still possible to get a computer virus?

    Thanks
     
  10. CalTrader

    CalTrader Guest

    Unpatched web email systems as well as IE client software also present a vulnerability. If your company or provider has a properly configured email server - which rejects certain attachments and is current with updates - and you have a current browser, then you should be OK. Otherwise, if you get spam in your inbox I would follow the advice and wait until the admin says the configurations etc. are clean ....

    Fortunately our systems are all properly configured so this was a no issue virus.

    FYI: part of the vulnerability that allows this virus is over two years old. That is, nearly two years ago the patch was available that would partly negate the action of this virus.....
     
    #10     Jun 6, 2003