Win32.BugBear.C@mm (BugBear.C)
SYMPTOMS: Programs run very slowly; some antivirus programs stop working.

TECHNICAL DESCRIPTION: When it is run for the first time, the worm drops a copy of itself in the %SYSTEM% folder (under a random file name) and registers that copy to execute every time the system is started, using the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key. It then sets the "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial" value so that the default dial-up Internet connection is established automatically at system startup. The worm also places three further files in the %SYSTEM% folder: one is the keylogging hook DLL (detected by BitDefender as Trojan.Keylogger.Bugbear.B); the other two are used to collect data about the infected computer.

The worm also includes anti-antivirus functionality. It attempts to terminate antivirus and firewall processes using the TerminateProcess API. Processes are enumerated in two different ways, each corresponding to a major Win32 platform: the Toolhelp32 functions are used whenever they are available, otherwise the PSAPI functions are used (Toolhelp32 is missing on Windows NT 4.0, which only offers PSAPI).
The worm attempts to terminate any process whose name contains one of the following strings (the match is a substring test, so it is not limited to exact image names):

_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ANTI-TROJAN.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE ESAFE.EXE ESPWATCH.EXE F-AGNT95.EXE FINDVIRU.EXE FPROT.EXE F-PROT.EXE F-PROT95.EXE FP-WIN.EXE FRW.EXE F-STOPW.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE IOMON98.EXE JEDI.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCANW.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE NUPGRADE.EXE NVC95.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE PERSFW.EXE RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE TDS2-98.EXE TDS2-NT.EXE VET95.EXE VETTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSSTAT.EXE WEBSCANX.EXE WFINDV32.EXE ZONEALARM.EXE

Then the worm looks for e-mail addresses in the Internet Explorer cache directory and in several mail databases, and tries to send itself to the addresses collected using its own SMTP engine. The worm carries a rather large dictionary of message fragments, so the messages it produces are quite varied and look realistic.

Removal instructions: Let BitDefender erase the infected files.

ANALYZED BY: Mihai Chiriac, BitDefender Virus Researcher
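Because the dropped copy has a random file name, it cannot be found by name; what can be checked is the shape of the persistence it leaves behind (a Run-key value pointing at a short, unfamiliar executable in %SYSTEM%), the EnableAutodial value, and which security processes on a host fall within the kill list above. The following triage script is an added example written for this page, not BitDefender's tooling: it runs against constructed data (the Run-key entries, Internet Settings value and process list are made up, and the allow-list of expected Run entries is a hypothetical stand-in for a golden-image list), so it can be tested offline; on a real host the same functions would be fed the output of a registry export and a process listing.

```python
"""Triage checks for the BugBear.C behaviours described in this entry.

All sample data below is constructed for the example; it is not taken from an
infected host.
"""
import ntpath
import re

# Subset of the process names the worm tries to terminate (from the list in the entry).
BUGBEAR_KILL_LIST = {
    "_AVP32.EXE", "AVP.EXE", "NAVW32.EXE", "ZONEALARM.EXE", "BLACKICE.EXE",
    "OUTPOST.EXE", "SCAN32.EXE", "F-PROT.EXE", "VSHWIN32.EXE",
}

# Directories %SYSTEM% resolves to on the platforms the worm targets.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system", r"c:\winnt\system32")

# Hypothetical allow-list of Run-key executables a clean build is expected to have.
RUN_ALLOWLIST = {"ctfmon.exe", "explorer.exe"}


def _exe_path(command: str) -> str:
    """Strip quotes and arguments from a Run-key command line, returning the image path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def suspicious_run_entries(run_values: dict) -> list:
    """Flag Run-key values whose image is a random-looking executable in a system directory.

    The worm drops a randomly named copy in %SYSTEM% and registers it under
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; a short, letters-only
    basename outside the allow-list is treated as suspicious.
    """
    hits = []
    for name, command in run_values.items():
        path = _exe_path(command).lower()
        directory, base = ntpath.split(path)
        in_system_dir = directory in SYSTEM_DIRS
        random_looking = bool(re.fullmatch(r"[a-z]{3,8}\.exe", base)) and base not in RUN_ALLOWLIST
        if in_system_dir and random_looking:
            hits.append((name, path))
    return hits


def autodial_enabled(internet_settings: dict) -> bool:
    """True if EnableAutodial is non-zero, i.e. dial-up is forced at startup as the worm sets it."""
    return int(internet_settings.get("EnableAutodial", 0)) != 0


def processes_at_risk(running: list) -> list:
    """Return the running processes the worm would try to terminate.

    Matching is a case-insensitive substring test, mirroring 'any process whose
    name contains one of these strings'.
    """
    hits = []
    for proc in running:
        upper = proc.upper()
        if any(target in upper for target in BUGBEAR_KILL_LIST):
            hits.append(proc)
    return hits


# --- constructed sample data (not real artifacts) ---
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "xqzb": r'"C:\WINDOWS\system32\xqzb.exe" /s',        # made-up random-named dropper
    "Office": r'"C:\Program Files\Office\osa.exe" -b',
}
SAMPLE_INET = {"EnableAutodial": 1}
SAMPLE_PROCS = ["explorer.exe", "navw32.exe", "ZoneAlarm.exe", "notepad.exe"]


def triage(run_values=SAMPLE_RUN, inet=SAMPLE_INET, procs=SAMPLE_PROCS) -> dict:
    """Run all three checks and return the findings as a dictionary."""
    return {
        "run_entries": suspicious_run_entries(run_values),
        "autodial": autodial_enabled(inet),
        "targeted_processes": processes_at_risk(procs),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The Run-key heuristic is deliberately narrow (system directory plus a short letters-only name not on the allow-list); on a real host the allow-list should be built from a known-clean image of the same build, otherwise legitimate entries will be flagged and the random-named dropper can hide among them.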