Win32.BugBear.D@mm

( I-Worm.Tanatos.e (KAV) )
Ausbreitung : medium
Schaden : medium
Size: 43 KB
Entdeckt : 2005 May 31

SYMPTOMS:

  • A fake WinZip dialog box with the following message:
    bad CRC 23bb8dea (should be 0be7841c).
  • Sudden termination of some antivirus or shield software programs.
  • Presence of the registry key:
    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    with a random value pointing to a file in Windows directory with a random name.

TECHNICAL DESCRIPTION:

Previously detected as Win32.BugBear.Gen@mm, the worm spreads like the former variants by mail in the following format:

Subject: one of the following:

  • Greets!
  • !!! WARNING !!!
  • Hi!
  • sexy
  • good news!
  • Re:
  • Your Gift
  • Sex pictures
  • I cannot forget you!
  • Fwd:
  • News
  • You are fat!
  • Love
  • Warning!
  • photo
  • Friendly
  • new reading
  • ;)
  • I love you!
  • Is that your password?
  • photos
  • empty account
  • Old photos
  • Me nude
  • fantastic
  • wow!
  • bad news
  • Lost & Found
  • New Contests
  • Today Only
  • [Fwd: look] ;-)
  • Greetings!
  • Report
  • Please Help...
  • Stats
  • I need photo!!!
  • Interesting...
  • Introduction
  • various
  • Announcement
  • history screen
  • look
  • Just a reminder
  • Payment notices
  • hmm..
  • update
  • Hello!

Body: one of the following:

  • Take a look to the attachment
  • See the attached file for more info
  • Please see Attachment
  • Pease open an attachment to see the message.
  • see attachment
  • See the attached file
  • please,read the attach file.

Attachment: A Zip archive or a file with a name taken from the infected computer or one of:

  • Readme.txt
  • Love.jpg
  • You.jpg
  • Myphoto.jpg
  • News.doc
  • Image.jpg
  • Message.txt
  • Pic.jpg
  • Girls.jpg
  • Photo.jpg
  • Video.avi
  • Music.mp3
  • Song.wav
  • A000032.jpg

followed by many spaces before the real SCR extension.

It copies itself with a random name: %random%.exe in the Windows System directory: %WINSYS%
It executes the copied file.
It displays a fake WinZip message box with the following text:
bad CRC 23bb8dea (should be 0be7841c).

The %WINSYS% copy does the following:

It adds the following registry key:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\%random%
With value:
%WINSYS%\\%random%.exe

It tries to register itself as a service (under Win9X machines)
It creates a .dat file for storing e-mail addresses.
It drops a key logger component in %WinSYS% folder with a random name and .dll extension. This component is detected as Trojan.KeyLogger.BugBear.B
It creates 2 files with dll extension and random name. In these files the worm keeps encrypted data gathered from the computer.
At every 20 seconds it search for and kills a list of antivirus and shield processes.
The worm registers the actions of the user. This information is then sent to an e-mail address.

It searches for e-mail addresses in all the files with the following extensions:

  • sht
  • txt
  • asp
  • htm
  • ods
  • inbox
  • mmf
  • nch
  • mbx
  • eml
  • tbb
  • dbx

And it send itself to all the e-mails it finds in the same format it arrives.

Removal instructions:

Let BitDefender delete all files found infected by this worm.

ANALYZED BY:

Sorin Victor Dudea
BitDefender Virus Researcher