New "Bugbear" virus

Executioner
Life Member
Posts: 10140
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Post by Executioner »

I found this on another site that I visit on a regular basis, and it was mentioned at work by one of our network guys, so I figured I'd let you guys know also.

Analysis:

W32/Bugbear-A is a network-aware worm. W32/Bugbear-A spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.

Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of Bugbear's executable code. This usually results in many wasted pages.

The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

If the worm activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the virus. You will find:

xxx.EXE (usually 50688 bytes) in the Startup folder

yyyy.EXE (usually 50688 bytes) in the System folder

zzzzzzz.DLL (usually 5632 bytes) in the System folder

The two EXE files are executable copies of the worm. The DLL is a keystroke logging tool which is used by the worm when it is activated.

The worm not only adds itself to the Startup folder, but also adds an entry to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

This means that the worm will be reactivated when your computer is rebooted.

The worm spreads itself via email. The emails have no body text but have the following subject lines:

Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Greets!

Attachments can have the same filename as another file on the victim's computer but they may contain the following strings:

Readme
Setup
Card
Docs
News
Image
Images
Pics
Resume
Photo
Video
Music
Song
Data

The attachments have double extensions, with the final extension being EXE, SCR or PIF.

W32/Bugbear-A has a thread running in the background which attempts to terminate anti-virus and security programs with one of the following filenames:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

W32/Bugbear-A also opens port 36794 and sends a notification email via SMTP to an external address which contains confidential information about the victim's computer such as username and password.

The worm may also attempt to determine the presence of an Apache 1.3.26 web server and relay this information to an external email address.

To protect yourself, please use anti-virus software, or use MailWasher, which allows you to screen your emails before they are downloaded to your PC.
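A mail-triage check built from the indicators quoted in the post above (a listed subject line, an empty body, and an attachment whose name carries a double extension ending in .exe, .scr or .pif). This is an added example, not code from the thread or from the analysis it quotes; the message it inspects is constructed here, and only a subset of the listed subjects and name strings is embedded.

```python
"""Flag Bugbear-style mail from the indicators quoted in the post.
The sample message is constructed for this example, not a real capture."""
import email
from email import policy
from email.message import EmailMessage

# Subset of the subject lines and attachment name strings quoted in the post.
BUGBEAR_SUBJECTS = {"hello!", "update", "payment notices", "just a reminder",
                    "report", "membership confirmation", "bad news", "warning!"}
BUGBEAR_NAME_WORDS = {"readme", "setup", "card", "docs", "news", "image",
                      "images", "pics", "resume", "photo", "video", "music",
                      "song", "data"}
FINAL_EXTENSIONS = {"exe", "scr", "pif"}


def is_double_extension(filename: str) -> bool:
    """True for names like 'readme.txt.exe' or 'pics.jpg.scr'."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in FINAL_EXTENSIONS


def triage(raw: bytes) -> dict:
    """Return which of the post's indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_empty = True
    bad_attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            base = name.lower().split(".")[0]
            if is_double_extension(name) and base in BUGBEAR_NAME_WORDS:
                bad_attachments.append(name)
        elif part.get_content_type() == "text/plain" and part.get_content().strip():
            body_empty = False  # the worm's mails carry no body text
    hits = {"subject": subject in BUGBEAR_SUBJECTS, "empty_body": body_empty,
            "attachments": bad_attachments}
    hits["suspect"] = hits["subject"] and body_empty and bool(bad_attachments)
    return hits


def build_sample() -> bytes:
    """Constructed message that mimics the indicators (hypothetical addresses)."""
    msg = EmailMessage()
    msg["Subject"] = "Payment notices"
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg.set_content("")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Docs.txt.scr")
    return bytes(msg)
```

Windows hides known extensions by default, so "Docs.txt.scr" displays as "Docs.txt" in the client; the check works on the full MIME filename, which is why it should run at the gateway or in a pre-download screener rather than rely on what the user sees.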
wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

Heatware: http://www.heatware.com/eval.php?id=123
Pugsley
Posts: 7454
Joined: Mon Aug 19, 2002 11:54 pm
Location: NW Indiana

Post by Pugsley »

Don't know if this had to do with F@H or not... but I had this thing that was sending info up the pipe. It was xxxxxx.dll and was running under me. I do not know what it was or what it was doing, but it isn't doing it any more.

A self-aware artificial intelligence would suffer from a divide by zero error if it were programmed to be Amish
Tomuchtime
Senior Member
Posts: 304
Joined: Tue May 28, 2002 6:24 am

Post by Tomuchtime »

I just had an anti-virus go off on an e-mail, but I didn't think to catch the headers etc. before deleting it. It was in quarantine and I think I cleaned that out.
I'm sure we'll be seeing a lot of this for a while. Somewhere it was posted that the bug in general failed in its intended goal, but it's still gonna be a pain in the ass.
I'm not too well versed in this stuff, but I think it's a VB bug.
CaterpillarAssassin
Almighty Member
Posts: 2252
Joined: Wed Nov 22, 2000 11:29 am
Location: somewhere in N.E

Post by CaterpillarAssassin »

I don't know how I got by before with no antivirus software. That was on my old machine (the ICS server). My lappy came with Norton and I swear it's gone off 10 times in the past 2 days for emails infected with the Klez.H virus. My other machine must be infected out the ass. Oh well. I can't even look at the screen on that, it's so blurry compared to the LCD here. That's what pcAnywhere is for! :)
Executioner
Life Member
Posts: 10140
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Post by Executioner »

^to the top^, as I've seen more of this virus being mentioned. Your best defense is to use MailWasher so you can preview your emails at the server, not on your rig.