Virus Profile: W32/Bugbear@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/30/2002
Date Added: 9/30/2002
Origin: Malaysia
Length: 50,688 bytes (UPXed)
or 50,664 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4226
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Port 36794 TCP open
  • Existence of the following files (* represents any character):
    • %WinDir%\System\****.EXE (50,688 or 50,684 bytes)
    • %WinDir%\******.DAT
    • %WinDir%\******.DAT
    • %WinDir%\System\******.DLL
    • %WinDir%\System\*******.DLL
    • %WinDir%\System\*******.DLL
  • Large Print jobs sent to network printers. The full printout caused by a copy of the worm in the printer queue can take about 500 pages. They are mostly blank with only one-two lines of random symbols on each page. The very first page starts with "MZ" followed by about 18 funny symbols and a string "=!This program cannot be run in DOS mode". Another visible printed string close to the beginning is "Rich5". This printing routine can cause many .tmp and .spl files in your print server spool directory.

Methods of Infection

This virus spreads over the network (via network shares) and by mailing itself (using it's own SMTP engine).

It attempts to terminate the process of the following security programs:
  • ACKWIN32.exe
  • F-AGNT95.exe
  • ANTI-TROJAN.exe
  • APVXDWIN.exe
  • AUTODOWN.exe
  • AVCONSOL.exe
  • AVE32.exe
  • AVGCTRL.exe
  • AVKSERV.exe
  • AVNT.exe
  • AVP32.exe
  • AVP32.exe
  • AVPCC.exe
  • AVPCC.exe
  • AVPDOS32.exe
  • AVPM.exe
  • AVPM.exe
  • AVPTC32.exe
  • AVPUPD.exe
  • AVSCHED32.exe
  • AVWIN95.exe
  • AVWUPD32.exe
  • BLACKD.exe
  • BLACKICE.exe
  • CFIADMIN.exe
  • CFIAUDIT.exe
  • CFINET.exe
  • CFINET32.exe
  • CLAW95.exe
  • CLAW95CF.exe
  • CLEANER.exe
  • CLEANER3.exe
  • DVP95_0.exe
  • ECENGINE.exe
  • ESAFE.exe
  • ESPWATCH.exe
  • FINDVIRU.exe
  • FPROT.exe
  • IAMAPP.exe
  • IAMSERV.exe
  • IBMASN.exe
  • IBMAVSP.exe
  • ICLOAD95.exe
  • ICLOADNT.exe
  • ICMON.exe
  • ICSUPP95.exe
  • ICSUPPNT.exe
  • IFACE.exe
  • IOMON98.exe
  • JEDI.exe
  • LOCKDOWN2000.exe
  • LOOKOUT.exe
  • LUALL.exe
  • MOOLIVE.exe
  • MPFTRAY.exe
  • N32SCANW.exe
  • NAVAPW32.exe
  • NAVLU32.exe
  • NAVNT.exe
  • NAVW32.exe
  • NAVWNT.exe
  • NISUM.exe
  • NMAIN.exe
  • NORMIST.exe
  • NUPGRADE.exe
  • NVC95.exe
  • OUTPOST.exe
  • PADMIN.exe
  • PAVCL.exe
  • PAVSCHED.exe
  • PAVW.exe
  • PCCWIN98.exe
  • PCFWALLICON.exe
  • PERSFW.exe
  • F-PROT.exe
  • F-PROT95.exe
  • RAV7.exe
  • RAV7WIN.exe
  • RESCUE.exe
  • SAFEWEB.exe
  • SCAN32.exe
  • SCAN95.exe
  • SCANPM.exe
  • SCRSCAN.exe
  • SERV95.exe
  • SPHINX.exe
  • F-STOPW.exe
  • SWEEP95.exe
  • TBSCAN.exe
  • TDS2-98.exe
  • TDS2-NT.exe
  • VET95.exe
  • VETTRAY.exe
  • VSCAN40.exe
  • VSECOMR.exe
  • VSHWIN32.exe
  • VSSTAT.exe
  • WEBSCANX.exe
  • WFINDV32.exe
  • ZONEALARM.exe

Aliases

W32.Bugbear@mm (Symantec), W32/Bugbear-A (Sophos), W32/Bugbear.A@mm (F-Secure), W32/Bugbear.worm, W32/Tanat, W32/Tanat-mm, Win32Bugbear (CA), Worm/Tanatos (CentralCommand), WORM_NATOSTA.A (Trend)
   

Virus Characteristics

---Update 1/16/2003---
Due to a sustained decrease in prevalence, the risk assessment was lowered from Medium to Low.

---Update 10/15/2002---
Due to a decrease in prevalence, the risk assessment was lowered from High to Medium.

---Update 10/07/2002---
W32/Bugbear@MM does not contain a bear icon, but rather a generic icon typically associated with EXE files.

A new version of the JDBGMGR.EXE hoax is circulating, which is tricking users into deleting a file that uses a bear icon. This file, JDBGMGR.EXE, is not related to the W32/Bugbear@MM virus.

---Update 10/03/2002---
The risk assessment of this threat has been raised to High due to the continuing increase in prevalence.

AVERT has released a removal tool to assist infected users with this virus.

---Update 10/02/2002---
The risk assessment of this threat has been raised to Medium On Watch due to an increase in prevalence.

This worm has the ability to spoof, or forge, the 'From:' field. (Often set to an address found on the victim's machine). Additionally the virus can use a fabricated from address, by taking the name before the "@" sign of one address, and the domain name after the "@" sign of another address. (ie. name1@domain1.com + name2@domain2.com = name1@domain2.com)

This virus is written in MSVC and packed with UPX. It affects systems running the Windows operating system. It does not affect MacOS or Linux environments. It spreads via network shares and by emailing itself. It also contains a backdoor trojan component that contains keylogging functionality.

Mass-mailing

This worm emails itself to addresses found on the local system. The virus code contains email subject strings and attachment names. However, the majority of samples received contain information not present in the virus. Suggesting that there is a higher probability of the virus using words and filenames contained on the infected system. Possible message subject lines include the following (however, other random subject lines are also possible):

  • 25 merchants and rising
  • Announcement
  • bad news
  • CALL FOR INFORMATION!
  • click on this!
  • Correction of errors
  • Cows
  • Daily Email Reminder
  • empty account
  • fantastic
  • free shipping!
  • Get 8 FREE issues - no risk!
  • Get a FREE gift!
  • Greets!
  • Hello!
  • Hi!
  • history screen
  • hmm..
  • I need help about script!!!
  • Interesting...
  • Introduction
  • its easy
  • Just a reminder
  • Lost & Found
  • Market Update Report
  • Membership Confirmation
  • My eBay ads
  • New bonus in your cash account
  • New Contests
  • new reading
  • News
  • Payment notices
  • Please Help...
  • Re: $150 FREE Bonus!
  • Report
  • SCAM alert!!!
  • Sponsors needed
  • Stats
  • Today Only
  • Tools For Your Online Business
  • update
  • various
  • Warning!
  • wow!
  • Your Gift
  • Your News Alert

The message body varies and may contain fragments of files found on the victim's system. The attachment name also varies, but may contain the following strings:

  • Card
  • Docs
  • image
  • images
  • music
  • news
  • photo
  • pics
  • readme
  • resume
  • Setup
  • song
  • video
It is common for the attachment name to contain a double-extension (ie. .doc.pif). Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2). Gateway scanners will detect samples using this exploit as Exploit-MIME.gen. or Exploit-MIME.gen.exe with the 4213 DATs (or higher). Many other threats, such as W32/Klez.h@MM, are also detected as Exploit-MIME.gen on the gateway.
    System changes

    When run on the victim machine it copies itself to %WinDir%\%SysDir% as ****.EXE (where * represents random character). For example in testing:

    • Win98 : C:\WINDOWS\SYSTEM\FYFA.EXE
    • 2k Pro : C:\WINNT\SYSTEM32\FVFA.EXE
    The following Registry key is set in order to hook next system startup:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      RunOnce "%random letters%" = %random filename%.EXE (Win9x)

    The worm copies itself to the Startup folder on the victim machine as ***.EXE (where * represents random character), for example:

    • Win98 : C:\WINDOWS\Start Menu\Programs\Startup\CUK.EXE
    • 2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE
      Trojan component

      The worm opens a port on the victim machine - port 36794 TCP and searches for various running processes, stopping them if found. The list of processes includes many popular AV and personal firewall products.

      This remote access server allows an attacker to upload, and download files, run executes, and terminate processes.

      It drops a DLL on the victim machine - keylogger related. This DLL is detected as PWS-Hooker.dll.

      Spawns Print Jobs on Network Printers

      There have been reports from the field that after execution of the virus it sends print jobs to all network printers. Avert has been able to reproduce this in their labs and the worm attempts to print its file contents to network printers.

      Network share propagation

      The worm attempts to copy itself to the Startup folder of remote machines on the network (as ***.EXE - described above).

         
      Use current engine and DAT files for detection and removal.

      Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

      This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

      Alternatively, the following steps will circumvent the virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.
      1. Ensure that you are using the minimum DAT (specified above) or higher
      2. Close all running applications
      3. Disconnect the system from the network
      4. Click START | RUN, type command and hit ENTER
      5. Change to the VirusScan engine directory:
        • Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
        • WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
      6. Type scan.exe /adl /clean and hit ENTER
      7. After scanning and removal is complete, reboot the system and reconnect to the network

      Additional Windows ME/XP removal considerations

      Detecting W32/Bugbear@MM infected systems with McAfee ThreatScan