-
This worm propagates via shared network folders and via email.
-
It also terminates antivirus programs, act as a backdoor server application, and sends out system passwords - all of which compromise security on infected machines.
-
BugBear Infection
-
This worm fakes the FROM field and obtains the recipients for its email from email messages, address books and mailboxes on the infected system. It generates the filename for the attached copy of itself from the following:
-
A combination of text strings: setup, card, docs, news, Image, images, pics, resume, photo, video, music or song data; with any of the extensions: SCR, PIF, or EXE. An existing system file appended with any of the following extensions: SCR, PIF or EXE.
-
On systems with un patched Internet Explorer 5.0 and 5.5, the worm attachment is executed automatically when messages are either opened or previewed using Microsoft Outlook or Outlook Express.
-
 |
W32/Bugbear-A is a network-aware worm. W32/Bugbear-A spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.
Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.
| Threat | The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. |
If the worm activates, several new files will appear on the infected computer. Their names consist of letters of the alphabet randomly chosen by the worm.
-
xxx.EXE (usually 50688 bytes) in the Startup folder
-
yyyy.EXE (usually 50688 bytes) in the System folder
-
zzzzzzz.DLL (usually 5632 bytes) in the System folder
The two EXE files are executable copies of the worm. The DLL is a keystroke logging tool which is used by the worm when it is activated. The worm not only adds itself to the Startup folder, but also adds an entry to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion \RunOnce
This means that the worm will be reactivated when the infected computer is rebooted.
The worm spreads itself via email. The emails can look like normal emails or they could have no body text and one of the following subject lines:
| Hello! Update Payment notices Just a reminder Correction of errors history screen Announcement various Introductions Interesting... I need help about script!!! Please Help... Get 8 FREE issues - no risk! Greets! | Report Membership Confirmation Get a FREE gift! Today Only New Contests Lost & Found bad news fantastic click on this! Market Update Report empty account My eBay ads 25 merchants and rising Your News Alert | CALL FOR INFORMATION! New reading Sponsors needed SCAM alert!!! Warning! Its easy free shipping! Daily Email Reminder Tools For Your Online Business New bonus in your cash account Your Gift $150 FREE Bonus! |
Attachments can have the same filename as another file on the victim's computer but they may contain the following strings:
Readme, Setup, Card, Docs, News, Image, Images, Pics, Resume, Photo, Video, Music, Song, Data.
The attachments have double extensions with the final extension being EXE, SCR or PIF. The worm can spoof the from and Reply To fields in the emails it sends.
W32/Bugbear-A has a thread running in the background which attempts to terminate anti-virus and security programs with one of the following filenames:
ZONEALARM.EXE, WFINDV32.EXE, WEBSCANX.EXE, VSSTAT.EXE, VSHWIN32.EXE, VSECOMR.EXE, VSCAN40.EXE, VETTRAY.EXE, VET95.EXE, TDS2-NT.EXE, TDS2-98.EXE, TCA.EXE, TBSCAN.EXE, SWEEP95.EXE, SPHINX.EXE, SMC.EXE, SERV95.EXE, SCRSCAN.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, SAFEWEB.EXE, RESCUE.EXE, RAV7WIN.EXE, RAV7.EXE, PERSFW.EXE, PCFWALLICON.EXE, PCCWIN98.EXE, PAVW.EXE, PAVSCHED.EXE, PAVCL.EXE, PADMIN.EXE, OUTPOST.EXE, NVC95.EXE, NUPGRADE.EXE, NORMIST.EXE, NMAIN.EXE, NISUM.EXE, NAVWNT.EXE, NAVW32.EXE, NAVNT.EXE, NAVLU32.EXE, NAVAPW32.EXE, N32SCANW.EXE, MPFTRAY.EXE, MOOLIVE.EXE, LUALL.EXE, LOOKOUT.EXE, LOCKDOWN2000.EXE, JEDI.EXE, IOMON98.EXE, IFACE.EXE, ICSUPPNT.EXE, ICSUPP95.EXE, ICMON.EXE, ICLOADNT.EXE, ICLOAD95.EXE, IBMAVSP.EXE, IBMASN.EXE, IAMSERV.EXE, IAMAPP.EXE, FRW.EXE, FPROT.EXE, FP-WIN.EXE, FINDVIRU.EXE, F-STOPW.EXE, F-PROT95.EXE, F-PROT.EXE, F-AGNT95.EXE, ESPWATCH.EXE, ESAFE.EXE, ECENGINE.EXE, DVP95_0.EXE, DVP95.EXE, CLEANER3.EXE, CLEANER.EXE, CLAW95CF.EXE, CLAW95.EXE, CFINET32.EXE, CFINET.EXE, CFIAUDIT.EXE, CFIADMIN.EXE, BLACKICE.EXE, BLACKD.EXE, AVWUPD32.EXE, AVWIN95.EXE, AVSCHED32.EXE, AVPUPD.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, AVNT.EXE, AVKSERV.EXE, AVGCTRL.EXE, AVE32.EXE, AVCONSOL.EXE, AUTODOWN.EXE, APVXDWIN.EXE, ANTI-TROJAN.EXE, ACKWIN32.EXE, _AVPM.EXE, _AVPCC.EXE, _AVP32.EXE
The keylogging component of W32/Bugbear-A (the DLL) hooks the keyboard input so that it records keystrokes to memory. When the user next connects to the internet using a dial-up connection, the worm sends this information to one of the following remote email addresses:
W32/Bugbear-A opens port 36794 and listens for commands from a remote machine. Depending on the command issued the remote user may attempt the following on the victim's computer:
-
Retrieve cached passwords in an encrypted form
-
Download and execute a file
-
Find files / Delete files / Execute files / Copy files / Write to files
-
List processes / Terminate processes
-
Retrieve information such as username, type of processor, Windows version, Memory information (amount used, amount free, etc), Drive information (types of local drives available, amount of space available on these drives, etc).
The remote user may also attempt to open port 80 (HTTP) on the victim's computer, then connect to the backdoor web server (possibly an Apache 1.3.26 -type web server) provided by W32/Bugbear-A and thus achieve a level of control over the infected computer.
Posts
0 comments:
Post a Comment