The Computer Guys
Miami to Fort Lauderdale Since 1994

Alerts Dec 2002

Top 10 malware reported to Sophos in December 2002

Position  Last month  Malware        Percentage of reports
1         1           W32/Bugbear-A  15.8%
2         3           W32/Klez-H     10.9%
3         New         Troj/Tubmo-A    5.9%
4         Re-entry    W32/Klez-G      4.5%
5         New         W32/Opaserv-G   3.9%
6         Re-entry    W32/Nimda-D     2.9%
7         4           W32/Opaserv-A   2.7%
8         8           W32/Opaserv-F   2.5%
9=        2           W32/Braid-A     2.2%
9=        Re-entry    W32/ElKern-C    2.2%
                      Others         46.5%

This section describes how W32/Bugbear-A behaves.

W32/Bugbear-A is a network-aware worm. W32/Bugbear-A spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.

Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.

The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

If the worm activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the worm.

You will find:

xxx.EXE (usually 50688 bytes) in the Startup folder
yyyy.EXE (usually 50688 bytes) in the System folder
zzzzzzz.DLL (usually 5632 bytes) in the System folder

The two EXE files are executable copies of the worm. The DLL is a keystroke logging tool which is used by the worm when it is activated.

The worm not only adds itself to the Startup folder, but also adds an entry to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

This means that the worm will be reactivated when your computer is rebooted.

The worm spreads itself via email. The emails can look like normal emails, or they can have no body text and one of the following subject lines:

    Hello!
    update
    Payment notices
    Just a reminder
    Correction of errors
    history screen
    Announcement
    various
    Introduction
    Interesting...
    I need help about script!!!
    Please Help...
    Report
    Membership Confirmation
    Get a FREE gift!
    Today Only
    New Contests
    Lost & Found
    bad news
    fantastic
    click on this!
    Market Update Report
    empty account
    My eBay ads
    25 merchants and rising
    CALL FOR INFORMATION!
    new reading
    Sponsors needed
    SCAM alert!!!
    Warning!
    its easy
    free shipping!
    Daily Email Reminder
    Tools For Your Online Business
    New bonus in your cash account
    Your Gift
    $150 FREE Bonus!
    Your News Alert
    Get 8 FREE issues - no risk!
    Greets!

Attachments can have the same filename as another file on the victim's computer, but their names may also contain one of the following strings:

    Readme
    Setup
    Card
    Docs
    News
    Image
    Images
    Pics
    Resume
    Photo
    Video
    Music
    Song
    Data

The attachments have double extensions with the final extension being EXE, SCR or PIF.

Please note that the worm can spoof the From and Reply To fields in the emails it sends.
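
As a defender-side illustration of the mail characteristics listed above, the following Python script (added here; it is not part of the Sophos description or of this site) flags a message that carries one of the listed subject lines, an empty body, or an attachment whose name contains one of the lure strings or ends in a double extension (.EXE, .SCR or .PIF). The sample messages it builds are constructed for the example, not real captures.

```python
import email
import re
from email import policy

# Lures quoted in the description above: subject lines, attachment-name fragments and
# the executable extensions that end the worm's double-extension attachment names.
BUGBEAR_SUBJECTS = {
    "Hello!", "update", "Payment notices", "Just a reminder", "Correction of errors",
    "history screen", "Announcement", "various", "Introduction", "Interesting...",
    "I need help about script!!!", "Please Help...", "Report", "Membership Confirmation",
    "Get a FREE gift!", "Today Only", "New Contests", "Lost & Found", "bad news", "fantastic",
    "click on this!", "Market Update Report", "empty account", "My eBay ads",
    "25 merchants and rising", "CALL FOR INFORMATION!", "new reading", "Sponsors needed",
    "SCAM alert!!!", "Warning!", "its easy", "free shipping!", "Daily Email Reminder",
    "Tools For Your Online Business", "New bonus in your cash account", "Your Gift",
    "$150 FREE Bonus!", "Your News Alert", "Get 8 FREE issues - no risk!", "Greets!",
}
NAME_FRAGMENTS = ("readme", "setup", "card", "docs", "news", "image", "pics",
                  "resume", "photo", "video", "music", "song", "data")
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(exe|scr|pif)$", re.IGNORECASE)


def bugbear_indicators(raw_message: bytes) -> list:
    """Return the sorted list of Bugbear-A style traits found in one RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = set()
    if str(msg["Subject"] or "").strip() in BUGBEAR_SUBJECTS:
        found.add("known-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        found.add("empty-body")            # lure mails often carry no text at all
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if DOUBLE_EXT.search(name):
            found.add("double-extension")  # e.g. Images.txt.pif
        if any(frag in name.lower() for frag in NAME_FRAGMENTS):
            found.add("lure-filename")
    return sorted(found)


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message (not a real capture) with one text part and one attachment."""
    return (f"From: sender@example.invalid\nSubject: {subject}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="B"\n\n--B\nContent-Type: text/plain\n\n'
            f'{body}\n--B\nContent-Type: application/octet-stream; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n\nMZ\n--B--\n').encode()
```

Because the worm spoofs the From and Reply-To fields, the script deliberately ignores the sender and judges only the subject, body and attachment names.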

 

W32/Bugbear-A has a thread running in the background which attempts to terminate anti-virus and security programs with one of the following filenames:

ZONEALARM.EXE, WFINDV32.EXE, WEBSCANX.EXE, VSSTAT.EXE, VSHWIN32.EXE, VSECOMR.EXE, VSCAN40.EXE, VETTRAY.EXE, VET95.EXE, TDS2-NT.EXE, TDS2-98.EXE, TCA.EXE, TBSCAN.EXE, SWEEP95.EXE, SPHINX.EXE, SMC.EXE, SERV95.EXE, SCRSCAN.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, SAFEWEB.EXE, RESCUE.EXE, RAV7WIN.EXE, RAV7.EXE, PERSFW.EXE, PCFWALLICON.EXE, PCCWIN98.EXE, PAVW.EXE, PAVSCHED.EXE, PAVCL.EXE, PADMIN.EXE, OUTPOST.EXE, NVC95.EXE, NUPGRADE.EXE, NORMIST.EXE, NMAIN.EXE, NISUM.EXE, NAVWNT.EXE, NAVW32.EXE, NAVNT.EXE, NAVLU32.EXE, NAVAPW32.EXE, N32SCANW.EXE, MPFTRAY.EXE, MOOLIVE.EXE, LUALL.EXE, LOOKOUT.EXE, LOCKDOWN2000.EXE, JEDI.EXE, IOMON98.EXE, IFACE.EXE, ICSUPPNT.EXE, ICSUPP95.EXE, ICMON.EXE, ICLOADNT.EXE, ICLOAD95.EXE, IBMAVSP.EXE, IBMASN.EXE, IAMSERV.EXE, IAMAPP.EXE, FRW.EXE, FPROT.EXE, FP-WIN.EXE, FINDVIRU.EXE, F-STOPW.EXE, F-PROT95.EXE, F-PROT.EXE, F-AGNT95.EXE, ESPWATCH.EXE, ESAFE.EXE, ECENGINE.EXE, DVP95_0.EXE, DVP95.EXE, CLEANER3.EXE, CLEANER.EXE, CLAW95CF.EXE, CLAW95.EXE, CFINET32.EXE, CFINET.EXE, CFIAUDIT.EXE, CFIADMIN.EXE, BLACKICE.EXE, BLACKD.EXE, AVWUPD32.EXE, AVWIN95.EXE, AVSCHED32.EXE, AVPUPD.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, AVNT.EXE, AVKSERV.EXE, AVGCTRL.EXE, AVE32.EXE, AVCONSOL.EXE, AUTODOWN.EXE, APVXDWIN.EXE, ANTI-TROJAN.EXE, ACKWIN32.EXE, _AVPM.EXE, _AVPCC.EXE, _AVP32.EXE

 

The keylogging component of W32/Bugbear-A (the DLL) hooks keyboard input and records keystrokes to memory. When the user next connects to the internet using a dial-up connection, the worm sends this information to one of a hard-coded list of remote email addresses:

W32/Bugbear-A opens port 36794 and listens for commands from a remote machine. Depending on the command issued, the remote user may attempt the following on the victim's computer:

Retrieve cached passwords in an encrypted form
Download and execute a file
Find files
Delete files
Execute files
Copy files
Write to files
List processes
Terminate processes
Retrieve information such as username, processor type, Windows version, memory information (amount used, amount free, etc.) and drive information (types of local drives available, space available on these drives, etc.)

The remote user may also attempt to open port 80 (HTTP) on the victim's computer, then connect to the backdoor web server (possibly an Apache 1.3.26-type web server) provided by W32/Bugbear-A and thus achieve a level of control over the infected computer.

Example of a remote user accessing an infected computer using the backdoor (screenshot captions; images not reproduced)

Other alerts published in December 2002:

Name                      Date        Risk          Risk          Version
W32/Yaha.l                12/30/2002  Low           Low           4240
Killpar.c                 12/29/2002  Low           Low           4241
W32/Opaserv.worm.n        12/27/2002  Low           Low           4240
W32/Orfina@MM             12/27/2002  Low           Low           4241
VBS/Renalo@MM             12/26/2002  Low           Low           4241
QDel359                   12/23/2002  Low           Low           4241
W32/Yaha.k                12/21/2002  Medium        Medium        4239
W32/Opaserv.worm.m        12/20/2002  Low-Profiled  Low-Profiled  4239
PWS-Tenbot                12/19/2002  Low           Low           4240
W32/RunDoom.worm          12/19/2002  Low           Low           4239
Backdoor-AOE              12/18/2002  Low           Low           4240
W32/Erdine.worm           12/17/2002  Low           Low           4239
JS/Offiz                  12/16/2002  Low           Low           4239
W32/Lioten.worm           12/16/2002  Low-Profiled  Low-Profiled  4239
W32/Yaha.j                12/13/2002  Low           Low           4238
PornDial-108 application  12/12/2002  N/A           N/A           4238
Spy-Hiddukel              12/10/2002  Low           Low           4237
MultiDropper-FB           12/10/2002  Low           Low           4238
QDel356                   12/10/2002  Low           Low           4238
Poldo                     12/10/2002  Low           Low           4237
PornDial-106 application  12/10/2002  N/A           N/A           4238
AdClicker-J               12/04/2002  Low           Low           4237
W32/Holar.c@MM            12/04/2002  Low-Profiled  Low-Profiled  4236
VBS/Hypoth@MM             12/03/2002  Low           Low           4102
Reboot-T                  12/03/2002  Low           Low           4237

 

Copyright © 1998 The Computer Guys