The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

We Build the Best & Repair the Rest! ©

Top 10 malware reported to Sophos in June 2003

This section is for technical experts who want to know more.

W32/Bugbear-B is a network-aware virus. W32/Bugbear-B spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.
 

The virus attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this virus.)

If the virus activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the virus.

You will find:

xxxx.EXE (usually 72192 bytes) in the Startup folder

and

zzzzzzz.DLL (usually 5632 bytes) in the System folder

The EXE file is an executable copy of the virus. The DLL is a keystroke logging tool which is used by the virus when it is activated.

The virus spreads itself via email. The emails can look like normal emails or they could have no body text and one of the following subject lines:

Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Greets!

Attachments can have the same filename as another file on the victim's computer.
The attachments have double extensions with the final extension being EXE, SCR or PIF.

Please note that the virus can spoof the From and Reply To fields in the emails it sends.

Additionally, W32/Bugbear-B will infect the following files in the Windows folder:

scandskw.exe
regedit.exe
mplayer.exe
hh.exe
notepad.exe
winhelp.exe

and the following files in the Program Files folder:

Internet Explorer\iexplore.exe
adobe\acrobat 5.0\reader\acrord32.exe
WinRAR\WinRAR.exe
Windows Media Player\mplayer2.exe
Real\RealPlayer\realplay.exe
Outlook Express\msimn.exe
Far\Far.exe
CuteFTP\cutftp32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
ACDSee32\ACDSee32.exe
MSN Messenger\msnmsgr.exe
WS_FTP\WS_FTP95.exe
QuickTime\QuickTimePlayer.exe
StreamCast\Morpheus\Morpheus.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
Trillian\Trillian.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
AIM95\aim.exe
Winamp\winamp.exe
DAP\DAP.exe
ICQ\Icq.exe
kazaa\kazaa.exe
winzip\winzip32.exe

W32/Bugbear-B has a thread running in the background which attempts to terminate anti-virus and security programs with one of the following filenames:

ZONEALARM.EXE, WFINDV32.EXE, WEBSCANX.EXE, VSSTAT.EXE, VSHWIN32.EXE, VSECOMR.EXE, VSCAN40.EXE, VETTRAY.EXE, VET95.EXE, TDS2-NT.EXE, TDS2-98.EXE, TCA.EXE, TBSCAN.EXE, SWEEP95.EXE, SPHINX.EXE, SMC.EXE, SERV95.EXE, SCRSCAN.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, SAFEWEB.EXE, RESCUE.EXE, RAV7WIN.EXE, RAV7.EXE, PERSFW.EXE, PCFWALLICON.EXE, PCCWIN98.EXE, PAVW.EXE, PAVSCHED.EXE, PAVCL.EXE, PADMIN.EXE, OUTPOST.EXE, NVC95.EXE, NUPGRADE.EXE, NORMIST.EXE, NMAIN.EXE, NISUM.EXE, NAVWNT.EXE, NAVW32.EXE, NAVNT.EXE, NAVLU32.EXE, NAVAPW32.EXE, N32SCANW.EXE, MPFTRAY.EXE, MOOLIVE.EXE, LUALL.EXE, LOOKOUT.EXE, LOCKDOWN2000.EXE, JEDI.EXE, IOMON98.EXE, IFACE.EXE, ICSUPPNT.EXE, ICSUPP95.EXE, ICMON.EXE, ICLOADNT.EXE, ICLOAD95.EXE, IBMAVSP.EXE, IBMASN.EXE, IAMSERV.EXE, IAMAPP.EXE, FRW.EXE, FPROT.EXE, FP-WIN.EXE, FINDVIRU.EXE, F-STOPW.EXE, F-PROT95.EXE, F-PROT.EXE, F-AGNT95.EXE, ESPWATCH.EXE, ESAFE.EXE, ECENGINE.EXE, DVP95_0.EXE, DVP95.EXE, CLEANER3.EXE, CLEANER.EXE, CLAW95CF.EXE, CLAW95.EXE, CFINET32.EXE, CFINET.EXE, CFIAUDIT.EXE, CFIADMIN.EXE, BLACKICE.EXE, BLACKD.EXE, AVWUPD32.EXE, AVWIN95.EXE, AVSCHED32.EXE, AVPUPD.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, AVNT.EXE, AVKSERV.EXE, AVGCTRL.EXE, AVE32.EXE, AVCONSOL.EXE, AUTODOWN.EXE, APVXDWIN.EXE, ANTI-TROJAN.EXE, ACKWIN32.EXE, _AVPM.EXE, _AVPCC.EXE, _AVP32.EXE

The keylogging component of W32/Bugbear-B (the DLL) hooks the keyboard input so that it records keystrokes to memory.

W32/Bugbear-B opens port 1080 and listens for commands from a remote machine. Depending on the command issued the remote user may attempt the following on the victim's computer:

Retrieve cached passwords in an encrypted form
Download and execute a file
Find files
Delete files
Execute files
Copy files
Write to files
List processes
Terminate processes

Retrieve information such as username, type of processor, Windows version, Memory information (amount used, amount free, etc), Drive information (types of local drives available, amount of space available on these drives, etc).
The remote user may also attempt to open port 80 (HTTP) on the victim's computer, then connect to the backdoor web server (possibly an Apache 1.3.26-type web server) provided by W32/Bugbear-B and thus achieve a level of control over the infected computer.

Example of a remote user accessing an infected computer using the backdoor

Example of a remote user accessing an infected computer using the backdoor

Example of a remote user accessing an infected computer using the backdoor

Our VIRUS Alert Post for June 2003

Here you will find recent virus alerts...