
Win32.BugBear.D@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.BugBear.D@mm is also known as I-Worm.Tanatos.e (KAV).

Explanation :

Previously detected as Win32.BugBear.Gen@mm, the worm spreads, like the earlier variants, by e-mail in the following format:

Subject: one of the following:

Greets!
!!! WARNING !!!
Hi!
sexy
good news!
Re:
Your Gift
Sex pictures
I cannot forget you!
Fwd:
News
You are fat!
Love
Warning!
photo
Friendly
new reading
;)
I love you!
Is that your password?
photos
empty account
Old photos
Me nude
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
[Fwd: look] ;-)
Greetings!
Report
Please Help...
Stats
I need photo!!!
Interesting...
Introduction
various
Announcement
history screen
look
Just a reminder
Payment notices
hmm..
update
Hello!
Body: one of the following:

Take a look to the attachment
See the attached file for more info
Please see Attachment
Pease open an attachment to see the message.
see attachment
See the attached file
please,read the attach file.
Attachment: a ZIP archive, or a file whose name is taken from the infected computer or is one of the following:

Readme.txt
Love.jpg
You.jpg
Myphoto.jpg
News.doc
Image.jpg
Message.txt
Pic.jpg
Girls.jpg
Photo.jpg
Video.avi
Music.mp3
Song.wav
A000032.jpg
with the displayed name followed by many spaces before the real .SCR extension.
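The whitespace-padded attachment names described above are a mail-filtering problem: a client that truncates long names shows "Readme.txt" while the operating system acts on the trailing ".scr". The following is an added example (not code from BitDefender or from the original page) of a defender-side check that recovers the extension the OS will actually use, the decoy extension the reader sees, and flags the padding trick. The executable-extension list and the constructed sample names are assumptions for the example.

```python
import re

# Extensions Windows runs when the attachment is opened.
# Assumption: a minimal defender list for this example, not taken from the page.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js"}

# Benign-looking extensions used by the decoy names listed on the page.
DECOY_EXTENSIONS = {"txt", "jpg", "doc", "avi", "mp3", "wav"}


def real_extension(name):
    """Return the extension the OS acts on: text after the last dot,
    with surrounding whitespace removed and lowercased."""
    _base, dot, ext = name.rpartition(".")
    if not dot:
        return ""
    return ext.strip().lower()


def decoy_extension(name):
    """Return the first extension a human reader sees,
    e.g. 'jpg' for 'Love.jpg        .scr'."""
    m = re.match(r"[^.]+\.([A-Za-z0-9]+)", name)
    return m.group(1).lower() if m else ""


def classify_attachment(name):
    """Return a list of reasons the attachment name looks spoofed.
    An empty list means nothing suspicious was found."""
    reasons = []
    ext = real_extension(name)

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")

    # One or more whitespace characters directly before the final extension:
    # the padding used to push the real extension out of view.
    if re.search(r"\s+\.[A-Za-z0-9]+\s*$", name):
        reasons.append("whitespace padding before final extension")

    decoy = decoy_extension(name)
    if decoy and decoy != ext and decoy in DECOY_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"decoy .{decoy} hides .{ext}")

    return reasons


def scan_attachments(names):
    """Map each attachment name to its list of reasons (only flagged names)."""
    return {n: classify_attachment(n) for n in names if classify_attachment(n)}


if __name__ == "__main__":
    # Constructed sample attachment names for demonstration.
    samples = [
        "Love.jpg",                          # plain decoy name, no trick
        "Readme.txt" + " " * 40 + ".scr",    # padded name, real extension .scr
        "Photo.jpg .scr",                    # single-space padding
        "Report.scr",                        # executable, no decoy
        "notes",                             # no extension at all
    ]
    for name, reasons in scan_attachments(samples).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check deliberately looks at the text after the last dot rather than the first, because that is what the shell uses when the file is opened; a filter that only inspects the leading ".txt" or ".jpg" is exactly what this naming trick is designed to pass.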

It copies itself under a random name (%random%.exe) to the Windows System directory (%WINSYS%) and executes the copy.
It then displays a fake WinZip message box with the following text:
bad CRC 23bb8dea (should be 0be7841c).

The %WINSYS% copy does the following:

It adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%random%
With value:
%WINSYS%\%random%.exe

It tries to register itself as a service (on Win9x machines).
It creates a .dat file for storing e-mail addresses.
It drops a key logger component in the %WINSYS% folder under a random name with a .dll extension. This component is detected as Trojan.KeyLogger.BugBear.B.
It creates two further files with random names and a .dll extension; in these files the worm keeps encrypted data gathered from the computer.
Every 20 seconds it searches for and kills a list of antivirus and firewall processes.
The worm records the user's actions; this information is then sent to an e-mail address.

It searches for e-mail addresses in all the files with the following extensions:

sht
txt
asp
htm
ods
inbox
mmf
nch
mbx
eml
tbb
dbx
It sends itself to all the e-mail addresses it finds, in the same format in which it arrives.

Last update 21 November 2011
