Home / malware

PDF

Win32.BugBear.A@mm

First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.BugBear.A@mm is also known as I-Worm.Tanatos.

Explanation :

This is an Internet worm that is spreading trough e-mail. The infected e-mail has the following characteristics:

Subject: Randomly selected from:
Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!

Attachment: Double extension file with final extension: .exe, .pif, .scr.

The worm uses the IFRAME exploit and it will execute itself on preview on some computers with older variants of Internet Explorer.

After the attachment is executed the worm copies itself under a random name in %SYSDIR% and it creates a registry key in:

HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce\%name%

with value %SYSDIR%\%name% where %SYSDIR% is the system directory and %name% is the random generated name.

It will also copy itself under: %WINDIR%Start MenuProgramsStartUp\%name% on Win9x or Documents and Settings\%user%Start MenuProgramsStartUp\%name% on Windows2000/XP where %user% is the currently logged user name.

The worm drops a dll file in %SYSDIR% that will be used for logging all the keystrokes. That dll is detected as Trojan.KeyLogger.BugBear.A

Also the worm creates 2 .dat files in %WINDIR% and 2 .dll files in %SYSDIR%. Those files are data files and are used by the virus to store all the information gathered from that computer.

The worm has one thread that periodically checks the existence of it's files and the runonce registry key and kills the following processes:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

On a different thread it will scan for mail databases with the extensions: .ods, .inbox, .mmf, .nch, .mbx, .eml, .tbb, .dbx, and will gather some of the e-mails found there. The Worm is spreading to local network as well, by searching the StartUp folder in network shares, and dropping itself there.

It also opens port 36794 and waits for HTTP connections.

Last update 21 November 2011

 

TOP