
Win32.BogusBear.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.BogusBear.A@mm has no known aliases.

Explanation :

This is an Internet worm written in assembly language that uses encryption to slow down analysis. It runs on all Windows platforms for Intel processors.
The worm arrives as a ZIP file attached to an e-mail with the following format:
From: Alerta_RaPida boletin@viralert.net
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
Attachment: protect.zip
If the user unzips the archive and runs ProTecT.exe, the worm displays a fake message (shown only the first time it is run).

After the user clicks OK, the worm renames the original regedit.exe to m_regedit.exe and copies itself in its place as regedit.exe, adopting regedit's default icon. It then checks whether the current year is 2003, and if so shuts down Windows.
It installs itself in the system directory as PrTecTor.exe and sets the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\XRF
to the full path of PrTecTor.exe as string data.
It reads the settings of the default Internet account, harvests e-mail addresses from the WAB (Windows Address Book) and writes them to the file m_WAB.xrf in the system directory. It creates a ZIP archive, m_prgrm.zip, to be used as the attachment of the infected e-mails, and encodes it in Base64 (the encoding used for e-mail attachments).
It then checks every minute for an Internet connection; once the user is online it starts sending e-mails in the format shown above to the addresses stored in m_WAB.xrf, deleting each address from the file after a message to it has been sent successfully.
Because it is disguised as regedit.exe, when the user tries to run regedit.exe the worm deletes the registry value above (so the user cannot spot it by inspecting the Run key) and writes the value back when the program is closed.
The author is probably Spanish and calls himself XRF. He named the virus WKaPCOM.
Sending the worm inside an archive will probably evade some weaker antivirus protection at the user or mail-server level.
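The indicators above (the Run value XRF pointing at PrTecTor.exe, the dropped files, and the fixed sender, subject and attachment name of the infected mail) can be checked mechanically. The following is an added example, not part of the BitDefender description: it matches those indicators against a Run-key snapshot, a System32 directory listing and a raw e-mail message. The snapshot, the file paths, the message body and the angle-bracketed sender address are constructed, and the live registry reader is an assumption about how one would collect the Run key; the indicator values themselves come from the text above. Note that the check reads the Run key through winreg rather than through regedit.exe, because the worm hides its value whenever regedit is running.

```python
"""Indicator checks for Win32.BogusBear.A@mm (added example, not the original description's code)."""
import sys
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from pathlib import PureWindowsPath

# Host indicators taken from the description.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "XRF"                      # string data is the PrTecTor.exe full path
DROPPED_FILES = {"prtector.exe", "m_regedit.exe", "m_wab.xrf", "m_prgrm.zip"}

# Mail indicators taken from the description.
MAIL_FROM = "boletin@viralert.net"
MAIL_SUBJECT = "ProTeccion TOTAL contra W32/Bugbear (30dias)"
MAIL_ATTACHMENT = "protect.zip"


def check_host(run_values, system_dir_files):
    """Match host indicators against a Run-key snapshot and a System32 listing.

    run_values must come from winreg or `reg query`, not from regedit.exe: the
    worm replaces regedit.exe and removes its XRF value while regedit is open,
    so a manual look in regedit shows a clean Run key.
    """
    findings = []
    data = run_values.get(RUN_VALUE_NAME)
    if data and PureWindowsPath(data).name.lower() == "prtector.exe":
        findings.append(f"Run\\{RUN_VALUE_NAME} = {data}")
    for name in system_dir_files:
        if name.lower() in DROPPED_FILES:
            findings.append(f"dropped file {name}")
    return findings


def check_mail(raw_message):
    """Match mail indicators against one RFC 5322 message given as text."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == MAIL_FROM:
        findings.append("sender " + MAIL_FROM)
    if str(msg.get("Subject", "")).strip() == MAIL_SUBJECT:
        findings.append("subject matches")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == MAIL_ATTACHMENT:
            findings.append("attachment " + MAIL_ATTACHMENT)
    return findings


def read_run_values_live():
    """Read HKLM\\...\\Run through winreg on a live Windows host (assumed collection method)."""
    if sys.platform != "win32":
        raise RuntimeError("winreg is only available on Windows")
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values under the key
                return values
            values[name] = data
            index += 1


# Constructed snapshot of an infected host (hypothetical paths and second Run entry).
SAMPLE_RUN_VALUES = {
    "XRF": r"C:\WINDOWS\System32\PrTecTor.exe",
    "SomeUpdater": r"C:\Program Files\Updater\upd.exe",
}
SAMPLE_SYSTEM_DIR = ["regedit.exe", "m_regedit.exe", "PrTecTor.exe", "m_WAB.xrf", "kernel32.dll"]

# Constructed message in the format the description gives (recipient, body, boundary
# and angle brackets around the sender address are invented).
SAMPLE_MAIL = """\
From: Alerta_RaPida <boletin@viralert.net>
To: user@example.invalid
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain; charset="us-ascii"

(constructed body)
--bnd1
Content-Type: application/zip; name="protect.zip"
Content-Disposition: attachment; filename="protect.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--bnd1--
"""

if __name__ == "__main__":
    for line in check_host(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_DIR) + check_mail(SAMPLE_MAIL):
        print(line)
```

On a live host, `check_host(read_run_values_live(), os.listdir(r"C:\WINDOWS\System32"))` applies the same logic to real data; the mail check is meant for a gateway or mailbox scan, where the fixed sender, subject and attachment name make this family easy to block without unpacking the archive.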

Last update 21 November 2011
