Protect yourself from the Bugbear worm

CIOL Bureau

BANGALORE - AVERT (Anti-Virus Emergency Response Team), the anti-virus research division
of Network Associates, Inc., has assigned a High risk assessment to the recently discovered W32/Bugbear.b@MM, also known as Bugbear.B. Bugbear.B is a complex mass-mailing worm made up of several components: it spreads via network shares and by emailing itself to addresses harvested from the infected system. It was first discovered on Tuesday and has since been found in numerous countries across North America and Europe.



Symptoms


Bugbear is an Internet mass-mailing worm that, once activated, emails itself to addresses found on the local system. The sender address can be spoofed (forged), so it is not a reliable indication of which user is infected. The worm harvests addresses from files whose names contain these strings:


  • .DBX

  • .EML

  • INBOX

  • .MBX

  • .MMF

  • .NCH

  • .ODS

  • .TBB


Bugbear spreads through network shares and mails itself using its own SMTP engine. Signs of infection are a non-standard .EXE file in the Startup folder and the system listening on TCP port 1080. The worm also carries a long list of domain names, mostly those of financial institutions, seemingly for use in forging email addresses. The list includes:


  • 1natbanker.com

  • 1nationalbank.com

  • 1stfederal.com

  • 1stnatbank.com

  • 1stnationalbank.com

  • 365online.com

  • 53.com
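The two host-side symptoms named above (a listener on TCP port 1080 and a non-standard .EXE in the Startup folder) can be checked with a short script. The following is an added example and not part of the AVERT advisory or the CIOL article: the `netstat -an` excerpt and the Startup folder contents it inspects are constructed, the file name `xkqp.exe` is a placeholder for the worm's non-standard executable, and the `known_good` allow-list is an assumption to be tuned per site.

```python
"""Host checks for the two Bugbear.B symptoms the advisory names.

Added example, not part of the original advisory. The netstat lines and the
Startup folder contents below are constructed; `known_good` is an assumption.
"""
import os
import re
import tempfile

# `netstat -an` on Windows prints: proto, local address, foreign address, state.
_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def listeners_on(netstat_output: str, port: int) -> list:
    """Return the local addresses with a TCP listener on `port`."""
    found = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            found.append(m.group(1))
    return found


def unexpected_exes(startup_dir: str, known_good=()) -> list:
    """Return .exe files in `startup_dir` that are not on the known-good list.

    Startup folders normally hold shortcuts (.lnk), not executables, so any
    .exe the site did not put there deserves a look.
    """
    allowed = {n.lower() for n in known_good}
    return sorted(
        entry.name for entry in os.scandir(startup_dir)
        if entry.is_file()
        and entry.name.lower().endswith(".exe")
        and entry.name.lower() not in allowed
    )


# Constructed `netstat -an` excerpt. The 0.0.0.0:1080 LISTENING line is what an
# infected host would show; the ESTABLISHED line on 1080 is deliberately not a
# listener and must not be reported.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1080      10.0.0.5:3512          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def demo() -> dict:
    """Run both checks against constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as startup:
        # Constructed Startup folder: one ordinary shortcut, one worm-like .exe
        # (placeholder name; the real worm uses a non-standard name).
        for name in ("Office Startup.lnk", "xkqp.exe"):
            open(os.path.join(startup, name), "wb").close()
        return {
            "port_1080": listeners_on(SAMPLE_NETSTAT, 1080),
            "startup_exes": unexpected_exes(startup),
        }


if __name__ == "__main__":
    print(demo())
```

On a live host, feed `listeners_on` the output of `netstat -an` and point `unexpected_exes` at the per-user and all-users Startup folders; a hit on either check is a trigger for a full scan with a current engine, not proof of infection on its own.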

Bugbear uses a large number of different subject lines. Users should immediately delete unexpected messages whose subject is one of the following:


Subject:


  • Announcement

  • Daily Email Reminder

  • fantastic

  • free shipping!

  • Get 8 FREE issues - no risk!

  • Get a FREE gift!

  • Hello!

  • Hi!

  • hmm..

  • Interesting...

  • Introduction

  • Just a reminder

  • Lost & Found

  • Market Update Report

To view the complete list of potential email subject lines, please visit the description page on AVERT's site at: http://vil.nai.com/vil/content/v_100358.htm.


Body of email:

The message body varies and may contain fragments of files found on the victim's system. The attachment name also varies, but typically contains one of the following strings:


  • Card

  • Docs

  • image

  • images

  • music

  • news

  • photo

  • pics

  • readme

  • resume

  • Setup

  • song

  • video


Once Bugbear infects a computer system, it attempts to terminate the processes of security programs running on that system, for example:


  • ACKWIN32.exe

  • ANTI-TROJAN.exe

  • AUTODOWN.exe

  • AVE32.exe

  • AVKSERV.exe

  • AVPDOS32.exe

  • AVPM.exe

  • BLACKICE.exe

  • SAFEWEB.exe

  • SCANPM.exe

  • SCRSCAN.exe

  • SERV95.exe

  • VET95.exe

  • VETTRAY.exe

  • VSCAN40.exe

  • ZONEALARM.exe

To view the complete list of security programs affected, please visit the description page on AVERT's site at: http://vil.nai.com/vil/content/v_100358.htm.


Additionally, Bugbear.B contains a polymorphic parasitic file infector: it inserts itself into existing executables (parasitic) and alters its own code with each infection (polymorphic). To locate its targets it reads the Program Files path from the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir

It then tries to infect a fixed list of executables, including the following (the relative paths are resolved under the Program Files directory):


  • hh.exe

  • mplayer.exe

  • notepad.exe

  • regedit.exe

  • scandskw.exe

  • winhelp.exe

  • ACDSee32\ACDSee32.exe

  • Adobe\Acrobat 4.0\Reader\AcroRd32.exe

  • adobe\acrobat5.0\reader\acrord32.exe

  • AIM95\aim.exe

  • CuteFTP\cutftp32.exe
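Because the infector targets a known, fixed set of executables, the natural check is a hash comparison of exactly those files against a baseline taken on a clean build. The following is an added example and not code from the AVERT advisory or the CIOL article. It reads `ProgramFilesDir` from the same registry value the advisory says the worm uses (only on Windows; elsewhere a caller-supplied path is used), resolves the listed relative paths under it, and reports changed or missing targets. The baseline and the files in `demo()` are constructed; the assumption that the bare file names live in the Windows directory is the author's, not a statement the page makes.

```python
"""Integrity check over the executables Bugbear.B is known to infect.

Added example, not part of the original advisory. The demo data is constructed.
Assumption: bare names are in the Windows directory; relative paths are under
the Program Files directory named by the ProgramFilesDir registry value.
"""
import hashlib
import os
import tempfile

WINDIR_TARGETS = ("hh.exe", "mplayer.exe", "notepad.exe", "regedit.exe",
                  "scandskw.exe", "winhelp.exe")
PROGRAM_FILES_TARGETS = (
    r"ACDSee32\ACDSee32.exe",
    r"Adobe\Acrobat 4.0\Reader\AcroRd32.exe",
    r"adobe\acrobat5.0\reader\acrord32.exe",
    r"AIM95\aim.exe",
    r"CuteFTP\cutftp32.exe",
)


def program_files_dir(fallback=None):
    """Read ProgramFilesDir from the registry value the worm itself consults."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return fallback
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion") as key:
        value, _ = winreg.QueryValueEx(key, "ProgramFilesDir")
    return value


def target_paths(windir: str, progfiles: str) -> list:
    """Absolute paths of every target, in the order listed on this page."""
    paths = [os.path.join(windir, name) for name in WINDIR_TARGETS]
    paths += [os.path.join(progfiles, *rel.split("\\")) for rel in PROGRAM_FILES_TARGETS]
    return paths


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths) -> dict:
    """Hash every target that exists; absent ones are simply not installed."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}


def compare(baseline: dict, current: dict) -> dict:
    """Classify targets: changed since baseline, missing now, or newly present."""
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then one target is modified."""
    with tempfile.TemporaryDirectory() as windir, tempfile.TemporaryDirectory() as pf:
        paths = target_paths(windir, pf)
        for p in paths[:3] + paths[-1:]:           # pretend four targets are installed
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(b"MZ original image of " + os.path.basename(p).encode())
        baseline = snapshot(paths)
        with open(paths[0], "ab") as f:            # simulate a parasitic infection
            f.write(b"\x00" * 64 + b"appended code")
        os.remove(paths[-1])                       # simulate a target disappearing
        report = compare(baseline, snapshot(paths))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host, take the baseline with `snapshot(target_paths(windir, program_files_dir()))` before any suspected infection and store it off the machine; a parasitic infector that rewrites the file can just as easily rewrite a baseline kept beside it.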
