Alias: I-Worm.Tanatos
Type: Worm
Size: 50,688 bytes
Origin: unknown
Date: 09-30-2002
Damage:
VDF Version:
Danger: Medium
Distribution: High
General Description
Worm/BugBear is a mass mailer that can also spread over mapped network drives. The worm is able to terminate some antivirus software and firewalls.
Symptoms
It terminates running processes of some antivirus software and firewalls. It opens port 36794, enabling access to infected computers.
Distribution
Worm/BugBear sends itself by email, using its own SMTP engine. It also spreads over the network from infected computers.
Technical Details
Worm/BugBear is a worm that spreads by sending emails. It can also spread over the local intranet through mapped network drives. The worm's size is 50,588 bytes and it is packed with UPX.
When activated, Worm/BugBear copies itself into the Windows system directory under a random file name (TOYT.EXE, for example). The worm creates the following autorun registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"pwi"="toyt.exe"
The value name "pwi" is randomly chosen. Another copy, also with a random name, is created in the Auto Start folder of the Start menu. Worm/BugBear carries a keylogger component, which it stores as a .DLL file with a random name in the Windows system directory. A second .DLL file contains encoded information.
The worm spreads by sending emails, using the standard SMTP server. It collects email addresses from files matching *INBOX* or having one of the following extensions: .ODS, .MMF, .NCH, .MBX, .EML, .TBB, .DBX.
The subject of the email is one of the following:
* Greets!
* Get 8 FREE issues - no risk!
* Hi!
* Your News Alert
* $150 FREE Bonus!
* Re:
* Your Gift
* New bonus in your cash account
* Tools For Your Online Business
* Daily Email Reminder
* News
* free shipping!
* its easy
* Warning!
* SCAM alert!!!
* Sponsors needed
* new reading
* CALL FOR INFORMATION!
* 25 merchants and rising
* Cows
* My eBay ads
* empty account
* Market Update Report
* click on this!
* fantastic
* wow!
* bad news
* Lost & Found
* New Contests
* Today Only
* Get a FREE gift!
* Membership Confirmation
* Report
* Please Help...
* Stats
* I need help about script!!!
* Interesting...
* Introduction
* various
* Announcement
* history screen
* Correction of errors
* Just a reminder
* Payment notices
* hmm..
* update
* Hello!
In other cases the subject can be totally different.
The body and attachment name can vary, but the attachment can have a double extension, with .exe, .scr or .pif as the last one.
If the worm finds a mapped network drive on a computer, it will copy itself into the Auto Start folder.
The worm searches for the following applications and terminates them:
APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE AVPM.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE
The worm opens port 36794 and thus enables access to the infected computer.
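The indicators described above (double-extension attachments ending in .exe, .scr or .pif, a listener on port 36794, and a RunOnce value naming a bare executable) can be checked with a short triage script. This is an added example, not part of the original description; the sample data is constructed, the port is assumed to be TCP, and the function names and the bare-file-name heuristic are assumptions.

```python
import re

BACKDOOR_PORT = 36794                 # port named in the description (TCP assumed)
EXEC_EXTS = {"exe", "scr", "pif"}     # final extensions named in the description

def has_double_extension(filename):
    """True for names like report.doc.pif: a short alphabetic extension
    followed by a final .exe, .scr or .pif."""
    parts = filename.strip().lower().rsplit(".", 2)
    return (len(parts) == 3 and bool(parts[0])
            and re.fullmatch(r"[a-z]{2,4}", parts[1]) is not None
            and parts[2] in EXEC_EXTS)

def backdoor_listeners(netstat_lines):
    """Return `netstat -an` lines that show a listener on BACKDOOR_PORT."""
    hits = []
    for line in netstat_lines:
        f = line.split()
        if (len(f) >= 4 and f[0].upper() == "TCP" and f[-1].upper() == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT)):
            hits.append(line.strip())
    return hits

def bare_exe_runonce(values):
    """Heuristic (assumption): flag RunOnce data that is only a file name
    with no path, as in "pwi"="toyt.exe". Legitimate entries can match too."""
    return {name: data for name, data in values.items()
            if re.fullmatch(r"[^\\/:\s]+\.exe", data.strip().strip('"').lower())}

def triage(attachments, netstat_lines, runonce_values):
    """Combine the three checks into one report."""
    return {"attachments": [a for a in attachments if has_double_extension(a)],
            "listeners": backdoor_listeners(netstat_lines),
            "runonce": bare_exe_runonce(runonce_values)}

# Constructed sample data, not taken from a real host.
SAMPLE_ATTACHMENTS = ["report.doc.pif", "setup-1.2.exe", "photo.jpg", "news.txt.scr"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135       0.0.0.0:0        LISTENING",
                  "  TCP    0.0.0.0:36794     0.0.0.0:0        LISTENING",
                  "  TCP    10.0.0.5:1042     10.0.0.9:36794   ESTABLISHED"]
SAMPLE_RUNONCE = {"pwi": "toyt.exe",
                  "Updater": r"C:\Program Files\Vendor\update.exe /s"}

if __name__ == "__main__":
    report = triage(SAMPLE_ATTACHMENTS, SAMPLE_NETSTAT, SAMPLE_RUNONCE)
    for kind, hits in report.items():
        print(kind, hits)
```

Because the worm chooses file and value names at random, the RunOnce check matches on shape only and its hits need manual review.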
Description created by Crony Walker on Tuesday, June 15, 2004