Alias: Win32/BugBear.B.Worm, W32/Kijmo.A-mm
Type: Worm
Size: 72,192 bytes (UPX packed)
Origin: USA
Date: 06-05-2003
Damage:
VDF Version: 6.19.00.xx
Danger: Medium
Distribution: High

Symptoms
An unknown .EXE file appears in the Startup (Autostart) folder.

Distribution
Worm/Bugbear.B infects the following files with polymorphic code:
* %Windows%\SCANDSKW.EXE
* %Windows%\REGEDIT.EXE
* %Windows%\MPLAYER.EXE
* %Windows%\HH.EXE
* %Windows%\NOTEPAD.EXE
* %Windows%\WINHELP.EXE
* %Program Files%\INTERNET EXPLORER\IEXPLORE.EXE
* %Program Files%\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
* %Program Files%\WINRAR\WINRAR.EXE
* %Program Files%\WINDOWS MEDIA PLAYER\MPLAYER2.EXE
* %Program Files%\REAL\REALPLAYER\REALPLAY.EXE
* %Program Files%\OUTLOOKEXPRESS\MSIMN.EXE
* %Program Files%\FAR\FAR.EXE
* %Program Files%\CUTEFTP\CUTFTP32.EXE
* %Program Files%\ADOBE\ACROBAT 4.0\READER\ACRORD32.EXE
* %Program Files%\ACDSEE32\ACDSEE32.EXE
* %Program Files%\MSN MESSENGER\MSNMSGR.EXE
* %Program Files%\WS_FTP\WS_FTP95.EXE
* %Program Files%\QUICKTIME\QUICKTIMEPLAYER.EXE
* %Program Files%\STREAMCAST\MORPHEUS\MORPHEUS.EXE
* %Program Files%\ZONE LABS\ZONEALARM\ZONEALARM.EXE
* %Program Files%\TRILLIAN\TRILLIAN.EXE
* %Program Files%\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
* %Program Files%\AIM95\AIM.EXE
* %Program Files%\WINAMP\WINAMP.EXE
* %Program Files%\DAP\DAP.EXE
* %Program Files%\ICQ\ICQ.EXE
* %Program Files%\KAZAA\KAZAA.EXE
* %Program Files%\WINZIP\WINZIP32.EXE

If they are running, the worm terminates the following antivirus and firewall processes:
* ZONEALARM.EXE
* WFINDV32.EXE
* WEBSCANX.EXE
* VSSTAT.EXE
* VSHWIN32.EXE
* VSECOMR.EXE
* VSCAN40.EXE
* VETTRAY.EXE
* VET95.EXE
* TDS2-NT.EXE
* TDS2-98.EXE
* TCA.EXE
* TBSCAN.EXE
* SWEEP95.EXE
* SPHINX.EXE
* SMC.EXE
* SERV95.EXE
* SCRSCAN.EXE
* SCANPM.EXE
* SCAN95.EXE
* SCAN32.EXE
* SAFEWEB.EXE
* RESCUE.EXE
* RAV7WIN.EXE
* RAV7.EXE
* PERSFW.EXE
* PCFWALLICON.EXE
* PCCWIN98.EXE
* PAVW.EXE
* PAVSCHED.EXE
* PAVCL.EXE
* PADMIN.EXE
* OUTPOST.EXE
* NVC95.EXE
* NUPGRADE.EXE
* NORMIST.EXE
* NMAIN.EXE
* NISUM.EXE
* NAVWNT.EXE
* NAVW32.EXE
* NAVNT.EXE
* NAVLU32.EXE
* NAVAPW32.EXE
* N32SCANW.EXE
* MPFTRAY.EXE
* MOOLIVE.EXE
* LUALL.EXE
* LOOKOUT.EXE
* LOCKDOWN2000.EXE
* JEDI.EXE
* IOMON98.EXE
* IFACE.EXE
* ICSUPPNT.EXE
* ICSUPP95.EXE
* ICMON.EXE
* ICLOADNT.EXE
* ICLOAD95.EXE
* IBMAVSP.EXE
* IBMASN.EXE
* IAMSERV.EXE
* IAMAPP.EXE
* FRW.EXE
* FPROT.EXE
* FP-WIN.EXE
* FINDVIRU.EXE
* F-STOPW.EXE
* F-PROT95.EXE
* F-PROT.EXE
* F-AGNT95.EXE
* ESPWATCH.EXE
* ESAFE.EXE
* ECENGINE.EXE
* DVP95_0.EXE
* DVP95.EXE
* CLEANER3.EXE
* CLEANER.EXE
* CLAW95CF.EXE
* CLAW95.EXE
* CFINET32.EXE
* CFINET.EXE
* CFIAUDIT.EXE
* CFIADMIN.EXE
* BLACKICE.EXE
* BLACKD.EXE
* AVWUPD32.EXE
* AVWIN95.EXE
* AVSCHED32.EXE
* AVPUPD.EXE
* AVPTC32.EXE
* AVPM.EXE
* AVPDOS32.EXE
* AVPCC.EXE
* AVP32.EXE
* AVP.EXE
* AVNT.EXE
* AVKSERV.EXE
* AVGCTRL.EXE
* AVE32.EXE
* AVCONSOL.EXE
* AUTODOWN.EXE
* APVXDWIN.EXE
* ANTI-TROJAN.EXE
* ACKWIN32.EXE
* _AVPM.EXE
* _AVPCC.EXE
* _AVP32.EXE

Worm/Bugbear.B also has a backdoor component that listens on TCP port 1080. Through it an attacker can run programs, terminate processes and retrieve system information from the infected machine.

Technical Details
When activated, Worm/Bugbear.B creates two .DAT files with different random names in the Windows directory:
* C:\WINDOWS\<%filename%>.dat
* C:\WINDOWS\<%filename%>.dat
and copies itself into the Startup folder, on Windows 95/98/ME as:
* C:\WINDOWS\Start Menu\Programs\Startup\<%filename%>.EXE
or on Windows NT/2000/XP as:
* C:\Documents and Settings\<username>\Start Menu\Programs\Startup\<%filename%>.EXE

It also creates a .DLL file with a random seven-character name in which it stores the data it logs from the user (its keylogger output):
* C:\Windows\System\<%filename%>.dll
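The drop locations above, together with the TCP port 1080 listener described earlier, make a usable triage checklist. The script below is an added example, not Avira's code or the worm's: it takes a directory listing and `netstat -an` output as plain strings (the samples embedded in it are constructed), and flags executables in either Startup folder, .DAT files directly in C:\WINDOWS, seven-letter .DLL names in the System directory, and any TCP listener on port 1080. Whether a DLL name is "random" cannot be tested from the name alone, so every seven-letter .dll in that directory is returned for analyst review; that rule is an assumption of the example, not a statement from the description.

```python
"""Host triage for the Worm/Bugbear.B artifacts listed above (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a directory listing as exported from a suspect host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Start Menu\Programs\Startup\cuu.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\notes.lnk",
    r"C:\WINDOWS\fttq.dat",
    r"C:\WINDOWS\System\oecsmwp.dll",
    r"C:\WINDOWS\System\kernel32.dll",
    r"C:\WINDOWS\NOTEPAD.EXE",
]

# Constructed sample: lines from `netstat -an` on the same host.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1025       10.0.0.7:25            ESTABLISHED",
]

# Both the 9x and the NT layout end in Start Menu\Programs\Startup.
STARTUP_TAIL = ("start menu", "programs", "startup")
WINDOWS_DIR = PureWindowsPath(r"C:\WINDOWS")
SYSTEM_DIR = WINDOWS_DIR / "System"
BACKDOOR_PORT = 1080


def is_startup_exe(path):
    """An .EXE placed directly in a Startup folder (shortcuts are normal, binaries are not)."""
    p = PureWindowsPath(path)
    tail = tuple(part.lower() for part in p.parent.parts[-3:])
    return p.suffix.lower() == ".exe" and tail == STARTUP_TAIL


def is_windows_dat(path):
    """A .DAT file directly in the Windows directory (PureWindowsPath compares case-insensitively)."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".dat" and p.parent == WINDOWS_DIR


def is_seven_letter_dll(path):
    """A .DLL in the System directory whose stem is exactly seven letters.
    Assumption of this example: randomness cannot be tested, so all such names
    are returned for review and legitimate ones must be cleared by the analyst."""
    p = PureWindowsPath(path)
    return (p.suffix.lower() == ".dll"
            and p.parent == SYSTEM_DIR
            and re.fullmatch(r"[A-Za-z]{7}", p.stem) is not None)


def backdoor_listeners(netstat_lines):
    """Local endpoints from `netstat -an` output that are LISTENING on TCP 1080."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local = fields[1]
        _host, _, port = local.rpartition(":")
        if port.isdigit() and int(port) == BACKDOOR_PORT:
            hits.append(local)
    return hits


def triage(paths, netstat_lines):
    """Group every indicator found in the inputs by the artifact it matches."""
    return {
        "startup_exe": [p for p in paths if is_startup_exe(p)],
        "windows_dat": [p for p in paths if is_windows_dat(p)],
        "system_dll_7letter": [p for p in paths if is_seven_letter_dll(p)],
        "tcp1080_listeners": backdoor_listeners(netstat_lines),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_PATHS, SAMPLE_NETSTAT).items():
        print(f"{category}: {hits}")
```

Feed it a real `dir /s /b` export and a `netstat -an` capture from the suspect machine; a hit in every category at once is a strong signal, a lone seven-letter DLL is not.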

Worm/Bugbear.B searches the local hard disk for files whose names contain one of the following strings (mailbox and message formats): .DBX, .TBB, .EML, .MBX, .NCH, .MMF, INBOX, .ODS. It harvests email addresses from these files and sends itself to them using its own SMTP engine.

The subject line of the email is one of the following:
* Market Update Report
* empty account
* update
* hmm..
* Payment notices
* Just a reminder
* Correction of errors
* Membership Confirmation
* Get a FREE gift!
* Today Only
* New Contests
* Lost & Found
* bad news
* wow!
* fantastic
* click on this!
* I need help about script!!!
* Stats
* Please Help...
* Report
* free shipping!
* News
* Daily Email Reminder
* Tools For Your Online Business
* New bonus in your cash account
* My eBay ads
* Cows
* 25 merchants and rising
* CALL FOR INFORMATION!
* new reading
* Hello!
* Your Gift
* Re:
* $150 FREE Bonus!
* Your News Alert
* Hi!
* Get 8 FREE issues - no risk!
* Greets!
* Sponsors needed
* SCAM alert!!!
* Warning!
* its easy
* history screen
* Announcement
* various
* Introduction
* Interesting...

The attachment of the infected email varies. Its name usually carries a double extension, for example:

* <%filename%>.html.exe
* <%filename%>.doc.scr

The worm takes the attachment's name from a file in the "My Documents" folder. If no documents are stored there, it uses one of the names it carries with it:

readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song or data

One of the following is used as the first extension:
* .txt
* .vxd
* .sys
* .cpp
* .html
* .reg
* .ini
* .bat
* .diz
* .htm
* .jpeg
* .jpg
* .gif
* .cpl
* .dll
* .com
* .exe
* .bmp

For the second extension, the worm uses one of these:
* .scr
* .pif
* .exe
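The naming scheme described above (base name, first extension, executable second extension) can be turned into a mail-gateway check. The following is an added example, not Avira's code or the worm's: it parses a constructed MIME message with Python's `email` package, splits each attachment name into base, first and second extension, and blocks anything whose final extension is .scr, .pif or .exe, reporting separately when the base name and first extension both come from the lists on this page. A name taken from "My Documents" keeps that document's own extension (for example .doc), so such attachments are caught by the generic double-extension rule rather than by the list match. The sample message is constructed for illustration.

```python
"""Mail-gateway check for Bugbear.B-style attachment names (added example)."""
import email
from email import policy

# Lists taken from the description above, lower-cased for comparison.
CARRIED_NAMES = {"readme", "setup", "card", "docs", "news", "image", "images",
                 "pics", "resume", "photo", "video", "music", "song", "data"}
FIRST_EXTS = {"txt", "vxd", "sys", "cpp", "html", "reg", "ini", "bat", "diz",
              "htm", "jpeg", "jpg", "gif", "cpl", "dll", "com", "exe", "bmp"}
SECOND_EXTS = {"scr", "pif", "exe"}

# Constructed sample message: one of the listed subjects, one double-extension attachment.
SAMPLE_MAIL = """\
From: someone@example.invalid
To: victim@example.invalid
Subject: Membership Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hi
--XYZ
Content-Type: application/octet-stream; name="readme.doc.scr"
Content-Disposition: attachment; filename="readme.doc.scr"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""


def split_attachment_name(filename):
    """Split 'base.first.last' into (base, first, last) with extensions lower-cased.
    A single-extension name yields first=None; a bare name yields (name, None, None)."""
    parts = filename.rsplit(".", 2)
    if len(parts) == 3:
        return parts[0], parts[1].lower(), parts[2].lower()
    if len(parts) == 2:
        return parts[0], None, parts[1].lower()
    return filename, None, None


def classify_attachment(filename):
    """Return the gateway action for one attachment filename."""
    base, first, last = split_attachment_name(filename)
    if last not in SECOND_EXTS:
        return "allow"                       # final extension is not one the worm uses
    if first is None:
        return "block:executable"            # plain .exe/.scr/.pif is blocked regardless
    if base.lower() in CARRIED_NAMES and first in FIRST_EXTS:
        return "block:bugbear-carried-name"  # exact match of the worm's built-in scheme
    return "block:double-extension"          # e.g. a My Documents name: report.doc.scr


def scan_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment by its filename."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():      # body parts are skipped, attachments yielded
        name = part.get_filename()
        if name:
            findings.append((name, classify_attachment(name)))
    return str(msg["Subject"]), findings


if __name__ == "__main__":
    subject, findings = scan_message(SAMPLE_MAIL)
    print(subject)
    for name, action in findings:
        print(f"{name}: {action}")
```

The check deliberately ignores the subject line: the subjects listed above are ordinary phrases that legitimate mail also uses, so the attachment name is the reliable signal and the subject is only corroborating context.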
Description inserted by Crony Walker on Tuesday, June 15, 2004
