Alias: I-Worm.Tanatos.a, W32/BugBearQMM, W95/BugBear.A@mm, W32.BugBear@mm
Type: Worm
Size: 50,688 bytes, UPX packed or
Origin:
Date: 00-00-0000
Damage: Spreads by email and over shared networks; keylogger function.
VDF Version:
Danger: Low
Distribution: Low

Distribution

The worm sends itself to all email addresses it can find on the local system. It uses words and file names collected from the system to name its emails.
The emails can look like this, or they can be formed from arbitrary lines of text:

Subject:
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help...
Re: $150 FREE Bonus!
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
wow!
Your Gift
Your News Alert

Body: variable.

Attachment: the name is also variable, but it can be formed from the following words:
Card
Docs
image
images
music
news
photo
pics
readme
resume
Setup
song
video

It has a double extension: .doc.pif
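
A mail-gateway style check for the double-extension attachment names described above, as an added example that is not Avira's code. It generalises beyond the single .doc.pif case: the extension sets other than doc and pif, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Final extensions that Windows runs directly. Only "pif" comes from the
# description above; the others are assumptions added to generalise the check.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd"}
# Inner extensions that make the file look like a document or media file
# ("doc" is from the description, the others are assumptions).
DECOY_EXTS = {"doc", "txt", "jpg", "gif", "mp3", "mpg", "htm", "pdf"}

def is_deceptive_name(filename):
    """True for names ending in <decoy>.<executable>, e.g. readme.doc.pif."""
    base = re.split(r"[\\/]", filename)[-1]
    # Windows ignores trailing dots and spaces, so drop them first.
    base = base.rstrip(". ").lower()
    # Strip padding around each component ("photo.doc      .pif").
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS

def flag_attachments(raw_message):
    """Return the attachment file names in a raw message that look deceptive."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_deceptive_name(n)]

# Constructed sample message (not a captured worm email).
SAMPLE = """\
Subject: Just a reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.DOC.pif"

constructed-body
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="resume.doc"

constructed-body
--b1--
"""

if __name__ == "__main__":
    print(flag_attachments(SAMPLE))
```

Because the subject and body vary, the attachment name is the most stable mail-side indicator in this description, which is why the check keys on it alone.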

The worm tries to copy itself as an .exe file to network-connected computers.

Technical Details

When activated, the worm copies itself as an .exe file into the Windows system directory. For example:
C:\%WinDIR%\%SystemDIR%\FYFA.EXE
C:\%WinDIR%\%SystemDIR%\FVFA.EXE

It changes the following registry entry so that it starts automatically:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce "%random letters%" = %random filename%.EXE (Win9x)

The worm also copies itself as an .exe file into the startup directory. For example:
C:\%WinDIR%\Start Menu\Programs\Startup\CUK.EXE
C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE

The worm opens TCP port 36794 on the computer and tries to terminate active processes on the system. It creates a .dll named PWS-Hooker.dll.
Description inserted by Crony Walker on Tuesday, June 15, 2004
