What
is BugBear.B worm and How Did I Get It?
The Bugbear.B worm
is a variant of original BugBear worm released in
the fall of 2002. This worm is a a mass-mailing
worm that also spreads through network shares. It
will not only email to addresses found in the
infected machine, but it will also terminate
anti-virus software, install a keylogger program
to potentially grab users passwords and other
important info, and install a backdoor program to
allow access to the machine from the outside
world. The perfect opportunity for a hacker to
invade a machine.
Its email messages
contain an exploit that allows attachments to
automatically execute when the messages are
viewed or even previewed in Microsoft Outlook and
Outlook Express. The vulnerability exploit
affects systems with unpatched Internet Explorer
5.01 and 5.5. Microsoft has released a patch for
this exploit, however many systems are still not
updated. You can read more information about this
exploit and patch by visiting the Microsoft
security bulletin Incorrect
MIME Header Can Cause IE to Execute E-mail
Attachment.
The worm sends an
email with the following characteristics:
Subject can be any
of the following:
- Hello!
- update
- hmm..
- Payment notices
- Just a reminder
- Correction of
errors
- history screen
- Announcement
- various
- Introduction
- Interesting...
- I need help about
script!!!
- Stats
- Please Help...
- Report
- Membership
Confirmation
- ......
Attachment:
the worm uses filenames in the My Documents
folder location, which have one of the following
extensions:
- .reg
- .ini
- .bat
- .diz
- .txt
- .cpp
- .html
- .htm
- .jpeg
- .jpg
- .gif
- .cpl
- .dll
- .vxd
- .sys
- .com
- .exe
- .bmp
The attachment
contains a double file extension (such as
Attachment.jpg.exe) using one of the following:
Also the filename
can contain one of the following words:
- readme
- Setup
- Card
- Docs
- news
- image
- images
- pics
- resume
- photo
- video
- music
- song
- data
File
infections of local and network drives
The worm can also
infect the following programs on local and
network drives:
- scandskw.exe
- regedit.exe
- mplayer.exe
- hh.exe
- notepad.exe
- winhelp.exe
- Internet Explorer\iexplore.exe
- adobe\acrobat
5.0\reader\acrord32.exe
- WinRAR\WinRAR.exe
- Windows Media
Player\mplayer2.exe
- Real\RealPlayer\realplay.exe
- Outlook Express\msimn.exe
- Far\Far.exe
- CuteFTP\cutftp32.exe
- Adobe\Acrobat
4.0\Reader\AcroRd32.exe
- ACDSee32\ACDSee32.exe
- MSN Messenger\msnmsgr.exe
- WS_FTP\WS_FTP95.exe
- ......
The worm attempts to
copy itself to networked shared drives and does
not differentiate between shared drives or
printers, so it will inadvertently copy itself as
a printer job sending garbled data to network
printers.
Keylogger
The worm drops a
keylogger as a randomly named DLL in the
\Windows\System folder. The file is 5,632 bytes
in size and is detected as PWS.Hooker.Trojan
(according to Symantec). The worm creates
additional encrypted files in the Windows and
\Windows\System folders with randomly named
filenames, with the extensions .dll or .dat.
These files store configuration information and
encrypted keystrokes that the keylogger records.
Auto Dial
The worm
contains over 1000 targeted bank domains, likely
as an attempt to steal passwords more
efficiently. If the worm determines the default
email address of the computer belongs to one of
these domains, it enables auto-dialing in the
registry by setting the following registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings
"EnableAutodial"="0000001"
Antivirus
and Security Program Termination
The worm attempts to
terminate antivirus and security product programs
that match the following names:
- ZONEALARM.EXE
- WFINDV32.EXE
- WEBSCANX.EXE
- VSSTAT.EXE
- VSHWIN32.EXE
- VSECOMR.EXE
- VSCAN40.EXE
- VETTRAY.EXE
- VET95.EXE
- TDS2-NT.EXE
- TDS2-98.EXE
- TCA.EXE
- TBSCAN.EXE
- SWEEP95.EXE
- SPHINX.EXE
- SMC.EXE
- SERV95.EXE
- ......
Backdoor
vulnerability
Lastly, the worm
also opens a listening port on port 1080. A
hacker can connect to this port and perform the
following actions:
- Delete files.
- Terminate
processes.
- List processes and
deliver the list to the hacker.
- Copy files.
- Start processes.
- List files and
deliver the list to the hacker.
- Deliver
intercepted keystrokes to the hacker in an
encrypted form. This action could release
confidential information typed on a computer
(passwords, login details, and so on).
- Deliver the system
information to the worm's creator in the
following form:
- User: <user
name>
- Processor:
<type of processor used>
- Windows
version: <Windows version, build
number>
- Memory
information: <Memory available, and so
on>
- Local drives,
their types (for example,
fixed/removable/RAM disk/CD-ROM/remote),
as well as their physical characteristics.
- List the network
resources and their types, and deliver the
list to the worm's creator.
How
to Remove the BugBear.B Worm?
Since Bugbear.B is a
blended virus threat, I would not recommend
trying any simple manual removal of this virus.
Instead, either click on the following link to
download an automatic removal tool or following the directions below to update and
run an antivirus check on your system.
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Bugbear.B during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
Follow these steps to upgrade your
antivirus software and run a thorough virus check
of your system.
- Disable
System Restore (Windows Me/XP).
- Connect to the
Internet and Update the virus definitions.
- Restart the
computer in Safe mode (Windows
95/98/Me/2000/XP) or VGA mode (Windows NT).
- Run a full system
scan and delete or repair all the files
detected as Bugbear.B.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Worms - 'B':
| 
