W32/BabyBear-A

Category: Viruses and Spyware
Protection available since: 28 Jul 2003 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 28 Jul 2003 00:00:00 (GMT)
Prevalence: No Reports

W32/BabyBear-A is a worm that will send itself to all entries found in the address book. It will arrive in an email with one of the following subject and message text combinations:

Subject line: Please Confirm
Message text:
Dear Sir or Madame, We have detected that you have placed a Order for
Msn8. Before we start your Service please confirm your order. To confirm
your order please check the attachement. Thanks, Microsoft Corporation
Support

Subject line: File You Requested
Message text: Hey Here is the file you wanted

The attachment filename will depend on what file name the worm had when it was executed.

W32/BabyBear-A displays a message box with the following fake error:
"Application Error! Missing .Dll File" and displays a picture with references to the Bugbear worm.

From the Creators of BugBear

W32/BabyBear-A will copy itself to the following paths:

W32/BabyBear-A will create the following registry entries to ensure it is run at system startup:

HKLM\Software\microsoft\windows\currentversion\run\Msgmgr
HKLM\Software\microsoft\windows\currentversion\run\Microsoft Corporation

Both registry entries point to a location that contains a copy of the worm.
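
An added example (not part of the original description): a Python check that reads a regedit text export and reports the two Run values named above. The sample export and the file paths in it are constructed placeholders, since the description does not give the paths the values point to.

```python
import re

# Run key from this description; regedit exports spell HKLM out in full.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Value names listed in this description, folded to lower case.
WORM_VALUES = {"msgmgr", "microsoft corporation"}

# Constructed sample of a regedit text export (not taken from an infected host).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Msgmgr"="C:\\EXAMPLE\\placeholder-copy.exe"
"Microsoft Corporation"="C:\\EXAMPLE\\placeholder-copy2.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Msgmgr"="C:\\EXAMPLE\\not-the-run-key.exe"
'''

# A string value line: "name"="data", with \" and \\ escapes allowed inside.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def find_run_entries(export_text):
    """Return [(value_name, data)] for the listed Run values in a .reg export."""
    hits, in_run_key = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key paths are case-insensitive, so compare folded.
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        m = _VALUE.match(line) if in_run_key else None
        # Value names are case-insensitive as well.
        if m and _unescape(m.group(1)).lower() in WORM_VALUES:
            hits.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return hits

if __name__ == "__main__":
    for name, data in find_run_entries(SAMPLE_EXPORT):
        print(f"Run value {name!r} -> {data}")
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16 encoded, so decode the file before passing its text in.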

W32/BabyBear-A creates a system tray icon; if this icon is clicked, the system will shut down.

W32/BabyBear-A will also create the following empty folders:
