W32/Bugbear-D is an internet worm which spreads via file sharing on Kazaa
P2P networks and by emailing itself to contacts in the Windows address book
and to addresses found within files on local and network drives that have
extensions of HTM, SHT, PHP, ASP, DBX, TBB, ADB or WAB.
When first run, W32/Bugbear-D copies itself to the Windows system folder as
taskmon.exe and creates the following registry entry, so that taskmon.exe is
run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMon = %SYSTEM%\taskmon.exe
W32/Bugbear-D copies itself to the Kazaa Transfer folder specified by the
registry entry
HKCU\Kazaa\Transfer\DlDir0
using a filename randomly selected from the list:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with a random extension of EXE, SCR, PIF or BAT.
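The two persistence and spreading artifacts described above (the TaskMon Run value pointing at taskmon.exe, and the fixed basenames combined with EXE/SCR/PIF/BAT in the Kazaa share folder) can be checked for offline with a small script. The following is an added example written for this description, not code from the original page or from any vendor tool; it assumes the standard .reg export format for the Run key and uses a constructed registry export and a constructed file listing as sample input. The actual location of the Windows system folder (%SYSTEM%) varies between installations, so only the trailing "\taskmon.exe" is matched.

```python
import re

# Constructed sample of a "reg export" of the Run key (not real data from any host).
# In .reg files backslashes inside values are doubled.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"
"""

# Constructed directory listing of a Kazaa Transfer folder (not real data).
SAMPLE_KAZAA_DIR = [
    "holiday_photos.zip",
    "winamp5.exe",
    "office_crack.scr",
    "strip-girl-2.0bdcom_patches.pif",
    "nuke2004.txt",          # right basename, but not one of the worm's extensions
    "README.txt",
]

RUN_KEY = "[hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run]"

# Filenames the description lists for the Kazaa copy, and the extensions it pairs them with.
BUGBEAR_D_BASENAMES = {
    "winamp5",
    "icq2004-final",
    "activation_crack",
    "strip-girl-2.0bdcom_patches",
    "rootkitxp",
    "office_crack",
    "nuke2004",
}
BUGBEAR_D_EXTENSIONS = {"exe", "scr", "pif", "bat"}


def find_taskmon_run_entries(reg_export: str) -> list:
    """Return Run-key values named TaskMon whose target ends in \\taskmon.exe."""
    hits = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Track whether we are inside the HKLM ...\Run key section.
            in_run_key = line.lower() == RUN_KEY
            continue
        if not in_run_key or not line:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        # Undo the .reg backslash doubling before comparing the path tail.
        path = value.replace("\\\\", "\\").lower()
        if name.lower() == "taskmon" and path.endswith("\\taskmon.exe"):
            hits.append(f"{name} = {value}")
    return hits


def find_suspect_share_files(filenames) -> list:
    """Return files whose basename and extension match the worm's Kazaa naming scheme."""
    suspects = []
    for fn in filenames:
        base, dot, ext = fn.rpartition(".")
        if not dot:
            continue
        if base.lower() in BUGBEAR_D_BASENAMES and ext.lower() in BUGBEAR_D_EXTENSIONS:
            suspects.append(fn)
    return suspects


if __name__ == "__main__":
    for hit in find_taskmon_run_entries(SAMPLE_REG_EXPORT):
        print("suspicious Run value:", hit)
    for fn in find_suspect_share_files(SAMPLE_KAZAA_DIR):
        print("suspicious shared file:", fn)
```

Both checks are indicators, not proof: a benign program could in principle use the same value name, so a hit should be followed by hashing the referenced file and comparing it against the vendor's detection rather than deleting it outright.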
Several randomly named files are created in the Windows system folder with an
extension of DLL. One of these files is a 5,632-byte keylogger DLL, which is
detected as W32/Bugbear-B; the other files are used for data storage.
W32/Bugbear-D attempts to terminate selected anti-virus and security-related
applications.
W32/Bugbear-D may also log keystrokes, clipboard text and window text and send
this data to a remote account.