Sophos

W32/Bugbear-D

Aliases
  • W32/Mydoom.j@MM

Summary

Affected operating systems Windows
Protection available since 20 April 2004 14:39:15 (GMT)
Last updated 21 October 2008 11:55:00 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for disinfecting PE executables.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMon = %SYSTEM%\taskmon.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Bugbear-D is an internet worm which spreads via file sharing on Kazaa
P2P networks and by emailing itself to contacts in the Windows address book
and to addresses found within files on local and network drives that have
extensions of HTM, SHT, PHP, ASP, DBX, TBB, ADB or WAB.

When first run W32/Bugbear-D copies itself to the Windows system folder as
taskmon.exe and creates the following registry entry, so that taskmon.exe is
run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMon = %SYSTEM%\taskmon.exe

W32/Bugbear-D copies itself to the Kazaa Transfer folder specified by the
registry entry

HKCU\Kazaa\Transfer\DlDir0

using a filename randomly selected from the list:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with a random extension of EXE, SCR, PIF or BAT.

Several randomly named files with a DLL extension are created in the Windows
system folder. One of these files is a 5,632-byte keylogger DLL, which is
detected as W32/Bugbear-B; the other files are used for data storage.
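The indicators in this description (the TaskMon value under the Run key, the Kazaa share folder named by DlDir0, the fixed list of share file names and extensions, and the 5,632-byte DLL in the system folder) can be turned into defender-side checks. The following is example code added for this page, not Sophos code: it reads a constructed Regedit export of the kind the 'Export Registry File' step in the Action section produces, plus constructed directory listings, so it runs offline. The sample export contents, the paths and sizes in the listings, and the function names are assumptions; only the registry value names, file names, extensions and DLL size come from the description.

```python
"""Indicator checks for W32/Bugbear-D (example code, not Sophos code)."""
import re

# Constructed sample of a Regedit 5.00 export; the value data are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"
"TaskMon"="C:\\WINDOWS\\system32\\taskmon.exe"

[HKEY_CURRENT_USER\Software\Kazaa\Transfer]
"DlDir0"="C:\\Program Files\\Kazaa\\My Shared Folder"
"""

# Constructed directory listings: (name) for the Kazaa share, (name, size)
# for the Windows system folder. Names and sizes are invented.
SAMPLE_SHARE_LISTING = ["readme.txt", "winamp5.exe", "Office_Crack.SCR", "setup.exe"]
SAMPLE_SYSTEM_LISTING = [("kernel32.dll", 983552), ("xqjrp.dll", 5632),
                         ("taskmon.exe", 73728), ("qwertz.dll", 4096)]

# Indicators from the description (names compared case-insensitively).
KAZAA_NAMES = {"winamp5", "icq2004-final", "activation_crack",
               "strip-girl-2.0bdcom_patches", "rootkitxp",
               "office_crack", "nuke2004"}
KAZAA_EXTS = {"exe", "scr", "pif", "bat"}
KEYLOGGER_DLL_SIZE = 5632


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: data}}.

    Only REG_SZ values ("name"="data") are decoded; other types are kept raw.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]*)"=(.*)$', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    # Regedit doubles backslashes inside string data.
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_taskmon_run_value(keys):
    """Return the TaskMon Run value data if it points at taskmon.exe, else None."""
    for key, values in keys.items():
        if key.lower().endswith(r"\microsoft\windows\currentversion\run"):
            data = values.get("TaskMon")
            if data and data.lower().endswith("\\taskmon.exe"):
                return data
    return None


def find_kazaa_share_dir(keys):
    """Return the DlDir0 path from any key ending in Kazaa\\Transfer, else None."""
    for key, values in keys.items():
        if key.lower().endswith(r"\kazaa\transfer"):
            return values.get("DlDir0")
    return None


def suspicious_kazaa_files(filenames):
    """Files whose stem is in the worm's name list and extension in its list."""
    hits = []
    for name in filenames:
        stem, _, ext = name.rpartition(".")
        if stem.lower() in KAZAA_NAMES and ext.lower() in KAZAA_EXTS:
            hits.append(name)
    return hits


def suspicious_system_dlls(listing):
    """DLL names from a (name, size) listing whose size is exactly 5,632 bytes."""
    return [name for name, size in listing
            if name.lower().endswith(".dll") and size == KEYLOGGER_DLL_SIZE]


def report(reg_text, share_listing, system_listing):
    """Collect all findings in one dict so a caller can decide what to do."""
    keys = parse_reg_export(reg_text)
    return {
        "taskmon_run_value": find_taskmon_run_value(keys),
        "kazaa_share_dir": find_kazaa_share_dir(keys),
        "kazaa_hits": suspicious_kazaa_files(share_listing),
        "dll_hits": suspicious_system_dlls(system_listing),
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE_REG_EXPORT, SAMPLE_SHARE_LISTING,
                       SAMPLE_SYSTEM_LISTING).items():
        print(f"{k}: {v}")
```

The key matching uses suffixes rather than full paths, so the check does not depend on whether the Kazaa settings sit directly under HKCU or under HKCU\Software, and it also reports a TaskMon value found under an HKCU Run key. A file-size match alone is weak evidence; treat the DLL hit as a prompt to scan the file, not as a verdict.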

W32/Bugbear-D attempts to terminate selected anti-virus and security-related
applications.

W32/Bugbear-D may also log keystrokes, clipboard text and window text and send
this data to a remote account.
