W32/Bugbear-A

Aliases	Tanat Tanatos WORM_NATOSTA.A W32/Bugbear@MM I-Worm/Keywo Worm/Tanatos.1 Worm/Tanatos.2
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Included in our products from	November 2002 (3.63)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

See the information on disinfecting W32/Bugbear-A.

More Information

Summary
Action
More Information

W32/Bugbear-A is a network-aware worm. W32/Bugbear-A spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.

Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.

The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

If the worm activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the worm. You will find:

xxx.EXE (usually 50688 bytes) in the Startup folder

yyyy.EXE (usually 50688 bytes) in the System folder

zzzzzzz.DLL (usually 5632 bytes) in the System folder

The two EXE files are executable copies of the worm. The DLL is a keystroke logging tool which is used by the worm when it is activated.

The worm not only adds itself to the Startup folder, but also adds an entry to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

This means that the worm will be reactivated when your computer is rebooted.

The worm spreads itself via email. The emails can look like normal emails or they could have no body text and one of the following subject lines:

Attachments can have the same filename as another file on the victim's computer but they may contain the following strings:

The attachments have double extensions with the final extension being EXE,
SCR or PIF.

Please note that the worm can spoof the From and Reply To fields in the emails it sends.

W32/Bugbear-A has a thread running in the background which attempts to terminate anti-virus and security programs with one of the following filenames:

ZONEALARM.EXE, WFINDV32.EXE, WEBSCANX.EXE, VSSTAT.EXE, VSHWIN32.EXE, VSECOMR.EXE, VSCAN40.EXE, VETTRAY.EXE, VET95.EXE, TDS2-NT.EXE, TDS2-98.EXE, TCA.EXE, TBSCAN.EXE, SWEEP95.EXE, SPHINX.EXE, SMC.EXE, SERV95.EXE, SCRSCAN.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, SAFEWEB.EXE, RESCUE.EXE, RAV7WIN.EXE, RAV7.EXE, PERSFW.EXE, PCFWALLICON.EXE, PCCWIN98.EXE, PAVW.EXE, PAVSCHED.EXE, PAVCL.EXE, PADMIN.EXE, OUTPOST.EXE, NVC95.EXE, NUPGRADE.EXE, NORMIST.EXE, NMAIN.EXE, NISUM.EXE, NAVWNT.EXE, NAVW32.EXE, NAVNT.EXE, NAVLU32.EXE, NAVAPW32.EXE, N32SCANW.EXE, MPFTRAY.EXE, MOOLIVE.EXE, LUALL.EXE, LOOKOUT.EXE, LOCKDOWN2000.EXE, JEDI.EXE, IOMON98.EXE, IFACE.EXE, ICSUPPNT.EXE, ICSUPP95.EXE, ICMON.EXE, ICLOADNT.EXE, ICLOAD95.EXE, IBMAVSP.EXE, IBMASN.EXE, IAMSERV.EXE, IAMAPP.EXE, FRW.EXE, FPROT.EXE, FP-WIN.EXE, FINDVIRU.EXE, F-STOPW.EXE, F-PROT95.EXE, F-PROT.EXE, F-AGNT95.EXE, ESPWATCH.EXE, ESAFE.EXE, ECENGINE.EXE, DVP95_0.EXE, DVP95.EXE, CLEANER3.EXE, CLEANER.EXE, CLAW95CF.EXE, CLAW95.EXE, CFINET32.EXE, CFINET.EXE, CFIAUDIT.EXE, CFIADMIN.EXE, BLACKICE.EXE, BLACKD.EXE, AVWUPD32.EXE, AVWIN95.EXE, AVSCHED32.EXE, AVPUPD.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, AVNT.EXE, AVKSERV.EXE, AVGCTRL.EXE, AVE32.EXE, AVCONSOL.EXE, AUTODOWN.EXE, APVXDWIN.EXE, ANTI-TROJAN.EXE, ACKWIN32.EXE, _AVPM.EXE, _AVPCC.EXE, _AVP32.EXE

The keylogging component of W32/Bugbear-A (the DLL) hooks the keyboard input so that it records keystrokes to memory. When the user next connects to the internet using a dial-up connection, the worm sends this information to one of the following remote email addresses:

mshaw@hispostbox.com mannchris@gala.net gili_zbl@yahoo.com c.willoughby@myrealbox.com brdlhow@ml1.net sc4579@excite.com jwwatson@excite.com stevechurchis@excite.com langobaden@excite.com jacopo58@excite.com sctanner@myrealbox.com erisillen@canada.com sergio52@mac.com rvre2736@fairesuivre.com zr376q@yahoo.com t435556@email.it sdsdfsf@callme.as boxhill@teach.com stickly@login.pe.kr vique@aggies.org sm2001@mail.gerant.com rwilson@singmail.com

W32/Bugbear-A opens port 36794 and listens for commands from a remote machine. Depending on the command issued the remote user may attempt the following on the victim's computer:

Retrieve cached passwords in an encrypted form
Download and execute a file
Find files
Delete files
Execute files
Copy files
Write to files
List processes
Terminate processes
Retrieve information such as username, type of processor, Windows version, Memory information (amount used, amount free, etc), Drive information (types of local drives available, amount of space available on these drives, etc).

The remote user may also attempt to open port 80 (HTTP) on the victim's computer, then connect to the backdoor web server (possibly an Apache 1.3.26-type web server) provided by W32/Bugbear-A and thus achieve a level of control over the infected computer.

Example of a remote user accessing an infected computer using the backdoor

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Bugbear-A

Summary

Action

More Information