W32/Bugbear-A

Category: Viruses and Spyware
Protection available since: 30 Sep 2002 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 20 Aug 2009 17:51:24 (GMT)
Prevalence: No Reports


W32/Bugbear-A is an internet worm which spreads via SMTP and can also spread
to network shares.

The worm copies itself to the Windows system folder as an EXE file with a
random four-letter name and to the Startup folder as an EXE file with a random
three-letter name, and adds an entry to the registry at
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
to run itself on system restart. The worm also drops a DLL plugin with a random
seven-letter name in the Windows system folder; this plugin is related to
recording keystrokes.

Emails can have any subject and message text or they may have no body and one
of the following subject lines:
"Hello!"
"update"
"Payment notices"
"Just a reminder"
"Correction of errors"
"history screen"
"Announcement"
"various"
"Introduction"
"Interesting..."
"I need help about script!!!"
"Please Help..."
"Report"
"Membership Confirmation"
"Get a FREE gift!"
"Today Only"
"New Contests"
"Lost & Found"
"bad news"
"fantastic"
"click on this!"
"Market Update Report"
"empty account"
"My eBay ads"
"25 merchants and rising"
"CALL FOR INFORMATION!"
"new reading"
"Sponsors needed"
"SCAM alert!!!"
"Warning!"
"its easy"
"free shipping!"
"Daily Email Reminder"
"Tools For Your Online Business"
"New bonus in your cash account"
"Your Gift"
"$150 FREE Bonus!"
"Your News Alert"
"Get 8 FREE issues - no risk!"
"Greets!"

Attachments can have the same filename as another file on the victim's computer
but they may contain the following strings:
Readme
Setup
Card
Docs
News
Image
Images
Pics
Resume
Photo
Video
Music
Song
Data

The attachments have double extensions with the final extension being EXE,
SCR or PIF.
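
The email traits described above can be turned into a mail-filter check. The following is an added example, not part of the original write-up or any vendor tool: the function names, the shortened subject set and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# A few of the subject lines listed above (extend with the full list as needed).
LISTED_SUBJECTS = {"Hello!", "update", "Payment notices", "bad news", "Greets!"}
# Strings the write-up says attachment names may contain.
NAME_STRINGS = ("readme", "setup", "card", "docs", "news", "image", "pics",
                "resume", "photo", "video", "music", "song", "data")
# Double extension whose final extension is EXE, SCR or PIF.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5}\.(exe|scr|pif)\s*$", re.IGNORECASE)

def score_message(raw):
    """Return the reasons a raw RFC 822 message matches the traits described."""
    msg = message_from_string(raw)
    reasons, body_empty = [], True
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if DOUBLE_EXT.search(name):
                reasons.append("double-extension:" + name)
                if any(s in name.lower() for s in NAME_STRINGS):
                    reasons.append("name-string:" + name)
        elif part.get_content_maintype() == "text":
            if (part.get_payload(decode=True) or b"").strip():
                body_empty = False
    # Listed subjects only count when the mail has no body, as described above.
    if body_empty and (msg.get("Subject") or "").strip() in LISTED_SUBJECTS:
        reasons.append("listed-subject-no-body")
    return reasons

def build_sample(subject, body, attachment=None):
    """Build a constructed test mail (not captured traffic)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    for s in (build_sample("Greets!", "\n", "Resume.doc.scr"),
              build_sample("Quarterly numbers", "See attached.\n", "report.pdf")):
        print(score_message(s))
```

The double extension is the strongest signal here; the name strings and subject lines are common words and should only raise the score of a message that already matches it.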

W32/Bugbear-A has a thread running in the background which terminates programs
with one of the following filenames:
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

W32/Bugbear-A also opens port 36794 and sends a notification email via SMTP to
an external address. The email contains confidential information about the
victim's computer, such as username, password and keylogging information.