Hi,
Got this from my IT director - scary stuff!
Good Evening All,
I wanted to send this e-mail to everyone at ******** for two reasons. First, to alert you to a new and nasty virus/worm, and second to educate all users about these new classes of virus/worms. This particular virus/worm is called W32/Bugbear.b@MM, it is a variant of the W32.Bugbear@mm virus/worm. Below, please find the specifics and details about this threat, but more importantly, I hope you will carefully read and understand how incredibly sneaky, persistent, and technologically advanced these virus/worms are becoming. I hope after reading this, you will have a greater appreciation for the dangers these new virus/worms present to everyone that owns a computer at home, and especially corporations trying to manage many systems. So make SURE your anti-virus software is enabled and your virus definitions are ALWAYS up to date.
Steve
IT Director
Name: W32/Bugbear.b@MM
Risk Assessment
- Home Users: High
- Corporate Users: High
Date Discovered: 6/4/2003
Date Added: 6/4/2003
Origin: Unknown
Length: 72,192 bytes
Type: Virus
SubType: Internet Worm
This is a complex worm that contains many different elements:
1. Mass-mailer
2. Network Share Propagator
3. Keylogger
4. Remote Access Trojan
5. Polymorphic Parasitic File Infector
6. Security Software Terminator
Mass-mailing
This worm emails itself to addresses found on the local system (in
files and email messages). This goes for both the TO and FROM fields.
Thus the sender address is spoofed, or forged, and not a direct
indication of an infected user. It extracts addresses from file names
containing these strings:
.DBX
.EML
INBOX
.MBX
.MMF
.NCH
.ODS
.TBB
The default SMTP server specified in the Internet Account Manager is
used to send messages:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager
The virus code contains email subject strings and attachment names.
However, the original variant of this virus typically mailed using
information not present in the virus, suggesting that there is a higher
probability of the virus using words and filenames contained on the
infected system (including those from old email messages). Possible
message subject lines include the following (however, other random
subject lines are also possible):
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help...
Re: $150 FREE Bonus!
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
wow!
Your Gift
Your News Alert
The message body varies and may contain fragments of files found on the
victim's system (including old email messages). The attachment name
also varies, but may contain the following strings:
Card
Docs
image
images
music
news
photo
pics
readme
resume
Setup
song
video
Followed by an extension:
.exe
.pif
.scr
Filename may also be taken from files found in the personal folder as
denoted in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
It is common for the attachment name to contain a double-extension (i.e.
.doc.pif). Outgoing messages look to make use of the Incorrect MIME
Header Can Cause IE to Execute E-mail Attachment vulnerability
(MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
Gateway scanners will detect samples using this exploit as
Exploit-MIME.gen. or Exploit-MIME.gen.exe with the 4213 DATs (or
higher).
Installation
The worm copies itself to the START UP folder using a random file
name (such as):
Win98 : C:\WINDOWS\Start Menu\Programs\Startup\BSFS.EXE
2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\BSFS.EXE
Network share propagation
The worm attempts to copy itself to the Startup folder of remote
machines on the network (as *.EXE - described above).
Keylogging
The virus installs a keylogger DLL, which it uses to capture typed
keystrokes. The name of this DLL is random, contains 7 characters
followed by .dll and is placed in the SYSTEM (%SysDir%) directory. Two
other files, using similar names, are also placed there. These other
files contain encrypted, captured, information. A small randomly named
.dat file is placed in the WINDOWS (%WinDir%) directory.
Remote Access Trojan
The worm listens on TCP Port 1080 for commands, allowing a remote
attacker to gain access to the compromised system.
Parasitic File Infecting
The virus attempts to infect specific executables. It retrieves the
path to the Program Files directory from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
It also tries to infect the following files:
hh.exe
mplayer.exe
notepad.exe
regedit.exe
scandskw.exe
winhelp.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
adobe\acrobat5.0\reader\acrord32.exe
AIM95\aim.exe
CuteFTP\cutftp32.exe
DAP\DAP.exe
Far\Far.exe
ICQ\Icq.exe
Internet Explorer\iexplore.exe
kazaa\kazaa.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
MSN Messenger\msnmsgr.exe
Outlook Express\msimn.exe
QuickTime\QuickTimePlayer.exe
Real\RealPlayer\realplay.exe
StreamCast\Morpheus\Morpheus.exe
Trillian\Trillian.exe
Winamp\winamp.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
winzip\winzip32.exe
WS_FTP\WS_FTP95.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
Security Software Terminating
If it finds any of these anti-virus or security programs running, it
will attempt to shut down or delete the following programs/files:
ACKWIN32.exe
ANTI-TROJAN.exe
APVXDWIN.exe
AUTODOWN.exe
AVCONSOL.exe
AVE32.exe
AVGCTRL.exe
AVKSERV.exe
AVNT.exe
AVP32.exe
AVPCC.exe
AVPDOS32.exe
AVPM.exe
AVPTC32.exe
AVPUPD.exe
AVSCHED32.exe
AVWIN95.exe
AVWUPD32.exe
BLACKD.exe
BLACKICE.exe
CFIADMIN.exe
CFIAUDIT.exe
CFINET.exe
CFINET32.exe
CLAW95.exe
CLAW95CF.exe
CLEANER.exe
CLEANER3.exe
DVP95.exe
DVP95_0.exe
ECENGINE.exe
ESAFE.exe
ESPWATCH.exe
F-AGNT95.exe
FINDVIRU.exe
FPROT.exe
F-PROT.exe
F-PROT95.exe
F-STOPW.exe
IAMAPP.exe
IAMSERV.exe
IBMASN.exe
IBMAVSP.exe
ICLOAD95.exe
ICLOADNT.exe
ICMON.exe
ICSUPP95.exe
ICSUPPNT.exe
IFACE.exe
IOMON98.exe
JEDI.exe
LOCKDOWN2000.exe
LOOKOUT.exe
LUALL.exe
MOOLIVE.exe
MPFTRAY.exe
N32SCANW.exe
NAVAPW32.exe
NAVLU32.exe
NAVNT.exe
NAVW32.exe
NAVWNT.exe
NISUM.exe
NMAIN.exe
NORMIST.exe
NUPGRADE.exe
NVC95.exe
OUTPOST.exe
PADMIN.exe
PAVCL.exe
PAVSCHED.exe
PAVW.exe
PCCWIN98.exe
PCFWALLICON.exe
PERSFW.exe
RAV7.exe
RAV7WIN.exe
RESCUE.exe
SAFEWEB.exe
SCAN32.exe
SCAN95.exe
SCANPM.exe
SCRSCAN.exe
SERV95.exe
SPHINX.exe
SWEEP95.exe
TBSCAN.exe
TDS2-98.exe
TDS2-NT.exe
VET95.exe
VETTRAY.exe
VSCAN40.exe
VSECOMR.exe
VSHWIN32.exe
VSSTAT.exe
WEBSCANX.exe
WFINDV32.exe
ZONEALARM.exe
Indications of Infection
- Presence of strange EXE file in the STARTUP folder
- System listening on TCP Port 1080
Spawns Print Jobs on Network Printers
There have been reports from the field that after execution of the virus
it sends print jobs to all network printers. Avert has been able to
reproduce this in their labs and the worm attempts to print its file
contents to network printers.
Method of Infection
This virus spreads over the network (via network shares) and by mailing
itself (using its own SMTP engine).
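
A mail-gateway style check for the attachment naming described under Mass-mailing (an .exe, .pif or .scr extension, often as a double extension, sent with an incorrect MIME header), as an added example that is not part of the original e-mail or advisory. The function names, the sample messages and the rule that an audio, video, image or text content type on an executable-named part counts as a header mismatch are assumptions of this example, not the vendor's gateway signature.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

EXEC_EXTS = {".exe", ".pif", ".scr"}  # extensions listed in the advisory
# Assumption of this example: media types that should never wrap an executable.
PASSIVE_TYPES = {"audio", "video", "image", "text"}


def attachment_findings(raw_message: bytes):
    """Return [(filename, [reasons])] for each suspicious MIME part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so drop them before parsing.
        clean = name.strip().rstrip(". ")
        suffixes = [s.lower() for s in PureWindowsPath(clean).suffixes]
        if not suffixes or suffixes[-1] not in EXEC_EXTS:
            continue
        reasons = ["executable extension " + suffixes[-1]]
        if len(suffixes) > 1:
            reasons.append("double extension " + "".join(suffixes[-2:]))
        if part.get_content_maintype() in PASSIVE_TYPES:
            reasons.append("declared as " + part.get_content_type())
        findings.append((name, reasons))
    return findings


def build_sample(filename, maintype, subtype):
    """Construct a sample message (test data, not captured traffic)."""
    m = EmailMessage()
    m["Subject"] = "Report"
    m.set_content("hello")
    m.add_attachment(b"\x00", maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()


SUSPICIOUS = build_sample("resume.doc.pif", "audio", "x-wav")
BENIGN = build_sample("photo.jpg", "image", "jpeg")

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(attachment_findings(sample))
```

Because the advisory notes that subject lines and sender addresses are random or forged, the check keys only on the attachment part itself.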