From www.e-secure-it.us
DETAILED DESCRIPTION OF BUGBEAR, HOW TO RECOGNISE AND FIRST AID KIT.

Bugbear / Tanatos

This virus is written in MSVC and packed with UPX. It shuts down anti-virus and firewall software designed to block out intruders and can spread by dropping copies of itself into folders on shared networks, which are commonly used at corporations and large organizations. The worm's most interesting feature is a Trojan horse component called PWS-Hooker that secretly watches every keystroke on an infected computer, and stores the captured information on the computer in encrypted form. The data can be accessed later by the virus writer or anyone else who happens upon the infected computer, or it can be e-mailed to the author.

Bugbear might be spreading because it is cleverly crafted and difficult to spot with the naked eye. It arrives in a victim's e-mail inbox with a subject line chosen randomly from dozens of possibilities. Possible message subject lines include the following (however, other random subject lines are also possible):

25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help...
Re: $150 FREE Bonus!
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
wow!
Your Gift
Your News Alert

The message body varies and may contain fragments of files found on the victim's system.
The attachment name also varies, but may contain the following strings:

Card
Docs
image
images
music
news
photo
pics
readme
resume
Setup
song
video

The actual infected file arrives as an attachment, which also has a random name. And Bugbear's first task, upon infection, is to disable all installed antivirus software. It's throwing a lot of things at people to see if it can find something to slip under the radar. Once activated, the virus shuts down scores of vital processes used by Windows and by antivirus software, records user keystrokes, opens a backdoor to the infected machine for use by attackers, and attempts to mail copies of itself out to other users, randomly generating new subject lines and virus executable names as it does.

W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts to spread via network shares. The worm copies itself to the Windows system folder as a file with a random four-letter name and an EXE extension and adds to the following registry entry to run this file on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

W32/Bugbear-A also drops a copy of itself in the Windows start up folder so that it is run on system restart. The worm drops a randomly-named DLL file, which is related to logging keystrokes, in the Windows system folder. It can also terminate certain firewall and antivirus programs.

How to recognise:

The virus file is attached to e-mails with a wide variety of subject lines.
Attachment Length: 50,688 bytes (UPXed) or 50,664 bytes
The subject line, name of the attachment and text in the body of the message can vary, and the attachment name typically has a double extension, such as .xxx.pif, .xxx.scr etc.

IF YOU ARE INFECTED:

Symptoms:

Method Of Infection
This virus spreads over the network (via network shares) and by mailing itself (using its own SMTP engine).
It attempts to terminate the process of the following security programs:

ACKWIN32.exe
F-AGNT95.exe
ANTI-TROJAN.exe
APVXDWIN.exe
AUTODOWN.exe
AVCONSOL.exe
AVE32.exe
AVGCTRL.exe
AVKSERV.exe
AVNT.exe
AVP32.exe
AVP32.exe
AVPCC.exe
AVPCC.exe
AVPDOS32.exe
AVPM.exe
AVPM.exe
AVPTC32.exe
AVPUPD.exe
AVSCHED32.exe
AVWIN95.exe
AVWUPD32.exe
BLACKD.exe
BLACKICE.exe
CFIADMIN.exe
CFIAUDIT.exe
CFINET.exe
CFINET32.exe
CLAW95.exe
CLAW95CF.exe
CLEANER.exe
CLEANER3.exe
DVP95_0.exe
ECENGINE.exe
ESAFE.exe
ESPWATCH.exe
FINDVIRU.exe
FPROT.exe
IAMAPP.exe
IAMSERV.exe
IBMASN.exe
IBMAVSP.exe
ICLOAD95.exe
ICLOADNT.exe
ICMON.exe
ICSUPP95.exe
ICSUPPNT.exe
IFACE.exe
IOMON98.exe
JEDI.exe
LOCKDOWN2000.exe
LOOKOUT.exe
LUALL.exe
MOOLIVE.exe
MPFTRAY.exe
N32SCANW.exe
NAVAPW32.exe
NAVLU32.exe
NAVNT.exe
NAVW32.exe
NAVWNT.exe
NISUM.exe
NMAIN.exe
NORMIST.exe
NUPGRADE.exe
NVC95.exe
OUTPOST.exe
PADMIN.exe
PAVCL.exe
PAVSCHED.exe
PAVW.exe
PCCWIN98.exe
PCFWALLICON.exe
PERSFW.exe
F-PROT.exe
F-PROT95.exe
RAV7.exe
RAV7WIN.exe
RESCUE.exe
SAFEWEB.exe
SCAN32.exe
SCAN95.exe
SCANPM.exe
SCRSCAN.exe
SERV95.exe
SPHINX.exe
F-STOPW.exe
SWEEP95.exe
TBSCAN.exe
TDS2-98.exe
TDS2-NT.exe
VET95.exe
VETTRAY.exe
VSCAN40.exe
VSECOMR.exe
VSHWIN32.exe
VSSTAT.exe
WEBSCANX.exe
WFINDV32.exe
ZONEALARM.exe

TROJAN:
Port 36974 open
Existence of the following files (* represents any character):
%WinDir%\System\****.EXE (50,688 or 50,684 bytes)
%WinDir%\******.DAT
%WinDir%\******.DAT
%WinDir%\System\******.DLL
%WinDir%\System\*******.DLL
%WinDir%\System\*******.DLL

This worm emails itself to addresses found on the local system. The worm copies itself to the Windows system folder as a file with a random four-letter name and an EXE extension and adds to the following registry entry to run this file on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

When run on the victim machine it copies itself to %WinDir%\System as ****.EXE (where * represents a random character).
For example in testing:
Win98 : C:\WINDOWS\SYSTEM\FYFA.EXE
2k Pro : C:\WINNT\SYSTEM32\FVFA.EXE

The following Registry key is set in order to hook next system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"%random letters%" = %random filename%.EXE (Win9x)

The worm copies itself to the Startup folder on the victim machine as ***.EXE (where * represents a random character), for example:
Win98 : C:\WINDOWS\Start Menu\Programs\Startup\CUK.EXE
2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE

Trojan component
The worm opens a port on the victim machine - port 36794 - and searches for various running processes, stopping them if found. The list of processes includes many popular AV and personal firewall products. This remote access server allows an attacker to upload and download files, run executables, and terminate processes. It drops a DLL on the victim machine - keylogger related. This DLL is detected as PWS-Hooker.dll.

Network share propagation
The worm attempts to copy itself to the Startup folder of remote machines on the network (as ***.EXE - described above). Outgoing messages look to make use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).

FIRST AID KIT:

AS EMERGENCY MEASURE - Remove, Disable or encrypt all local email addresses (addressbook etc)

TO PREVENT FROM SPREADING (BEFORE YOU ARE INFECTED)

INCOMING EMAILS:
Filter on attachment length 50,688 bytes (UPXed) or 50,664 bytes
Filter out attachments, especially .pif, .scr (By the way, you should filter out all attachments anyway)
Nail down your Network shares - it replicates itself through them.
Make sure all USER PCs have IE updated with the latest security patches. It takes advantage of a known vulnerability in Microsoft's Internet Explorer versions 5.01 and 5.5 that allows attackers to embed malicious code in the header of an improperly formatted HTML message that could cause e-mail clients such as Outlook to automatically launch attached executable files. Microsoft addressed the issue in Service Bulletin MS01-020 and issued a patch for the vulnerability in March of 2001.

Trojan:
Port 36974 open - CHECK ON THIS PORT!!!!
Existence of the following files (* represents any character):
%WinDir%\System\****.EXE (50,688 or 50,684 bytes)
%WinDir%\******.DAT
%WinDir%\******.DAT
%WinDir%\System\******.DLL
%WinDir%\System\*******.DLL
%WinDir%\System\*******.DLL

FURTHER INFORMATION ON PWS-HOOKER:

Type: Zoo Trojan Horse
Infection Length: variable
Systems Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Trojans in this family can record your keystrokes and store this information in encrypted form. The Trojan sends this encrypted file and the IP address of the compromised computer to email addresses that are defined by the hacker.

The following is a description of a specific PWS.Hooker.Trojan variant that can be dropped by the W32.Badtrans.gen(a)mm worm. When the Trojan runs, it does the following:

It copies itself as C:\%System%\Kern32.exe.
NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It also drops C:\%System%\Hksdll.dll. This file is a component of, and is detected as, W32.Badtrans.gen(a)mm.
The Trojan adds the value
kernel32 C:\%System%\kern32.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
This causes the Trojan to run the next time that you start Windows.
Arjen de Landgraaf
www.e-secure-db.us
www.e-secure-it.us

-----Original Message-----
From: Simon Byrnand [mailto:simon(a)igrin.co.nz]
Sent: Tuesday, October 01, 2002 3:14 PM
To: nznog(a)list.waikato.ac.nz
Subject: Virus alert

For those that haven't noticed yet, a new virus has just come out which is spreading extremely rapidly. Depending on what antivirus software you use it's called "W32.Bugbear(a)mm" (Norton Antivirus) or "I-Worm.Tanatos" (Kaspersky) - it may go under different names on other scanners. Both Norton and Kaspersky have only added detection of it in the last 12 hours AFAIK, and it looks like it has been in the wild in NZ at least 24 hours before updates to most scanners were able to detect it.

(On topic bit :) The thing that's interesting about this particular virus is that it actively scans netblocks for machines listening on port 137 (Windows file/printer sharing) using simple incremental scans, so it's quite easy to spot machines that are infected. Apparently it also sends information about the compromised machine to a pre-defined email address, and also opens a backdoor listening on TCP port 36794. As well as that, it uses the I-Frame exploit to automatically infect machines with unpatched versions of Outlook Express, and has the ability to automatically close all commonly used virus scanners whenever you try to run them.

Based on the massive flood of this virus we've seen today it looks like a Klez killer has arrived..... (it's outnumbering Klez by about 16 to 1 in our stats today)

More info:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear(a)mm.htm...

Regards,
Simon Byrnand
iGRIN Internet

- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
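The "FIRST AID KIT" section above tells mail administrators to filter incoming attachments on the two quoted lengths (50,688 or 50,664 bytes) and on double extensions such as .xxx.pif and .xxx.scr, and notes that outgoing worm messages rely on the MS01-020 "Incorrect MIME Header" trick. The following is an added example of a gateway-side check that applies those three indicators; it is not code from the e-secure-it post, from the nznog list or from any vendor product. Everything in it is constructed: the sample messages, the `example.invalid` addresses, and the `audio/x-wav` content type used to stand in for a declared non-executable type paired with an executable filename (the page names MS01-020 but not that specific value). The `.exe` extension in `EXEC_EXTENSIONS` is also an assumption added beside the `.pif` and `.scr` the post lists.

```python
"""Mail-gateway indicator check for the Bugbear attachment described in the alert.

Added example, not from the post or any vendor tool. It flags an attachment when
any of the indicators the post lists is present:
  * decoded attachment length of exactly 50,688 or 50,664 bytes,
  * a double extension ending in an executable type (.xxx.pif, .xxx.scr, ...),
  * a declared Content-Type that is not an application type while the filename
    has an executable extension (the shape of the MS01-020 header trick; the
    audio/x-wav value in the sample is an assumption, not taken from the post).
"""
import email
import email.policy
from email.message import EmailMessage

BUGBEAR_LENGTHS = {50688, 50664}            # attachment sizes quoted in the post
EXEC_EXTENSIONS = {".pif", ".scr", ".exe"}  # .pif/.scr from the post; .exe assumed


def inspect_attachment(part):
    """Return a dict of indicator hits for one MIME part that carries a filename."""
    name = part.get_filename() or ""
    payload = part.get_payload(decode=True) or b""   # decoded, so base64 bloat is gone
    pieces = name.lower().split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    return {
        "filename": name,
        "size": len(payload),
        "known_length": len(payload) in BUGBEAR_LENGTHS,
        "double_extension": len(pieces) > 2 and ext in EXEC_EXTENSIONS,
        "mime_mismatch": ext in EXEC_EXTENSIONS
        and part.get_content_maintype() != "application",
    }


def scan_message(raw: bytes):
    """Parse a raw RFC 822 message and return indicator hits for each attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [inspect_attachment(p) for p in msg.walk() if p.get_filename()]


def should_quarantine(raw: bytes) -> bool:
    """True if any attachment shows at least one of the indicators."""
    return any(h["known_length"] or h["double_extension"] or h["mime_mismatch"]
               for h in scan_message(raw))


def build_sample(filename, size, maintype="application", subtype="octet-stream"):
    """Construct a test message (constructed data, not a real captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Membership Confirmation"   # one of the subject lines in the post
    msg.set_content("constructed body text")
    msg.add_attachment(b"\x00" * size, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "double ext + length": build_sample("readme.doc.pif", 50688),
        "mime mismatch": build_sample("song.scr", 1000, "audio", "x-wav"),
        "benign": build_sample("report.pdf", 1000, "application", "pdf"),
    }
    for label, raw in samples.items():
        print(f"{label:20} quarantine={should_quarantine(raw)} {scan_message(raw)}")
```

The length check is done on the decoded payload, not on the base64 text, because the sizes in the post refer to the file itself. A real gateway would also want to reject or rename the executable extensions outright, as the post itself recommends.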
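Simon's message above points out that the worm scans netblocks for port 137 listeners using simple incremental scans, which makes infected hosts easy to spot from firewall logs. The following is an added example of that detection over log lines; it is not code from the nznog list or from any product. The log line format, the RFC 5737 documentation addresses and the `min_run` threshold of 8 consecutive targets are all constructed assumptions.

```python
"""Spot incremental port-137 scanning from firewall log lines.

Added example, not from the post. It keeps only traffic to the NetBIOS port,
groups destination addresses by source, and reports every source whose targets
include a run of consecutive IPv4 addresses at least `min_run` long, which is
what a simple incremental netblock scan looks like from outside the host.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format (assumption): "<ts> fw DROP src=A dst=B proto=P dport=N"
LOG_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+dst=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) for a recognised line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def longest_consecutive_run(addresses):
    """Length of the longest run of numerically adjacent IPv4 addresses."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_scanners(lines, port=137, min_run=8):
    """Map each suspicious source address to its longest consecutive-target run."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == port:
            targets[parsed[0]].add(parsed[1])
    runs = {src: longest_consecutive_run(dsts) for src, dsts in targets.items()}
    return {src: n for src, n in runs.items() if n >= min_run}


def _line(src, dst, dport, proto="udp"):
    return f"Oct 01 15:14:02 fw DROP src={src} dst={dst} proto={proto} dport={dport}"


# Constructed sample: one host sweeping 198.51.100.1-20 on port 137, one host
# touching three scattered addresses, and unrelated HTTPS traffic.
SAMPLE_LOG = (
    [_line("192.0.2.10", f"198.51.100.{i}", 137) for i in range(1, 21)]
    + [_line("192.0.2.77", "198.51.100.5", 137),
       _line("192.0.2.77", "198.51.100.40", 137),
       _line("192.0.2.77", "198.51.100.200", 137),
       _line("192.0.2.77", "203.0.113.9", 443, "tcp")]
)

if __name__ == "__main__":
    for src, run in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {run} consecutive port-137 targets, likely infected")
```

The threshold is deliberately a parameter: on a busy network a legitimate NetBIOS browser may touch a handful of neighbours, but a run of dozens of consecutive addresses from one source is the pattern the alert describes.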