Common Ground / Security Blanket - Computer Questions / More info on Bug_Bear Worm (virus)
Robin
Cast Member
Posts: 940
Registered: Aug 2002
Posted 10-02-02 02:36 PM
More info from www.antivirus.com:

Payload 1: Terminates antivirus processes
Trigger condition 1: Upon execution
Payload 2: Mass-mails copies of itself
Trigger condition 2: Upon execution
Platform: Windows

Details:
Upon execution, this worm drops a copy of itself in the Windows System directory using a randomly-generated filename.

To ensure its automatic execution every system startup, it copies itself in the Windows Startup folder to a random filename and adds this registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
= .EXE

This malware propagates via email or shared folders. To propagate via email, it uses Simple Mail Transport Protocol (SMTP) commands and reads this registry key to obtain an SMTP server: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts
Then it sends out an email with no message body and with one of these possible subjects to all addresses found in the Windows Address Book (WAB):

$150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Confirmation of Recipes…
Correction of errors
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
hello!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
Payment notices
Please Help...
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
Your Gift
Your News Alert

It spoofs the FROM field of the email while the attachment may be one of the following:
Setup.exe
3 July 2002.doc.pif

Exploit
This worm exploits the Incorrect Multipurpose Internet Mail Extensions (MIME) header vulnerability. This allows attachments of HTML formatted email messages to automatically execute when a user reads or previews the email in Microsoft Outlook or Outlook Express.
This permits the worm to install itself on the target system without the target user double-clicking or opening the attachment. The Incorrect MIME header vulnerability is known to affect Microsoft Internet Explorer 5.01 and 5.5.
Note: More information on this exploit is available in the Microsoft article, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.

It spreads in the local network via shared folders. It has a thread that continually scans for shared network resources, which include shared folders. When it finds one, it attempts to copy itself to this path, which is common only on Windows 9x machines:
\\\Windows\Start Menu\Programs\Startup\%random filename%.exe.

Thus, this worm may fail to infect WinNT based machines.
It does not check the type of shared resource that it infects, so it also copies itself to other network resources such as printers. When this happens, it causes an accumulation of print jobs in the network printer queue. The print jobs associated with this worm have a document size equal to the size of the worm.

Payload
This worm terminates the following processes, which are mostly antivirus applications, on target systems:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE

It usually arrives as a UPX-compressed file.

Trojan Capabilities
The worm drops 3 DLL and 2 DAT files in the Windows System and Windows folder respectively with random filenames. One of the 3 DLL files is a key logger program that hooks some events from keyboards. It intercepts keystrokes from the infected user and saves the keystrokes to the other DLL files in an encrypted form. The key logger component is also detected as WORM_BUGBEAR.A, while the other two DLLs are not malicious. The 2 DAT files are also non-malicious data files and in encrypted form.

This worm opens port 36794 on the target user’s machine. Once opened, the malicious remote user may connect to the said port thereby compromising network security.

Description created: Sep. 30, 2002



I toss my cookies for Disney.

I wonder what inspired this new Disney T-shirt? "I'm right. You're wrong. Any Questions?"
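The description above gives several concrete, defender-usable indicators: the fixed backdoor port, the two attachment names, the lure subjects with an empty body, the new RunOnce entry, the antivirus processes that stop running, and print jobs sized like the worm binary. The following is an added example of turning those into simple checks; it is not code from the original post or from antivirus.com. The `HostSnapshot` layout, the helper names, and the sample data are assumptions constructed for illustration, and only a subset of the long subject and process lists is reproduced.

```python
"""Indicator checks built from the Bugbear description above.

Added example, not code from the original post or from antivirus.com.
HostSnapshot, the helper names and all sample inputs are assumptions;
the port, attachment names, subjects and process names come from the
description, with only a subset of the long lists reproduced here.
"""
from dataclasses import dataclass, field

BUGBEAR_PORT = 36794  # backdoor port named in the description
BUGBEAR_ATTACHMENTS = {"setup.exe", "3 july 2002.doc.pif"}
# Subset of the subject lines listed above (compared case-insensitively).
BUGBEAR_SUBJECTS = {
    "$150 free bonus!", "25 merchants and rising", "announcement", "bad news",
    "daily email reminder", "membership confirmation", "new contests",
    "scam alert!!!", "today only", "your gift", "your news alert",
}
# Subset of the processes the worm terminates (upper-cased for comparison).
KILL_LIST = {
    "AVP32.EXE", "AVPCC.EXE", "BLACKICE.EXE", "F-PROT95.EXE", "NAVW32.EXE",
    "NAVAPW32.EXE", "SCAN32.EXE", "VSHWIN32.EXE", "ZONEALARM.EXE",
}


@dataclass
class HostSnapshot:
    """Constructed view of one host, as an inventory agent might report it."""
    processes: set[str] = field(default_factory=set)
    listening_ports: set[int] = field(default_factory=set)
    # HKLM\...\CurrentVersion\RunOnce value name -> data
    runonce: dict[str, str] = field(default_factory=dict)


def check_email(subject: str, body: str, attachments: list[str]) -> list[str]:
    """Flag a message that matches the worm's mail characteristics."""
    findings = []
    if subject.strip().lower() in BUGBEAR_SUBJECTS and not body.strip():
        findings.append(f"subject {subject!r} with empty body matches a Bugbear lure")
    for name in attachments:
        low = name.lower()
        if low in BUGBEAR_ATTACHMENTS:
            findings.append(f"attachment {name!r} is a known Bugbear filename")
        elif low.endswith(".pif"):
            findings.append(f"attachment {name!r} is an executable .pif file")
    return findings


def check_host(before: HostSnapshot, after: HostSnapshot) -> list[str]:
    """Compare two snapshots of one host for the worm's on-host side effects."""
    findings = []
    if BUGBEAR_PORT in after.listening_ports and BUGBEAR_PORT not in before.listening_ports:
        findings.append(f"new listener on TCP {BUGBEAR_PORT}")
    # Security tools that were running earlier and have since disappeared.
    watched = {p.upper() for p in before.processes} & KILL_LIST
    gone = watched - {p.upper() for p in after.processes}
    for proc in sorted(gone):
        findings.append(f"security process {proc} is no longer running")
    # A RunOnce value pointing at an .exe that was not there before.
    for name, value in after.runonce.items():
        if name not in before.runonce and value.lower().endswith(".exe"):
            findings.append(f"new RunOnce entry {name!r} -> {value}")
    return findings


def check_print_queue(jobs: list[tuple[str, int]], worm_size: int) -> list[str]:
    """Print jobs whose document size equals the worm binary's size."""
    return [f"print job {doc!r} has the worm's size ({size} bytes)"
            for doc, size in jobs if size == worm_size]


if __name__ == "__main__":
    # Constructed before/after snapshots of a single Windows 9x host.
    before = HostSnapshot(processes={"EXPLORER.EXE", "NAVW32.EXE"}, listening_ports={139})
    after = HostSnapshot(processes={"EXPLORER.EXE"}, listening_ports={139, 36794},
                         runonce={"xkqzp": "C:\\WINDOWS\\SYSTEM\\xkqzp.exe"})
    for line in check_host(before, after) + check_email("Your Gift", "", ["Setup.exe"]):
        print(line)
```

The host check deliberately compares two snapshots rather than a single one: the description's strongest signal is change (a listener that was not there, an antivirus process that stopped, a RunOnce value that appeared), and a single snapshot cannot tell a legitimately absent scanner from a terminated one.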
Parker
Cast Member
Posts: 493
Registered: Sep 2002
Posted 10-10-02 01:05 PM
My Anti-virus caught this one this morning in an email to my ISP internet mail, which I rarely use. Luckily, I was able to delete the mail and files without it getting anywhere. I even went through and checked the files in my registry just to be safe.

The email was titled "50% off hotels" or something like that.
Speak your mind, but ride a fast horse.
Parker
Cast Member
Posts: 493
Registered: Sep 2002
Posted 10-11-02 02:22 PM
BTW, I received this virus attached to an email sent to my work account yesterday also.
Speak your mind, but ride a fast horse.