| Name | Win32.Bugbear.b |
| Threat Level |  |
| Alias | Win32.Bugbear.b, W32.Bugbear.B@mm, W32/Bugbear.b@MM |
| Date | 05 June, 2003 |
| Type | Win32, Worm, Trojan |
| Damage | Create files, Modify files, Send Email, Theft of information |
| Platform | Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP |
| Analysis |
Win32.Bugbear.b is a mass-mailing, polymorphic worm that terminates security-related applications and logs keystrokes on the infected machine. The worm can also spread via network shares and by infecting executable files.
On some occasions the copy of the worm that arrives may be damaged, either because the data was corrupted in transit between infected computers or because of an error in the worm's own code. A damaged copy may behave unexpectedly and, more often than not, will fail to carry out some or all of its intended damage. To make the protection provided to our customers complete, and in spite of its reduced potential, eSafe detects damaged versions of this worm as Win32.Bugbear.b.dam.
The arriving email will have the following characteristics:
Sender: The sender of this message may be spoofed (forged) by the worm.
Subject: The subject of an infected message may appear to be sent as a reply to previous correspondence or may be one of the following:
$150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help...
Re:
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
wow!
Your Gift
Your News Alert
Attached File: The attachment may be a randomly selected file taken from the infected computer. The attachment name may carry a misleading (spoofed) extension, but the actual extension of the infected attachment will be one of the following:
.scr
.pif
.exe
Notes: On unprotected systems the worm may use a vulnerability in Microsoft Internet Explorer, so that the attachment is executed automatically when the message is opened, without the user's consent. eSafe offers full protection against this exploit using its XploitStopper™ technology.
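The mail indicators above (a subject from the list, an attachment whose real extension is .scr, .pif or .exe behind a spoofed inner extension) can be checked on a gateway before the message reaches a mailbox. The script below is an added example written for this page, not eSafe's code: the sample message is constructed, the subject list is the one printed above, and the scoring policy (quarantine on any executable attachment) is an assumption made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Subjects listed in the advisory above (compared case-insensitively).
BUGBEAR_SUBJECTS = {
    "$150 FREE Bonus!", "25 merchants and rising", "Announcement", "bad news",
    "CALL FOR INFORMATION!", "click on this!", "Correction of errors", "Cows",
    "Daily Email Reminder", "empty account", "fantastic", "free shipping!",
    "Get 8 FREE issues - no risk!", "Get a FREE gift!", "Greets!", "Hello!", "Hi!",
    "history screen", "hmm..", "I need help about script!!!", "Interesting...",
    "Introduction", "its easy", "Just a reminder", "Lost & Found",
    "Market Update Report", "Membership Confirmation", "My eBay ads",
    "New bonus in your cash account", "New Contests", "new reading", "News",
    "Payment notices", "Please Help...", "Re:", "Report", "SCAM alert!!!",
    "Sponsors needed", "Stats", "Today Only", "Tools For Your Online Business",
    "update", "various", "Warning!", "wow!", "Your Gift", "Your News Alert",
}
_SUBJECTS_LOWER = {s.lower() for s in BUGBEAR_SUBJECTS}

# The extensions the advisory says the infected attachment really carries.
EXECUTABLE_EXTS = (".scr", ".pif", ".exe")


def real_extension(filename: str) -> str:
    """Return the attachment's actual (last) extension, ignoring a spoofed
    inner one such as 'invoice.doc.pif' or 'notes.txt      .scr'."""
    name = filename.strip().lower()
    _base, dot, ext = name.rpartition(".")
    return "." + ext if dot else ""


def check_message(raw: bytes) -> dict:
    """Score a raw RFC 822 message against the indicators from the advisory.
    Policy assumed for this example: an executable attachment alone is
    enough to quarantine; a listed subject only raises the score."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in _SUBJECTS_LOWER:
        hits.append("known_subject")
    elif subject.lower().startswith("re:"):
        hits.append("reply_style_subject")  # weaker: the worm fakes replies
    attachments = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        attachments.append(fname)
        if real_extension(fname) in EXECUTABLE_EXTS:
            hits.append("executable_attachment")
            # More than one dot means an inner extension is pretending to
            # be the file type, e.g. 'invoice.doc.pif'.
            if fname.strip().count(".") > 1:
                hits.append("spoofed_extension")
    return {"subject": subject, "attachments": attachments,
            "indicators": hits, "quarantine": "executable_attachment" in hits}


# Constructed sample message (not a real capture): listed subject, spoofed
# double extension, and a forged From header as the advisory describes.
SAMPLE_EML = b"""From: "Accounts" <accounts@example.com>
To: victim@example.net
Subject: Payment notices
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/octet-stream; name="invoice.doc.pif"
Content-Disposition: attachment; filename="invoice.doc.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_EML))
```

The From header is deliberately not used as an indicator: the advisory says it is forged, so matching on it only tells you who the worm harvested from another victim's address book.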
Malicious activity
When the worm is executed it does the following:
1. It attempts to terminate the following security related processes if found on the infected machine:
_avp32.exe
_avpcc.exe
_avpm.exe
ackwin32.exe
anti-trojan.exe
apvxdwin.exe
autodown.exe
avconsol.exe
ave32.exe
avgctrl.exe
avkserv.exe
avnt.exe
avp.exe
avp32.exe
avpcc.exe
avpdos32.exe
avpm.exe
avptc32.exe
avpupd.exe
avsched32.exe
avwin95.exe
avwupd32.exe
blackd.exe
blackice.exe
cfiadmin.exe
cfiaudit.exe
cfinet.exe
cfinet32.exe
claw95.exe
claw95cf.exe
cleaner.exe
cleaner3.exe
dvp95.exe
dvp95_0.exe
ecengine.exe
esafe.exe
espwatch.exe
f-agnt95.exe
findviru.exe
fprot.exe
f-prot.exe
f-prot95.exe
fp-win.exe
frw.exe
f-stopw.exe
iamapp.exe
iamserv.exe
ibmasn.exe
ibmavsp.exe
icload95.exe
icloadnt.exe
icmon.exe
icsupp95.exe
icsuppnt.exe
iface.exe
iomon98.exe
jedi.exe
lockdown2000.exe
lookout.exe
luall.exe
moolive.exe
mpftray.exe
n32scanw.exe
navapw32.exe
navlu32.exe
navnt.exe
navw32.exe
navwnt.exe
nisum.exe
nmain.exe
normist.exe
nupgrade.exe
nvc95.exe
padmin.exe
outpost.exe
pavcl.exe
pavsched.exe
pavw.exe
pccwin98.exe
pcfwallicon.exe
persfw.exe
rav7.exe
rav7win.exe
rescue.exe
safeweb.exe
scan32.exe
scan95.exe
scanpm.exe
scrscan.exe
serv95.exe
smc.exe
sphinx.exe
sweep95.exe
tbscan.exe
tca.exe
tds2-98.exe
tds2-nt.exe
vet95.exe
vettray.exe
vscan40.exe
vsecomr.exe
vshwin32.exe
vsstat.exe
webscanx.exe
wfindv32.exe
zonealarm.exe
2. The worm harvests email addresses from the infected computer and uses its own SMTP engine to send itself, usually with a spoofed From field.
3. The worm also infects executable files, so that each time an infected file is run, the worm runs along with it.
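The process-termination behaviour in step 1 is a useful host-based detection on its own: a benign uninstall stops one security product, whereas the worm stops every one it can find within seconds of starting. The script below is an added example for this page, not eSafe's code: it runs a sliding-window rule over a constructed process-termination log (the log format is invented for the example) and alerts when one actor terminates several distinct processes from the list above inside a short window. Only a subset of the advisory's image names is embedded; in practice load the full list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the security-product image names listed in step 1 above;
# load the complete list from the advisory in a real deployment.
KILL_LIST = {
    "_avp32.exe", "avp32.exe", "blackice.exe", "esafe.exe", "f-prot.exe",
    "navw32.exe", "navapw32.exe", "nmain.exe", "pcfwallicon.exe",
    "persfw.exe", "scan32.exe", "vshwin32.exe", "vsstat.exe", "zonealarm.exe",
}

# Constructed log format for this example:
#   <ISO timestamp> actor=<pid>:<image> terminate target=<image>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<pid>\d+):(?P<actor>\S+) terminate target=(?P<target>\S+)$"
)


def detect_av_killer(lines, threshold=3, window=timedelta(seconds=10)):
    """Alert on any actor that terminates at least `threshold` distinct
    KILL_LIST processes within `window`. A per-actor deque holds only the
    recent hits, so a long log can be streamed line by line."""
    recent = defaultdict(deque)  # (pid, image) -> deque of (ts, target)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        target = m["target"].lower()
        if target not in KILL_LIST:
            continue  # terminating something else is not this signal
        ts = datetime.fromisoformat(m["ts"])
        key = (int(m["pid"]), m["actor"].lower())
        dq = recent[key]
        dq.append((ts, target))
        while dq and ts - dq[0][0] > window:
            dq.popleft()  # drop hits that fell out of the window
        distinct = {t for _, t in dq}
        if len(distinct) >= threshold:
            entry = alerts.setdefault(key, {
                "pid": key[0], "image": key[1],
                "first_seen": dq[0][0].isoformat(), "killed": set()})
            entry["killed"] |= distinct
    return [dict(a, killed=sorted(a["killed"])) for a in alerts.values()]


# Constructed sample log: one worm-like burst from a double-extension
# binary, and a slow, spread-out series from a service that must not alert.
SAMPLE_LOG = """\
2003-06-05T10:00:00 actor=4100:explorer.exe terminate target=notepad.exe
2003-06-05T10:00:01 actor=5120:report.doc.pif terminate target=navw32.exe
2003-06-05T10:00:01 actor=5120:report.doc.pif terminate target=navapw32.exe
2003-06-05T10:00:02 actor=5120:report.doc.pif terminate target=zonealarm.exe
2003-06-05T10:00:02 actor=5120:report.doc.pif terminate target=esafe.exe
2003-06-05T10:30:00 actor=6000:services.exe terminate target=scan32.exe
2003-06-05T10:30:05 actor=6000:services.exe terminate target=vsstat.exe
2003-06-05T10:31:00 actor=6000:services.exe terminate target=zonealarm.exe
"""

if __name__ == "__main__":
    for alert in detect_av_killer(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are tuning knobs, not facts from the advisory: three distinct security processes in ten seconds is chosen here because the worm iterates its list in one pass at startup, while administrators and updaters stop one product at a time.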
eSafe Users
eSafe users are protected against this vandal using the latest vandal/virus update.
Update date: 5 June 2003
Update version: EV111-SV202
eSafe Enterprise and Desktop Users
An update is available from here.
eSafe Gateway 3.x and eSafe Mail
You can use the "Update now" option from within the product eConsole.
New Users
More information about eSafe Content Security Products as well as trial versions is available from here.
|