Virus Advisory: New Bugbear Worm

By SmallBusinessComputing Staff | Posted October 01, 2002
Wayne N. Kawamoto
Managing Editor, www.smallbusinesscomputing.com

AVERT (Anti-Virus Emergency Response Team), a division of Network Associates, assigned a medium risk assessment to the recently discovered W32/Bugbear@MM, also known as Bugbear. According to the organization, Bugbear is a destructive mass-mailing worm that spreads via network shares and by emailing itself to the user's local address book. It also contains a backdoor Trojan component that contains keylogging functionality. It was first reported to McAfee AVERT UK research Lab Monday morning, and has been found in numerous countries including the United States, England and India.

Symptoms
Bugbear is an Internet worm that once activated, emails itself to addresses found on the local system in the user's address book. When run on the victim's machine, Bugbear copies itself into the Window Directory System as a random executable file with the file extension .EXE). The Local Machine Registry key is set in order to hook next system startup. The worm then copies itself to the Startup folder on the victim's machine as ***.EXE, where "***" is a random file. Because Bugbear utilizes numerous subject headers, users should immediately delete email containing the following:

Subject:

  • Found
  • Daily Email Reminder
  • Just a reminder
  • Lost
  • Market Update Report
  • Membership Confirmation
  • Your News Alert

Body of email:
The message body and attachment name vary. It is common for the attachment name to contain a double-extension such as doc.pif. Outgoing messages make use of the incorrect MIME header in Microsoft Internet Explorer, which can cause IE to execute email attachments in version 5.01 or 5.5 without SP2.

Trojan component
Bugbear opens a port on the victim machine - port 36794 and searches for various running processes, stopping them if found. The list of processes includes many popular AV and personal firewall products. It drops a DLL on the victim machine - keylogger related. This DLL is detected as PWS-Hooker.dll.

Once Bugbear infects a computer system, it will attempt to terminate the process of the system's security programs.

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date