Virus Advisory: New Bugbear Worm - Small Business Computing


Oct 1, 2002

Wayne N. Kawamoto
Managing Editor, www.smallbusinesscomputing.com

AVERT (Anti-Virus Emergency Response Team), a division of Network Associates, has assigned a medium risk assessment to the recently discovered W32/Bugbear@MM, also known as Bugbear. According to the organization, Bugbear is a destructive mass-mailing worm that spreads via network shares and by emailing itself to addresses in the user’s local address book. It also includes a backdoor Trojan component with keylogging functionality. It was first reported to the McAfee AVERT UK research lab on Monday morning and has been found in numerous countries, including the United States, England and India.

Symptoms
Bugbear is an Internet worm that, once activated, emails itself to addresses found in the user’s address book on the local system. When run on the victim’s machine, Bugbear copies itself into the Windows System directory as a randomly named executable file (with the file extension .EXE). A Local Machine registry key is set so that the worm runs at the next system startup. The worm then copies itself to the Startup folder on the victim’s machine as ***.EXE, where “***” is a random file name. Because Bugbear uses numerous subject headers, users should immediately delete email containing the following:

Subject:

  • Found
  • Daily Email Reminder
  • Just a reminder
  • Lost
  • Market Update Report
  • Membership Confirmation
  • Your News Alert

Body of email:
The message body and attachment name vary. The attachment name commonly contains a double extension such as doc.pif. Outgoing messages make use of the incorrect MIME header vulnerability in Microsoft Internet Explorer, which can cause IE version 5.01 or 5.5 without SP2 to execute email attachments.
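
A mail-filter check for the indicators listed above, as an added example that is not part of the original advisory: it flags the listed subject lines, double-extension attachment names, and attachments whose declared MIME type does not fit an executable file name. The extension lists, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy

# Subject lines listed in the advisory.
SUBJECTS = {"found", "daily email reminder", "just a reminder", "lost",
            "market update report", "membership confirmation", "your news alert"}
# Assumption: extensions Windows runs directly (the advisory names .pif and .EXE).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat"}
# Assumption: harmless-looking extensions used as the first half of a double extension.
DECOY_EXTS = {"doc", "xls", "txt", "jpg", "gif", "htm", "html"}


def score_message(raw):
    """Return the list of advisory indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Trailing dots and spaces are ignored by Windows, so strip them first.
        pieces = name.lower().rstrip(". ").split(".")
        if pieces[-1] not in EXECUTABLE_EXTS:
            continue
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
            hits.append("double-extension")
        # A media or text type declared for an executable file name is a mismatch.
        if part.get_content_maintype() in {"audio", "image", "video", "text"}:
            hits.append("mime-mismatch")
    return hits


def build_sample(subject, filename, ctype):
    """Constructed test message: one text part plus one named attachment."""
    return (
        f"From: a@example.com\r\nSubject: {subject}\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
        f"--b1\r\nContent-Type: {ctype}\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        "placeholder\r\n--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    print(score_message(build_sample("Market Update Report", "report.doc.pif", "image/gif")))
    print(score_message(build_sample("Lunch on Friday", "notes.doc", "application/msword")))
```

Because the subject lines are ordinary phrases, a subject match alone is weak evidence; the attachment indicators are the stronger signal for quarantine.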

Trojan component
Bugbear opens port 36794 on the victim machine and searches for various running processes, stopping them if found. The list of processes includes many popular AV and personal firewall products. It also drops a keylogger-related DLL on the victim machine; this DLL is detected as PWS-Hooker.dll.

Once Bugbear infects a computer system, it will attempt to terminate the processes of the system’s security programs.
