BugBear-B Virus
Win32:Bugbear-B is an Internet virus written in Microsoft C and packed with UPX. It is
polymorphic: it combines UPX file compression with simple encryption.
The virus spreads via email and via network shares. It drops a trojan
horse with keylogging and backdoor capabilities. The virus arrives as a
randomly named attachment in an email message with a variable subject and body.
The attachment can have the same filename as another file on the infected
computer. The attachments can have double extensions, with the final
extension being EXE, SCR or PIF. It uses the well-known IFrame exploit, which
allows it to run automatically on unpatched, vulnerable computers.
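The two attachment traits described above (a double extension ending in EXE, SCR or PIF, and an HTML body carrying an IFRAME) are simple to check for at a mail gateway. The following is an added example, not code from the alert or from any vendor; the sample message it parses is constructed for illustration and is not a real Bugbear-B capture.

```python
import re
from email import message_from_string

# Final extensions the alert lists for Bugbear-B's attachments.
DANGEROUS_FINAL_EXT = {"exe", "scr", "pif"}

# Matches names such as "budget.xls.scr": a base name, an inner extension,
# then the final extension (captured) that we compare against the set above.
DOUBLE_EXT_RE = re.compile(r"^.+\.[a-z0-9]{1,5}\.([a-z0-9]{1,4})$", re.IGNORECASE)


def is_double_ext_executable(filename: str) -> bool:
    """True if the name carries two extensions and the last is EXE/SCR/PIF."""
    m = DOUBLE_EXT_RE.match(filename.strip())
    return bool(m) and m.group(1).lower() in DANGEROUS_FINAL_EXT


def triage_message(raw: str) -> dict:
    """Walk a raw RFC 822 message and report the traits the alert describes."""
    msg = message_from_string(raw)
    findings = {"double_ext_attachments": [], "html_iframe": False}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are visited by walk()
        name = part.get_filename()
        if name and is_double_ext_executable(name):
            findings["double_ext_attachments"].append(name)
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if re.search(r"<iframe\b", body, re.IGNORECASE):
                findings["html_iframe"] = True
    return findings


# Constructed sample message (hypothetical addresses, not a real capture).
SAMPLE = """From: sender@example.invalid
To: recipient@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body><iframe height=0 width=0></iframe></body></html>
--XYZ
Content-Type: application/octet-stream; name="budget.xls.scr"
Content-Disposition: attachment; filename="budget.xls.scr"

TVqQAAMAAAAEAAAA
--XYZ--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE))
```

A message that trips both checks is a strong candidate for quarantine; a double extension alone is still worth flagging, since the alert notes the body and subject vary.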
After execution of the infected attachment, the worm copies itself to the
Windows STARTUP and SYSTEM directories under a random name. It then drops the
keylogger into the SYSTEM directory, also under a random name. Then it tries to
copy itself to remote machines with open shared drives over the LAN. It
contains a fixed list of filenames which it tries to infect remotely.
Besides that, it tries to copy itself into the Startup folder. It also opens
port 1080 and listens for commands from outside.
The following registry key is created:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\"xxx" = "****.EXE"
The worm also contains a very long list of antivirus and firewall programs it
tries to kill every 20 seconds.
The worm then searches for email addresses in the current inbox and in files
on the local disk with the following extensions: ODS, MMF, NCH, MBX, EML,
TBB and DBX. It uses its own SMTP routine to send the mails via the SMTP
server found in the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts
It forges the FROM and REPLY-TO fields in a similar way to Win32:Klez-H, so
there is no obvious way to identify the infected computer that actually sent
the message.
Tulsa Computer Society
Don Singleton, President
don@donsingleton.com