    Thread: Bugbear e-mail worm spreading at an alarming rate
    1. #1
      Join Date
      Oct 2001
      Location
      At Peace
      Posts
      440

      Bugbear e-mail worm spreading at an alarming rate

      F-Secure raising alert to highest level as Bugbear becoming the most widespread virus currently in circulation

      Helsinki, Finland, October 2, 2002 - The Bugbear e-mail worm (also known as
      Tanatos) was first seen on Monday, September 30. Since then it has been located in dozens of countries worldwide and continues to spread at an increasing rate. Current statistics show that Bugbear/Tanatos has passed Klez as the most common virus currently in the world. Klez was the most common virus for almost all of 2002.

      Bugbear is a Windows mass mailer, spreading itself in infected e-mail attachments, sometimes executing the attachment automatically. It also tries to spread through open Windows fileshares. A side effect of this is that the worm sometimes prints massive amounts of nonsense text on network printers.

      The worm also attempts to terminate the processes of various antivirus and firewall programs. Once a machine is infected, it can be remotely controlled via a graphical backdoor, allowing the hacker to steal and delete information from affected computers.

      VIRUS OPERATION

      The worm can pick up old e-mail messages from an infected system and send them to random e-mail addresses. This means that private e-mails will be disclosed to third parties. "Forwarding old e-mails is actually a social engineering trick," comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "When people receive such e-mails, they will be baffled by the contents. In many cases they will click on the file attachment just to figure out what the strange e-mail is all about - thereby becoming infected."

      Some e-mails sent by Bugbear will use the IFRAME vulnerability. This means that on an unpatched Windows system the worm attachment will execute automatically as soon as it is previewed or read. In some cases the worm fakes the e-mail address of the sender - making it look as if an innocent third party sent the worm. This creates further confusion and makes it difficult to warn the infected parties of the problem.

      The worm spreads effectively within corporate LANs once one machine gets infected via e-mail. The worm will enumerate all network shares and try to copy itself to them. On Windows machines with hard drives shared for several users, the worm attempts to copy itself to the Startup folder, activating when the machine is rebooted. The worm tries to copy itself to all types of shared network resources - including printers. Printers will not and cannot get infected by Bugbear, but they will attempt to print out the binary code of the worm - resulting in dozens or hundreds of pages of garbage.

      The Bugbear worm tries to terminate various processes in the memory of an infected computer. This includes processes used by most of the popular antivirus and personal firewall products - including the outdated F-Secure Anti-Virus v4.x series. However, the worm does not affect the current F-Secure Anti-Virus v5.x series. In any case, the worm can only attack security programs if it executes in the first place - and up-to-date anti-virus programs will prevent it from executing. "As this worm is already widespread, there must now be thousands and thousands of computers in the Internet without any antivirus or firewall protection, because Bugbear has removed them," comments Hypponen.

      The worm will install a backdoor to all infected systems. This backdoor can be exploited by the virus writer or by hackers, allowing them to connect to infected machines using a web browser. The worm will show a web user interface through which the attacker can browse local files or execute programs. "We haven't seen such an advanced backdoor in a worm before," says Mikko Hypponen. "Fortunately, it is not easy for script kiddies to enable this functionality."

      "It was such a nice and quiet year virus-wise - up until the middle of September," continues Hypponen. "After that we have had many large outbreaks, including the Slapper and Devnull Linux worms, and the Opaserv and Bugbear Windows worms."

      The year 2001 is generally considered to have been the worst virus year ever. "During 2002, the Klez virus has been the most common virus for months and months. As Bugbear is quite similar to Klez in many ways, I am afraid Bugbear will still be widespread in 2003," finishes Mikko Hypponen from F-Secure Corporation.

      A detailed technical description of the worm as well as screenshots are available in the Global Bugbear Information Center at _http://www.F-Secure.com/bugbear/.

      F-Secure Anti-Virus 5.40 can detect, stop and disinfect the Bugbear worm, even if the system is already infected with the worm. F-Secure Anti-Virus can be downloaded from
      _http://www.f-secure.com

      LaZorMan
      Retired, but not forgotten

    2. #2
      Join Date
      Oct 2001
      Location
      At Peace
      Posts
      440
      Here is some more information about the worm.

      After execution of the infected attachment, the worm copies itself to the WINDOWS\SYSTEM directory under a four-character random name, then copies itself to the Windows STARTUP directory under a three-character random name. Then it tries to copy itself to remote machines with open shared drives over the LAN under a three-character random name. It also opens port 36794 and listens for commands from outside. The worm then drops the trojan keylogger into the following files: C:\WINDOWS\SYSTEM\ICCYOA.DLL, C:\WINDOWS\SYSTEM\LGGUQAA.DLL, C:\WINDOWS\SYSTEM\ROOMUAA.DLL, C:\WINDOWS\OKKQSA.DAT and C:\WINDOWS\USSOWA.DAT. When it tries to spread over the LAN, it can also affect the network printers - these cannot be infected by the worm, but it can print a lot of garbage on them.

      The following registry key is created:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once\"tie" = "****.EXE"

      The worm also tries to disable some antivirus and firewall programs:
      _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLAW95.EXE, CLAW95CF.EXE, CLEANER.EXE, CLEANER3.EXE, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE, ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, F-PROT.EXE, F-PROT95.EXE, F-STOPW.EXE, FINDVIRU.EXE, FP-WIN.EXE, FPROT.EXE, FRW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFACE.EXE, IOMON98.EXE, JEDI.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, N32SCANW.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, PAVSCHED.EXE, PAVW.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, VET95.EXE, VETTRAY.EXE, VSCAN40.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSTAT.EXE, WEBSCANX.EXE, WFINDV32.EXE and ZONEALARM.EXE.

      The worm then searches for email addresses in the current inbox and in files on the local disk with the following extensions: MMF, NCH, MBX, EML, TBB and DBX. It uses its own SMTP routine to send the mails via the SMTP server found in the following registry key:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts

      It falsifies the FROM field in a similar way to Win32:Klez-H, so there is no obvious way to find the real sender (the infected computer).

      Removal:
      Delete all files infected by Win32:BugBear. If the worm is active, however, the files can be blocked. You need to deactivate the virus first - either via Task Manager or by removing its registry key and rebooting the computer.

      LaZorMan
      Retired, but not forgotten
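
Added example, not part of the thread or of any vendor tool: a small host-side hunt script that checks collected artefacts from a suspect machine against the indicators post #2 lists (the five dropped DLL/DAT files, a RunOnce value named "tie" pointing at a randomly named .EXE, a listener on TCP 36794, and a three-letter .EXE in the Startup folder). The file listing, registry export and netstat output below are constructed sample inputs, not real captures; the post writes the key as "Run Once", so the registry parser accepts either spelling. The Startup-name check is a heuristic only and is labelled as such in the code.

```python
import re

# Host indicators quoted from post #2 above (file names, RunOnce value
# name, backdoor port).
DROPPED_FILES = {
    r"C:\WINDOWS\SYSTEM\ICCYOA.DLL",
    r"C:\WINDOWS\SYSTEM\LGGUQAA.DLL",
    r"C:\WINDOWS\SYSTEM\ROOMUAA.DLL",
    r"C:\WINDOWS\OKKQSA.DAT",
    r"C:\WINDOWS\USSOWA.DAT",
}
RUNONCE_VALUE = "tie"
BACKDOOR_PORT = 36794

# Constructed sample inputs (not real captures) standing in for what an
# admin would collect from a suspect host: a file listing, a .reg export
# of the RunOnce key and 'netstat -an' output.
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
    r"C:\WINDOWS\SYSTEM\iccyoa.dll",
    r"C:\WINDOWS\OKKQSA.DAT",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\QXZ.EXE",
]
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tie"="ABCD.EXE"
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""


def find_dropped_files(paths):
    """Return listed paths matching one of the dropped files (case-insensitive)."""
    wanted = {p.lower() for p in DROPPED_FILES}
    return sorted(p for p in paths if p.lower() in wanted)


def find_runonce_value(reg_text):
    """Return the data of a RunOnce value named 'tie', or None if absent."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # Accept both 'RunOnce' and the post's spelling 'Run Once'.
        if section and re.search(r"\\Run\s?Once$", section, re.I):
            m = re.match(r'"(?P<name>[^"]+)"="(?P<data>[^"]*)"', line)
            if m and m.group("name").lower() == RUNONCE_VALUE:
                return m.group("data")
    return None


def find_backdoor_listener(netstat_text):
    """True if a TCP socket is in LISTENING state on the backdoor port."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port == BACKDOOR_PORT:
                return True
    return False


def suspicious_startup_names(paths):
    """Heuristic: three-letter .EXE files in a StartUp folder, as the post
    describes the worm's copy. Legitimate short names exist, so treat
    hits as leads to inspect, not as proof of infection."""
    pattern = re.compile(r"\\StartUp\\[A-Za-z]{3}\.EXE$", re.I)
    return [p for p in paths if pattern.search(p)]


def hunt(paths, reg_text, netstat_text):
    """Run every check and return (indicator, evidence) findings."""
    findings = [("dropped_file", f) for f in find_dropped_files(paths)]
    exe = find_runonce_value(reg_text)
    if exe:
        findings.append(("runonce_tie", exe))
    if find_backdoor_listener(netstat_text):
        findings.append(("backdoor_port", str(BACKDOOR_PORT)))
    findings += [("startup_short_name", p) for p in suspicious_startup_names(paths)]
    return findings


if __name__ == "__main__":
    for kind, evidence in hunt(SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT):
        print(f"{kind}: {evidence}")
```

On a real host the three inputs would come from a directory walk, a `reg export` of the RunOnce key and `netstat -an`; matching on the fixed file names is the strong signal, while the RunOnce and Startup checks only narrow down the random-name copies the post says the worm makes.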

    3. #3
      Join Date
      Apr 2002
      Location
      uk
      Posts
      4,393
      Is this also responsible for an above average number of UDP 137 (Netbios) portscans - or is something else resulting in broad-spectrum, low level attacks - I'm sure glad my firewall is up!
      ¡uʍop ǝpısdn ɹoʇıuoɯ ʎɯ pǝuɹnʇ oɥʍ ¡ʎǝɥ

    4. #4
      Join Date
      Oct 2001
      Location
      colombia
      Posts
      1,030
      thx for the info Lazorman

    5. #5
      Join Date
      Apr 2002
      Location
      uk
      Posts
      4,393
      Discovered NETWORK.VBS is the beastie behind the abnormal rate of UDP 137 scans.

      It's also a source of targets if you want to scan for shares, since it's a sure sign of lax security.

      I tightened my defences, now I can't SEE the UDP137 traffic at all - it's dumped even before it hits the firewall.
      ¡uʍop ǝpısdn ɹoʇıuoɯ ʎɯ pǝuɹnʇ oɥʍ ¡ʎǝɥ
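
Added example, not part of the thread: the "abnormal rate of UDP 137 scans" the posts above describe can be told apart from ordinary NetBIOS noise by counting distinct targets per source inside a sliding time window. The firewall log lines below are constructed (timestamp, action, protocol, source, destination, destination port), and the window and threshold are assumptions to tune per site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines, not a real capture: one source sweeps
# five hosts in nine seconds, another touches two hosts five minutes apart.
SAMPLE_LOG = """\
2002-10-03 09:00:00 DROP UDP 198.51.100.7 203.0.113.5 137
2002-10-03 09:00:02 DROP UDP 198.51.100.7 203.0.113.6 137
2002-10-03 09:00:03 DROP UDP 198.51.100.7 203.0.113.7 137
2002-10-03 09:00:05 DROP UDP 198.51.100.7 203.0.113.8 137
2002-10-03 09:00:09 DROP UDP 198.51.100.7 203.0.113.9 137
2002-10-03 09:00:10 DROP UDP 192.0.2.44 203.0.113.5 137
2002-10-03 09:05:00 DROP UDP 192.0.2.44 203.0.113.6 137
2002-10-03 09:10:00 DROP TCP 192.0.2.99 203.0.113.5 80
"""


def parse_line(line):
    """Split one log line into (timestamp, action, proto, src, dst, dport)."""
    date, time, action, proto, src, dst, dport = line.split()
    return datetime.fromisoformat(f"{date} {time}"), action, proto, src, dst, int(dport)


def find_netbios_scanners(log_text, window_seconds=60, min_targets=4):
    """Return {src: peak distinct UDP/137 targets within any window} for
    sources whose peak reaches min_targets. Window and threshold are
    assumed values for illustration."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, proto, src, dst, dport = parse_line(line)
        if proto == "UDP" and dport == 137:
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()  # events from this source inside the current window
        peak = 0
        for ts, dst in evs:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({d for _, d in recent}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in find_netbios_scanners(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct NetBIOS targets within 60s")
```

Counting distinct destinations rather than raw packets is what separates a share sweep from a single chatty host retrying name queries; once 137/udp is dropped at the perimeter, as the poster did, this detection has to run on the device doing the dropping, since nothing behind it will see the traffic.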

    6. #6
      Fixing tool..
      Attached Files
      You can be anything you want to be, just turn yourself into anything you think that you could ever be

      Warez are NOT allowed here !

    7. #7
      Join Date
      Nov 2001
      Location
      on earth
      Posts
      1,524
      Lazorman nice thank you

      lore, thank you too

    8. #8
      Join Date
      Nov 2001
      Location
      Chester
      Posts
      28

      New Virus Bugbear Remover.

      Hi,

      apparently this new virus is doing the rounds, here is a checker
      and remover for all worried parties, enjoy and glad to share
      something at last.


      Xoltana.

      Tnx For your post BUT please use the Search Button before posting >>> U would have found this Thread >>> I have merged yours with it >>> joripe
      Attached Files

    9. #9
      Join Date
      Oct 2001
      Location
      colombia
      Posts
      1,030
      looks like this one bit me

      had to reinstall xp

    10. #10
      Join Date
      Feb 2002
      Location
      Croatia
      Posts
      424
      Sorry to hear that
      Dreaming as the days go by,
      Dreaming as the summers die:
      Ever drifting down the stream
      Lingering in the golden gleam
      Life, what is it but a dream

      Lewis Carroll

