Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Bugbear.B (also known as Tanatos.B)
Preliminary description
NOD32 version 1.429 and above is able to clean this infiltration
Win32/Bugbear.B is a worm that spreads under Windows operating systems and carries a backdoor component. It resembles its older variant, Bugbear.A. The worm spreads as an e-mail attachment and through open shares on the local network. The worm body is encrypted with a polymorphic encryptor and, in addition, packed with the UPX runtime packer. The worm is 72192 bytes long and uses the old double-extension trick: Windows shows the first extension of a double-extension file name and keeps the second, real one hidden.
Note: In what follows, the Windows installation directory (which may differ from computer to computer) is referred to by the symbolic string %windir%.
Once the infected attachment has been executed, the worm creates a directory with a randomly generated name in %windir%\System. This directory holds the so-called keylogger, a dynamic-link library that records every key pressed by the user on the infected computer. The worm also copies itself, under a random name (such as sqxp.exe), into the "Start Menu\Programs\Startup" directory.
In the next step, the worm terminates programs (processes) running in memory on the infected computer. The long list of processes to be disabled consists of various resident antivirus programs, firewalls, and other security utilities. The following list has been retrieved from the worm body:
ZONEALARM.EXE
PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE
ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE
AVWUPD32.EXE
To find new recipients for the infected e-mails, the worm searches files with the following extensions: .ODS, .MMF, .NCH, .MBX, .EML, .TBB and .DBX. A tricky feature of this worm is that it can attach itself to existing e-mails and send itself out by resending messages that were sent in the past; it can even pose as a reply to an e-mail it found. Finally, the worm can also compose a brand new e-mail with a Subject chosen from this list:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$24150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
The worm has a built-in 'blacklist'; it does not send itself to addresses containing any of the following strings:
remove
spam
undisclosed
recipients
noreply
lyris
virus
trojan
mailer-daemon
postmaster@
root@
nobody@
localhost
localdomain
list
talk
ticket
majordom
A standard piece of 'ammunition' for this worm is a forged sender address: the sender is picked from the list of addresses found on the infected computer.
The message body is either empty or contains text taken from a file found on the infected computer. The infected attachment has two extensions; the first one is selected from the following list:
reg
diz
html
htm
jpeg
jpg
gif
cpl
bmp
while the second one is one of the following executable extensions:
pif
scr
exe
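The two extension lists above are enough for a mail-gateway rule that flags attachment names built the way the description says. The following script is an added example, not ESET's or the page's own code; the decoy and executable extension lists are taken from the description, while the sample attachment names are constructed here. It goes a little beyond the exact pattern: any non-executable extension followed by .pif, .scr or .exe is reported as the general double-extension trick, and the worm's own combination is reported separately.

```python
"""Mail-filter style check for the double-extension attachment names that
Win32/Bugbear.B uses.  Added example; the extension sets come from the
description above, the sample names are constructed for illustration."""

# Decoy (first) extensions the worm picks from, per the description.
DECOY_EXTENSIONS = {"reg", "diz", "html", "htm", "jpeg", "jpg", "gif", "cpl", "bmp"}
# Executable (second) extensions the worm picks from.
EXEC_EXTENSIONS = {"pif", "scr", "exe"}

# Constructed sample of attachment names, as a filter might see them.
SAMPLE_ATTACHMENTS = [
    "report.html.scr",
    "photo.jpg.exe",
    "Bonus.diz.pif",
    "invoice.pdf",
    "readme.txt.exe",
    "setup.exe",
    "notes.HTM.EXE",
]


def split_extensions(filename):
    """Return the lowercase extension components of a filename,
    e.g. 'a.jpg.exe' -> ['jpg', 'exe'].  Whitespace padding inside the
    name (another common decoy) is stripped from each component."""
    parts = filename.strip().split(".")
    if len(parts) < 2:
        return []
    return [p.strip().lower() for p in parts[1:]]


def classify_attachment(filename):
    """Classify an attachment name.

    'bugbear'    : decoy extension from the worm's list directly followed
                   by one of its executable extensions (the exact pattern)
    'disguised'  : some other extension followed by an executable one
                   (the general double-extension trick)
    'executable' : a plain executable attachment, no decoy extension
    'ok'         : nothing suspicious about the name itself
    """
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXEC_EXTENSIONS:
        return "ok"
    if len(exts) == 1:
        return "executable"
    return "bugbear" if exts[-2] in DECOY_EXTENSIONS else "disguised"


def triage(names):
    """Map every attachment name to its verdict; returns a dict."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10s} {name}")
```

Matching is case-insensitive because the worm's extensions are lowercase in the list but Windows file names are not case-sensitive; a filter that only compared `.exe` would miss `.EXE`.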
The worm can also infect .EXE files from the following list:
winzip\winzip32.exe
kazaa\kazaa.exe
ICQ\Icq.exe
DAP\DAP.exe
Winamp\winamp.exe
AIM95\aim.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
Trillian\Trillian.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
StreamCast\Morpheus\Morpheus.exe
QuickTime\QuickTimePlayer.exe
WS_FTP\WS_FTP95.exe
MSN Messenger\msnmsgr.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
CuteFTP\cutftp32.exe
Far\Far.exe
Outlook Express\msimn.exe
Real\RealPlayer\realplay.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
adobe\acrobat 5.0\reader\acrord32.exe
Internet Explorer\iexplore.exe
winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe
NOD32 Antivirus System V1.428 (20030605) detects all Win32/Bugbear.B versions. NOD32 V2, with its advanced heuristics, did not need any update to detect the worm.
To clean an infected computer, carry out the following steps:
- Click the Control Center icon located on the system taskbar
- Restart computer to the Safe mode
- Click "Update now" button (to make sure the latest version of NOD32 database is installed)
- Go to Start > Programs > Eset > NOD32
- In the "Targets" tab, select all available hard disks by double-clicking the appropriate icon
- Click the "Clean" button
- When an infected file is found and an action is offered, click "Clean"
- Restart the system
NOTE:
Under Windows ME or XP it can happen that the infected files restore themselves. This problem occurs with various viruses and is described here.
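Before or after the cleaning steps above, it helps to confirm the host-side indicator the description gives: a randomly named executable of exactly 72192 bytes dropped into the "Start Menu\Programs\Startup" directory. The following triage script is an added example, not ESET's code; the file size and the Startup path come from the description, the Startup-folder resolution via %USERPROFILE% and %ALLUSERSPROFILE% is an assumption about the reader's environment, and the allow-list is a placeholder to be filled with the site's own known-good startup entries.

```python
"""Triage helper for the Startup-folder indicator described above.
Added example; the 72192-byte length and the Startup path are from the
description, the environment-variable lookup and the allow-list are
assumptions the reader should adjust."""

import os
import tempfile
from pathlib import Path

WORM_SIZE = 72192                        # worm length given in the description
EXEC_SUFFIXES = {".exe", ".pif", ".scr"}  # executable extensions the worm uses
KNOWN_GOOD = set()                        # hypothetical allow-list of lowercase names


def default_startup_dirs():
    """Startup folders as named in the description, resolved from the
    environment (assumption: per-user and all-users profile variables)."""
    dirs = []
    for base in (os.environ.get("USERPROFILE"), os.environ.get("ALLUSERSPROFILE")):
        if base:
            dirs.append(Path(base) / "Start Menu" / "Programs" / "Startup")
    return dirs


def scan_startup_dir(directory):
    """Return a list of (path, size, verdict) for executables in `directory`.

    'size-match' : the file is exactly the worm's length
    'known'      : the name is on the allow-list
    'unknown'    : any other executable, worth a look but not a match
    A missing directory yields an empty list."""
    findings = []
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in EXEC_SUFFIXES:
            continue
        size = entry.stat().st_size
        if entry.name.lower() in KNOWN_GOOD:
            verdict = "known"
        elif size == WORM_SIZE:
            verdict = "size-match"
        else:
            verdict = "unknown"
        findings.append((str(entry), size, verdict))
    return findings


def suspicious(findings):
    """Keep only the entries that match the worm's length."""
    return [f for f in findings if f[2] == "size-match"]


def make_constructed_sample(root):
    """Build a fake Startup folder (constructed data, not a real infection):
    a 72192-byte 'sqxp.exe' as in the description, a harmless shortcut and
    a small unrelated executable.  Returns the path of the fake worm copy."""
    root = Path(root)
    worm = root / "sqxp.exe"
    worm.write_bytes(b"\0" * WORM_SIZE)
    (root / "shortcut.lnk").write_bytes(b"")
    (root / "tool.exe").write_bytes(b"MZ")
    return str(worm)


if __name__ == "__main__":
    # Demonstrate on a constructed sample first, then on the real folders.
    with tempfile.TemporaryDirectory() as sample:
        make_constructed_sample(sample)
        for path, size, verdict in scan_startup_dir(sample):
            print(f"{verdict:10s} {size:7d} {path}")
    for d in default_startup_dirs():
        for path, size, verdict in scan_startup_dir(d):
            print(f"{verdict:10s} {size:7d} {path}")
```

A size match alone is a weak indicator, so the script reports every executable in the folder and leaves the final call to the NOD32 scan; the point is to know which file to submit or quarantine if the cleaning step has to be repeated under Windows ME or XP.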