Threat Encyclopedia

Win32/Bugbear.A

Aliases: I-Worm.Tanatos

Win32/Bugbear is a worm that runs in the Windows operating system environment. It spreads as a file attached to electronic mail. Its body is packed with the PE LOCK utility; the file size is 50688 bytes. It uses a trick with two extensions in the file name: Windows shows the first extension, while the second, real one is hidden. The worm also has a backdoor component and the ability to spread across the local network.

Note: in the following section the symbolic name %windir% is used in place of the Windows system directory, whose name can differ from version to version.

After the attached file is executed, the worm copies itself to the directory %windir%\System under a random name (e.g. hatc.exe) and also to the directory %windir%\Start Menu\Programs\Start Up\, again under a random name (e.g. ias.exe). In the directory %windir%\System it creates files with random names and the extension .dll (e.g. daxmmjm.dll, favuupu.dll and gauyys.dll). In the system registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ it creates the entry "lap" with a value pointing to the file created in the directory %windir%\System.

The worm terminates processes whose names match a list carried in the worm body. These names belong to various resident anti-virus programs, firewalls and security utilities. The list is quite large:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

To spread itself, it searches for e-mail addresses in files with the extensions .ODS, .MMF, .NCH, .MBX, .EML, .TBB and .DBX. The message it sends may have one of the following subjects:

Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re: Your News
Alert
Hi!
Get 8 FREE issues - no risk!
Greets!

The copy of the worm attached to this message always has two extensions. The first is one of the following:

reg
ini
bat
h
diz
txt
cpp
c
html
htm
jpeg
jpg
gif
cpl
bmp

The second is SCR, PIF or EXE. Because of the way the worm builds the message it spreads in, it is possible that sensitive information from the infected computer is sent out as well.

The worm exploits a bug found in various versions of MS Internet Explorer, MS Outlook and Outlook Express. In particular, it takes advantage of the Microsoft IE MIME Header Attachment Execution Vulnerability, which allows a program to be executed on the target computer when the e-mail is previewed or viewed. The description of the bug can be found at: www.microsoft.com/technet/security/bulletin/MS01-020.asp, and the corresponding fix at: www.microsoft.com/windows/ie/download/critical/Q290108/default.asp. This fix is needed if Internet Explorer version 5.01 or 5.5 is used.
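As an added example (not ESET's code and not part of the original entry), a small Python screen for incoming mail that flags the two patterns described above: an attachment name with a decoy extension in front of SCR, PIF or EXE, and an attachment declared under a harmless MIME type while carrying an executable name, which is the header mismatch MS01-020 concerns. The extension lists come from the entry; the set of harmless content types and the sample message are constructed assumptions.

```python
from email import message_from_string

# Decoy extensions the worm shows first and the executables hidden behind them (from the entry).
DECOY_EXTS = {"reg", "ini", "bat", "h", "diz", "txt", "cpp", "c",
              "html", "htm", "jpeg", "jpg", "gif", "cpl", "bmp"}
REAL_EXTS = {"scr", "pif", "exe"}
# Illustrative set (an assumption) of types no genuine executable declares.
HARMLESS_TYPES = {"text/plain", "audio/x-wav", "image/jpeg", "image/gif"}

def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'invoice.txt.scr': a decoy extension that
    Explorer shows, followed by the executable one it hides."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in REAL_EXTS

def has_type_mismatch(content_type: str, filename: str) -> bool:
    """True when a part claims a harmless MIME type but carries an
    executable name, the header/attachment mismatch behind MS01-020."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return content_type.lower() in HARMLESS_TYPES and ext in REAL_EXTS

def screen_message(raw: str) -> list:
    """Walk every MIME part of a raw message and return the reasons it
    matches the Bugbear attachment pattern; an empty list means no match."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        if is_double_extension_lure(name):
            findings.append(f"double extension: {name}")
        if has_type_mismatch(part.get_content_type(), name):
            findings.append(f"type mismatch ({part.get_content_type()}): {name}")
    return findings

# Constructed sample message (not a real capture) with one of the worm's
# subjects and a double-extension attachment under a misleading MIME type.
SAMPLE_MAIL = """\
Subject: Payment notices
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="invoice.txt.scr"
Content-Disposition: attachment; filename="invoice.txt.scr"

dGVzdA==
--b1--
"""
```

Running `screen_message(SAMPLE_MAIL)` returns both findings for the constructed message; a gateway would act on any non-empty result.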

The backdoor component of the worm enables remote access to the infected computer. It also installs a trojan on the system, in one of the files created in the directory %windir%\System. This component of the worm has a size of 5632 bytes.

NOD32 (version 1.308 and higher) detects and cleans this worm.

To clean an infected computer, carry out the following steps:

  • Click the Control Center icon located on the system taskbar
  • Click the "Update now" button (to make sure the latest version of the NOD32 database is installed)
  • Go to Start > Programs > Eset > NOD32
  • In the "Targets" tab select all available hard disks by double-clicking the appropriate icons
  • Click the "Clean" button
  • When an infected file is found and an action is offered, click "Delete"
  • Restart the system