Win32/Bugbear is a worm that runs on 32-bit Windows. It spreads as a file attached to e-mail; its body is packed with the PE LOCK utility and the file is 50688 bytes long. The attachment name uses the double-extension trick: with its default setting of hiding extensions for known file types, Windows Explorer displays the first extension and hides the second, real one. The worm also carries a backdoor component and can spread across the local network.
Note: in the following text, %windir% stands for the Windows system directory, whose name differs between Windows versions.
When the attachment is executed, the worm copies itself to %windir%\System under a random name (e.g. hatc.exe) and to %windir%\Start Menu\Programs\StartUp\ under another random name (e.g. ias.exe). In %windir%\System it also creates files with random names and the .dll extension (e.g. daxmmjm.dll, favuupu.dll and gauyys.dll). In the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce it creates the value "lap", pointing to the copy it placed in %windir%\System.
The worm terminates running processes whose names match a list carried in its body. The names belong to resident anti-virus programs, personal firewalls and other security utilities; the list is long:
To spread, it harvests e-mail addresses from files with the extensions .ODS, .MMF, .NCH, .MBX, .EML, .TBB and .DBX. The messages it sends may have one of the following subjects:
Just a reminder
Correction of errors
I need help about script!!!
Get a FREE gift!
Today Only New Contests
Lost & Found
click on this!
Market Update Report
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Re: Your News
Get 8 FREE issues - no risk!
A copy of the worm is attached to the message, and the attachment name always has two extensions. The first is one of the following:
The second is SCR, PIF or EXE. Because of the way the worm constructs the messages it sends, confidential information from the infected computer may be sent out with them.
The worm exploits a vulnerability present in several versions of Microsoft Internet Explorer, Outlook and Outlook Express: the Microsoft IE MIME Header Attachment Execution Vulnerability, which lets an attached program run on the target computer as soon as the message is previewed or viewed, without the user opening the attachment. The bug is described in Microsoft bulletin MS01-020 (www.microsoft.com/technet/security/bulletin/MS01-020.asp) and the fix is available at www.microsoft.com/windows/ie/download/critical/Q290108/default.asp. The fix is needed on Internet Explorer 5.01 and 5.5; mail clients that render messages through the IE engine are protected once it is installed.
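The two delivery tricks described above (an attachment name with two extensions ending in .scr/.pif/.exe, and a MIME part whose declared Content-Type claims a harmless media type while its file name is executable) can both be flagged at the mail gateway. The following is an added example, not Eset's code or part of the original entry: it parses a message and reports either pattern plus any subject from the list above. The sample message is constructed for the demo, the placeholder attachment bytes are not a real executable, and the set of "inline" media types used for the mismatch check is a heuristic assumption, not a list taken from the article.

```python
"""Flag Bugbear-style mail attachments: double extensions and MIME type/name mismatch."""
import email
from email import policy
from email.message import EmailMessage

# Second (real) extensions the article says the worm uses.
EXEC_EXTS = {".exe", ".scr", ".pif"}

# Media types a pre-MS01-020 client would hand to a player or renderer instead of
# treating as an executable attachment. Heuristic assumption for this example.
INLINE_MAINTYPES = {"audio", "image", "text", "video"}

# Subjects listed in the article, lower-cased for case-insensitive matching.
KNOWN_SUBJECTS = {
    "just a reminder", "correction of errors", "i need help about script!!!",
    "get a free gift!", "today only new contests", "lost & found",
    "click on this!", "market update report", "my ebay ads",
    "25 merchants and rising", "call for information!", "daily email reminder",
    "tools for your online business", "new bonus in your cash account",
    "re: your news", "get 8 free issues - no risk!",
}


def split_extensions(filename):
    """'Setup.txt.scr' -> ['.txt', '.scr']; a name without a dot gives []."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def double_extension(filename):
    """True when the name has two or more extensions and the last is executable."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-1] in EXEC_EXTS


def type_mismatch(part):
    """True when an executable file name is declared under an inline media type."""
    exts = split_extensions(part.get_filename() or "")
    return bool(exts) and exts[-1] in EXEC_EXTS and part.get_content_maintype() in INLINE_MAINTYPES


def analyze(raw_bytes):
    """Return a list of finding strings for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        findings.append("subject matches Bugbear list: %r" % subject)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        if double_extension(name):
            findings.append("double extension: " + name)
        if type_mismatch(part):
            findings.append("type mismatch: %s declared as %s" % (name, part.get_content_type()))
    return findings


def build_sample():
    """Constructed demo message (not a real capture) carrying both tricks."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Market Update Report"
    msg.set_content("See attached.")
    # Placeholder bytes standing in for the worm body; not a real executable.
    msg.add_attachment(b"MZ" + b"\x00" * 48, maintype="audio", subtype="x-wav",
                       filename="report.txt.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in analyze(build_sample()):
        print(line)
```

Run against a mailbox export, each message fed to analyze() as bytes; a hit on the type-mismatch rule alone is worth quarantining even when the subject is not on the list, since the subject set changes between variants while the MIME trick does not.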
The backdoor component gives an attacker remote access to the infected computer. The worm also installs a trojan in one of the files it created in %windir%\System; this component is 5632 bytes long.
NOD32 (version 1.308 and later) detects and cleans this worm.
To clean an infected computer, carry out the following steps:
- Click the Control Center icon in the system tray
- Click the "Update now" button (to make sure the latest NOD32 database is installed)
- Go to Start > Programs > Eset > NOD32
- In the "Targets" tab, select all available hard disks by double-clicking the appropriate icons
- Click the "Clean" button
- When an infected file is found and an action is offered, click "Delete"
- Restart the system
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.