Threat Encyclopedia


Win32/Bugbear.B

Alias: Tanatos.B

Preliminary description

NOD32 version 1.429 and above is able to clean this infiltration

Win32/Bugbear.B is a worm that spreads under Windows operating systems and carries a backdoor component. It resembles its older variant, Bugbear.A. The worm spreads as an e-mail attachment and via open shares on the local network. The worm body is encrypted by a polymorphic encryptor and, in addition, packed with the UPX runtime packer. The worm is 72192 bytes long and uses an old double-extension trick: the Windows operating system displays the first extension of a double-extension file name, while the second one is kept hidden.

Note: In what follows, the Windows installation directory (which may differ between computers) is referred to by the symbolic string %windir%.

After the infected attachment has been executed, a directory with a randomly generated name is created in the %windir%\System directory. The newly created directory holds the so-called "keylogger", a dynamic library that stores a record of all the keyboard keys pressed by the user on the infected computer. The worm also copies itself, under a random name (such as sqxp.exe), into the "Start Menu\Programs\Startup" directory.

In the next step, the worm terminates programs (processes) running in the memory of the infected computer. The long list of processes to be disabled consists of various resident antivirus programs, firewalls and other security utilities. The following list has been retrieved from the worm body:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

To find new recipients for the infected e-mails, the worm searches through files with the following extensions: .ODS, .MMF, .NCH, .MBX, .EML, .TBB and .DBX. A tricky feature of this worm is that it can append itself to existing e-mails and/or send itself by resending e-mails that were sent in the past. What is especially tricky is its ability to pretend to be a reply to an e-mail it has found. Finally, the worm can also create a brand new e-mail with a Subject selected from this list:

Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$24150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!

The worm has a built-in 'blacklist'; it does not send itself to addresses containing any of the following strings:

remove
spam
undisclosed
recipients
noreply
lyris
virus
trojan
mailer-daemon
postmaster@
root@
nobody@
localhost
localdomain
list
talk
ticket
majordom

Standard 'ammunition' of this worm is to spoof the sender address. The sender can be selected from the list of addresses found on the infected computer.

The e-mail body is either empty or contains text taken from a file found on the infected computer. The infected attachment has two extensions; the first one is selected from the following list:

reg
ini
bat
h
diz
txt
cpp
c
html
htm
jpeg
jpg
gif
cpl
bmp

while the second one is one of the following executable extensions:

pif
scr
exe
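
As an added example (not part of this encyclopedia entry and not NOD32 code), the following Python check classifies attachment file names using the decoy and executable extension lists above together with the stated 72192-byte body length; it also generalizes the page's rule by flagging any executable extension hidden behind another extension. The sample attachment list is constructed.

```python
# Added example (not from the encyclopedia entry or NOD32): flag Bugbear.B-style
# double-extension attachments. Lists and 72192-byte length are from the text above.
DECOY_EXTENSIONS = {  # visible (decoy) extensions the worm puts first
    "reg", "ini", "bat", "h", "diz", "txt", "cpp", "c",
    "html", "htm", "jpeg", "jpg", "gif", "cpl", "bmp",
}
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe"}  # real extension hidden behind the decoy
BUGBEAR_B_LENGTH = 72192  # worm body length stated above

def split_extensions(filename):
    """All extensions of a file name, lower-cased: 'dir\\a.txt.PIF' -> ['txt', 'pif']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.lower().split(".")[1:]

def classify_attachment(filename, size=None):
    """'bugbear-b': decoy/executable pair from the lists above plus the known length;
    'double-extension': any executable hidden behind another extension (generalized);
    'executable': plain executable; 'ok': anything else."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(exts) >= 2:
        if exts[-2] in DECOY_EXTENSIONS and size == BUGBEAR_B_LENGTH:
            return "bugbear-b"
        return "double-extension"
    return "executable"

def scan_attachments(attachments):
    """Return [(name, verdict)] for every (name, size) pair not classified 'ok'."""
    flagged = []
    for name, size in attachments:
        verdict = classify_attachment(name, size)
        if verdict != "ok":
            flagged.append((name, verdict))
    return flagged

# Constructed sample mail: Bugbear.B-style name, generic decoy, plain exe, clean file.
SAMPLE_ATTACHMENTS = [
    ("Market Update Report.txt.pif", 72192),
    ("holiday.jpg.scr", 40960),
    ("tool.exe", 5120),
    ("readme.txt", 1200),
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:17s} {name}")
```

A mail gateway would quarantine anything classified other than 'ok'; the length check only narrows a decoy/executable pair to this specific variant.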

The worm can also infect .EXE files from the following list:

winzip\winzip32.exe
kazaa\kazaa.exe
ICQ\Icq.exe
DAP\DAP.exe
Winamp\winamp.exe
AIM95\aim.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
Trillian\Trillian.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
StreamCast\Morpheus\Morpheus.exe
QuickTime\QuickTimePlayer.exe
WS_FTP\WS_FTP95.exe
MSN Messenger\msnmsgr.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
CuteFTP\cutftp32.exe
Far\Far.exe
Outlook Express\msimn.exe
Real\RealPlayer\realplay.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
adobe\acrobat 5.0\reader\acrord32.exe
Internet Explorer\iexplore.exe
winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe

NOD32 Antivirus System V1.428 (20030605) detects all Win32/Bugbear.B versions. NOD32 V2, using its advanced heuristics, did not need any update to detect the worm.

To clean an infected computer, the following steps need to be carried out:

  • Click the Control Center icon located on the system taskbar
  • Restart the computer in Safe mode
  • Click the "Update now" button (to make sure the latest version of the NOD32 database is installed)
  • Go to Start > Programs > Eset > NOD32
  • In the "Targets" tab, select all available hard disks by double-clicking the appropriate icons
  • Click the "Clean" button
  • When an infected file is found and an action is offered, click "Clean"
  • Restart the system

NOTE:
Under the Windows ME or XP operating systems it can happen that the infected files restore themselves. This problem can occur with various viruses and is described here.