NOD32 version 1.429 and above is able to clean this infiltration
Win32/Bugbear.B is a worm spreading under Windows operating systems with a backdoor component. It resembles its older variant, Bugbear.A. The worm spreads in e-mail attachments and via open local network shares. The worm body is encrypted by a polymorphic encryptor and, in addition, packed by the UPX runtime packer. The worm is 72192 bytes in length and uses an old double-extension trick: Windows displays the first extension of a double-extension file, while the second one is kept hidden.
Note: In what follows, the Windows installation directory (which may differ between computers) is referred to by the symbolic string %windir%.
After the infected attachment has been executed, a directory with a randomly generated name is created in the %windir%\System directory. The newly created directory plays the role of the so-called "keylogger", a dynamic library storing information on all keyboard keys pressed by the user of the infected computer. The worm creates a copy of itself under a random name (such as sqxp.exe) in the "Start Menu\Programs\Startup" directory.
In the next step, the worm deactivates programs (processes) running in the memory of the infected computer. The long list of processes to be disabled consists of various resident antivirus programs, firewalls, and other security utilities. The following list has been retrieved from the worm body:
To find new recipients for the infected e-mails, the worm searches through files with the following extensions: .ODS, .MMF, .NCH, .MBX, .EML, .TBB and .DBX. A tricky feature of this worm allows it to append itself to existing e-mails and/or send itself by resending e-mails that had been sent in the past. What is especially tricky is its ability to pretend to be a reply to an e-mail it found. Finally, the worm can also create a brand new e-mail with a Subject selected from this list:
Get 8 FREE issues - no risk!
Your News Alert
$24150 FREE Bonus!
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
CALL FOR INFORMATION!
25 merchants and rising
My eBay ads
Market Update Report
click on this!
Lost & Found
Get a FREE gift!
I need help about script!!!
Correction of errors
Just a reminder
The worm has a built-in 'blacklist' of the addresses it would not send itself to:
A 'standard ammunition' of this worm is forging the sender address. The sender can be selected from the list of addresses found on the infected computer.
The e-mail body is either empty or contains text retrieved from a file found on the infected computer. The infected attachment has two extensions: the first one is selected from the following list:
while the second one is one of the following executable extensions:
The worm can also infect .EXE files from the following list:
Windows Media Player\mplayer2.exe
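As an added example (not code from the original write-up or from ESET), the following Python mail-gateway check flags the two indicators described above: a Subject taken from the list on this page, and an attachment whose last extension is executable but sits behind a document-like first extension so that Windows shows only the harmless-looking part. The executable and decoy extension sets are the editor's assumptions, since the write-up's own extension lists are not reproduced on this page; the sample message is constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# Subjects reproduced verbatim from the Bugbear.B write-up above.
BUGBEAR_B_SUBJECTS = {
    "Get 8 FREE issues - no risk!", "Your News Alert", "$24150 FREE Bonus!",
    "New bonus in your cash account", "Tools For Your Online Business",
    "Daily Email Reminder", "CALL FOR INFORMATION!", "25 merchants and rising",
    "My eBay ads", "Market Update Report", "click on this!", "Lost & Found",
    "Get a FREE gift!", "I need help about script!!!", "Correction of errors",
    "Just a reminder",
}

# ASSUMPTION: the worm's real extension lists are not on this page; these are
# the editor's choice of common Windows executable and decoy extensions.
EXECUTABLE_EXTS = {"exe", "scr", "pif"}
DECOY_EXTS = {"txt", "doc", "xls", "htm", "html", "jpg", "gif", "zip", "pdf"}

def as_displayed(filename):
    """What a user sees with 'hide extensions for known file types': the
    last extension is stripped, so 'Report.doc.exe' shows as 'Report.doc'."""
    return filename.rsplit(".", 1)[0] if "." in filename else filename

def is_double_extension_executable(filename):
    """True when the final extension is executable and the one before it is
    a document-like decoy, i.e. the double-extension trick described above."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, first, second = parts
    return first in DECOY_EXTS and second in EXECUTABLE_EXTS

def scan_message(raw_bytes):
    """Return a list of Bugbear.B-style indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "")).strip()
    if subject in BUGBEAR_B_SUBJECTS:
        findings.append(f"subject matches Bugbear.B list: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension_executable(name):
            findings.append(f"double-extension executable attachment: {name!r}")
    return findings

def build_sample():
    """Constructed sample message for demonstration; not a real capture."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Daily Email Reminder"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="Report.doc.exe")
    return m.as_bytes()
```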
NOD32 Antivirus System, V1.428 (20030605) detects all Win32/Bugbear.B versions. NOD32 V2, using its advanced heuristics, did not need any update to detect the worm.
To clean infected computer, the following steps need to be carried out:
- Click the Control Center icon located on the system taskbar
- Restart computer to the Safe mode
- Click "Update now" button (to make sure the latest version of NOD32 database is installed)
- Go to Start > Programs > Eset > NOD32
- In the "Targets" tab, select all available hard disks by double-clicking the appropriate icon
- Click the "Clean" button
- When an infected file is found and an action is offered, click "Clean"
- Restart the system
Under Windows ME or XP operating systems it can happen that the infected files are restoring themselves. This problem can occur with various viruses and it is described here.