Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:W32/Bugbear.K


Discovered:
Aliases:


April 12, 2006
Backdoor:W32/Bugbear.K
Email-Worm.Win32.Tanatos.k
Email-Worm:W32/Bugbear.K

Malware
BackdoorNet-Worm
W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:


Note

After disinfection it is recommended to change all log-in credentials, as they could have been compromised by the password stealer component of the worm. It is also recommended to check infected systems and networks for possible hacker intrusion that could have been performed through the backdoor component of the worm.

More details about the removing procedure you can find in our support center: http://www.f-secure.com/support/technical/av5/support-issue-2002100200.htm



Technical Details

Backdoor:W32/Bugbear.K (also known as Tanatos) is an e-mail and network worm that also has a backdoor component. This particular variant is very similar to the original Tanatos worm that was found in 2002.


Propagation

This Tanatos worm variant spreads in e-mail messages with the following characteristics:

Subjects:

  • !!! WARNING !!!
  • ;)
  • [Fwd: look] ;-)
  • Announcement
  • bad news
  • empty account
  • fantastic
  • Friendly
  • Fwd:
  • good news!
  • Greetings!
  • Greets!
  • Hello!
  • Hi!
  • history screen
  • hmm.."
  • I cannot forget you!
  • I love you!
  • I need photo!!!
  • Interesting...
  • Introduction
  • Is that your password?
  • Just a reminder
  • look
  • Lost & Found
  • Love
  • Me nude
  • New Contests
  • new reading
  • News
  • Old photos
  • Payment notices
  • photo
  • photos
  • Please Help...
  • Re:
  • Report
  • Sex pictures
  • sexy
  • Stats
  • Today Only
  • update
  • various
  • Warning!
  • wow!
  • You are fat!
  • Your Gift

Body text:

  • Pease open an attachment to see the message.
  • Please see Attachment
  • please,read the attach file.
  • see attachment
  • See the attached file
  • See the attached file for more info
  • Take a look to the attachment

Attachment names:

  • a000032.jpg [lots of spaces] .scr
  • girls.jpg [lots of spaces] .scr
  • image.jpg [lots of spaces] .scr
  • love.jpg [lots of spaces] .scr
  • message.txt [lots of spaces] .scr
  • music.mp3 [lots of spaces] .scr
  • myphoto.jpg [lots of spaces] .scr
  • news.doc [lots of spaces] .scr
  • photo.jpg [lots of spaces] .scr
  • pic.jpg [lots of spaces] .scr
  • readme.txt [lots of spaces] .scr
  • song.wav [lots of spaces] .scr
  • video.avi [lots of spaces] .scr
  • you.jpg [lots of spaces] .scr






Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free