F-Secure
Tools
Backdoor:W32/Bugbear.K
Summary
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.Disinfection
To remove the Bugbear worm from a system, it's enough to delete all its files from a hard drive and to restart a computer.
If the worm is in a network environment, the network should be temporarily taken down and all systems have to be disinfected separately. Otherwise the worm will try to re-infect already cleaned systems.
Disinfection Tool
F-Secure provides the special tool to disinfect Bugbear worm. The tool and disinfection instructions are available on our ftp site:
Note
If the worm is in a network environment, the network should be temporarily taken down and all systems have to be disinfected separately. Otherwise the worm will try to re-infect already cleaned systems.
Disinfection Tool
F-Secure provides the special tool to disinfect Bugbear worm. The tool and disinfection instructions are available on our ftp site:
- ftp://ftp.f-secure.com/anti-virus/tools/f-bugbr.zip
Note
After disinfection it is recommended to change all log-in credentials, as they could have been compromised by the password stealer component of the worm. It is also recommended to check infected systems and networks for possible hacker intrusion that could have been performed through the backdoor component of the worm.
More details about the removing procedure you can find in our support center: http://www.f-secure.com/support/technical/av5/support-issue-2002100200.htm
Additional Details
Backdoor:W32/Bugbear.K is an e-mail and network worm that also has a backdoor component. This particular variant is very similar to the original Tanatos worm that was found in 2002.
Bugbear is also known as Tanatos.
Propagation
This Tanatos worm variant spreads in e-mail messages with the following characteristics:
Subjects:
Body text:
Attachment names:
Detection
F-Secure Anti-Virus detects Bugbear/Tanatos worm with the following update:
[FSAV_Database_Version]
Version=2006-01-24_03
Bugbear is also known as Tanatos.
Propagation
This Tanatos worm variant spreads in e-mail messages with the following characteristics:
Subjects:
- !!! WARNING !!!
- ;)
- [Fwd: look] ;-)
- Announcement
- bad news
- empty account
- fantastic
- Friendly
- Fwd:
- good news!
- Greetings!
- Greets!
- Hello!
- Hi!
- history screen
- hmm.."
- I cannot forget you!
- I love you!
- I need photo!!!
- Interesting...
- Introduction
- Is that your password?
- Just a reminder
- look
- Lost & Found
- Love
- Me nude
- New Contests
- new reading
- News
- Old photos
- Payment notices
- photo
- photos
- Please Help...
- Re:
- Report
- Sex pictures
- sexy
- Stats
- Today Only
- update
- various
- Warning!
- wow!
- You are fat!
- Your Gift
Body text:
- Pease open an attachment to see the message.
- Please see Attachment
- please,read the attach file.
- see attachment
- See the attached file
- See the attached file for more info
- Take a look to the attachment
Attachment names:
- a000032.jpg [lots of spaces] .scr
- girls.jpg [lots of spaces] .scr
- image.jpg [lots of spaces] .scr
- love.jpg [lots of spaces] .scr
- message.txt [lots of spaces] .scr
- music.mp3 [lots of spaces] .scr
- myphoto.jpg [lots of spaces] .scr
- news.doc [lots of spaces] .scr
- photo.jpg [lots of spaces] .scr
- pic.jpg [lots of spaces] .scr
- readme.txt [lots of spaces] .scr
- song.wav [lots of spaces] .scr
- video.avi [lots of spaces] .scr
- you.jpg [lots of spaces] .scr
Detection
F-Secure Anti-Virus detects Bugbear/Tanatos worm with the following update:
[FSAV_Database_Version]
Version=2006-01-24_03