Threat Description

Backdoor:​W32/Bugbear.K

Details

Aliases: Backdoor:​W32/Bugbear.K, Email-Worm.Win32.Tanatos.k, Email-Worm:​W32/Bugbear.K
Category: Malware
Type: BackdoorNet-Worm
Platform: W32

Summary



A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Note

After disinfection it is recommended to change all log-in credentials, as they could have been compromised by the password stealer component of the worm. It is also recommended to check infected systems and networks for possible hacker intrusion that could have been performed through the backdoor component of the worm.

More details about the removing procedure you can find in our support center: http://www.f-secure.com/support/technical/av5/support-issue-2002100200.htm



Technical Details



Backdoor:W32/Bugbear.K (also known as Tanatos) is an e-mail and network worm that also has a backdoor component. This particular variant is very similar to the original Tanatos worm that was found in 2002.

Propagation

This Tanatos worm variant spreads in e-mail messages with the following characteristics:

Subjects:

  • !!! WARNING !!!
  • ;)
  • [Fwd: look] ;-)
  • Announcement
  • bad news
  • empty account
  • fantastic
  • Friendly
  • Fwd:
  • good news!
  • Greetings!
  • Greets!
  • Hello!
  • Hi!
  • history screen
  • hmm.."
  • I cannot forget you!
  • I love you!
  • I need photo!!!
  • Interesting...
  • Introduction
  • Is that your password?
  • Just a reminder
  • look
  • Lost & Found
  • Love
  • Me nude
  • New Contests
  • new reading
  • News
  • Old photos
  • Payment notices
  • photo
  • photos
  • Please Help...
  • Re:
  • Report
  • Sex pictures
  • sexy
  • Stats
  • Today Only
  • update
  • various
  • Warning!
  • wow!
  • You are fat!
  • Your Gift

Body text:

  • Pease open an attachment to see the message.
  • Please see Attachment
  • please,read the attach file.
  • see attachment
  • See the attached file
  • See the attached file for more info
  • Take a look to the attachment

Attachment names:

  • a000032.jpg [lots of spaces] .scr
  • girls.jpg [lots of spaces] .scr
  • image.jpg [lots of spaces] .scr
  • love.jpg [lots of spaces] .scr
  • message.txt [lots of spaces] .scr
  • music.mp3 [lots of spaces] .scr
  • myphoto.jpg [lots of spaces] .scr
  • news.doc [lots of spaces] .scr
  • photo.jpg [lots of spaces] .scr
  • pic.jpg [lots of spaces] .scr
  • readme.txt [lots of spaces] .scr
  • song.wav [lots of spaces] .scr
  • video.avi [lots of spaces] .scr
  • you.jpg [lots of spaces] .scr





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More