F-Secure Virus Descriptions : Bugbear.L

NAME:Bugbear.L
ALIAS:I-Worm.Tanatos.k, W32/Bugbear.L@mm, W32/Bugbear.L

Summary

The Bugbear.L (also known as Tanatos.k) worm appeared on September 1st, 2004. The worm spreads itself as an attachment in e-mail messages.

The worm has a backdoor and terminates security software. The backdoor can be instructed to drop a TCP proxy application.

Detailed Description

The worm's body is a Windows PE executable file compressed with the UPX executable compressor. The unpacked body is around 128 KiB and was written in Microsoft Visual C++.

System Infection

When the worm's file is run, it copies itself to the Windows System Folder under a random name and creates a startup key for this file in the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "<randomname>" = "%SystemDir%\<randomname>.exe"

Bugbear.L keeps the collected email addresses and other data in scrambled files with random names in the System Folder.

%SystemDir% represents the Windows System folder name, for example C:\Windows\System32 on Windows XP systems.

Email Propagation

To gather email addresses Bugbear.L searches through files that have the following strings in their name:

 .SHT
 .TXT
 .ASP
 .HTM
 .ODS
 INBOX
 .MMF
 .NCH
 .MBX
 .EML
 .TBB
 .DBX

Using its own SMTP engine Bugbear.L sends emails to the collected addresses. The sender address is spoofed and the message content is assembled at random from the following components:

Email subjects:

 Greets!
 !!! WARNING !!!
 Hi!
 sexy
 good news!
 Re:
 Your Gift
 Sex pictures
 I cannot forget you!
 Fwd:
 News
 You are fat!
 Love
 Warning!
 photo
 Friendly
 new reading
 ;)
 I love you!
 Is that your password?
 photos
 empty account
 Old photos
 Me nude
 fantastic
 wow!
 bad news
 Lost n Found
 New Contests
 Today Only
 [Fwd: look] ;-)
 Greetings!
 Report
 Please Help...
 Stats
 I need photo!!!
 Interesting...
 Introduction
 various
 Announcement
 history screen
 look
 Just a reminder
 Payment notices
 hmm..
 update
 Hello!

Email bodies:

 Take a look to the attachment
 See the attached file for more info
 Please see Attachment
 Pease open an attachment to see the message.
 see attachment
 See the attached file
 please,read the attach file.

Attachment file names which come in ZIP files:

 readme.txt[lots-of-spaces].scr
 love.jpg[lots-of-spaces].scr
 you.jpg[lots-of-spaces].scr
 myphoto.jpg[lots-of-spaces].scr
 news.doc[lots-of-spaces].scr
 image.jpg[lots-of-spaces].scr
 message.txt[lots-of-spaces].scr
 pic.jpg[lots-of-spaces].scr
 girls.jpg[lots-of-spaces].scr
 photo.jpg[lots-of-spaces].scr
 video.avi[lots-of-spaces].scr
 music.mp3[lots-of-spaces].scr
 song.wav[lots-of-spaces].scr
 a000032.jpg[lots-of-spaces].scr

Domain names contained in the worm's body:

 aol.com
 bellsouth.net
 bigpond.com
 bluewin.ch
 btinternet.com
 btopenworld.com
 earthlink.net
 freesurf.ch
 usa.com
 microsoft.com
 hotmail.com
 ntlworld.com
 excite.com
 worldnet.att.net
 msn.com
 yahoo.com
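The attachment names above hide the real extension behind a decoy one and a long run of spaces, so a mail client that truncates the name shows "readme.txt" while Windows executes the file as a .scr. The following is an added example (not code from the original description or from F-Secure) of a mail-gateway check that opens a ZIP attachment and flags entries using that trick. It goes a little beyond the page: it also catches plain double extensions such as "photo.jpg.exe" and bare executables. The sample archive is constructed inline; the extension sets are the author's assumptions, not lists taken from the worm.

```python
import io
import re
import zipfile
from typing import Dict, Optional

# Extensions Windows executes when the user "opens" the attachment (assumed policy list).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Document/media extensions the worm borrows as decoys (taken from the attachment list above).
DECOY_EXTS = {".txt", ".jpg", ".doc", ".avi", ".mp3", ".wav"}

# "<stem><decoy ext><optional spaces/tabs><real ext>", e.g. "readme.txt        .scr"
_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)(?P<decoy>\.[A-Za-z0-9]{1,4})(?P<pad>[ \t]*)(?P<exec>\.[A-Za-z0-9]{1,4})$"
)


def classify_name(name: str) -> Optional[str]:
    """Return why `name` looks like a disguised executable, or None if it does not."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # archive entries may carry a path
    m = _DOUBLE_EXT.match(base)
    if m and m.group("exec").lower() in EXECUTABLE_EXTS:
        if m.group("pad"):
            return "whitespace-padded double extension"
        if m.group("decoy").lower() in DECOY_EXTS:
            return "double extension"
        return "executable attachment"
    # Single-extension executables such as "setup.exe".
    dot = base.rfind(".")
    if dot != -1 and base[dot:].lower() in EXECUTABLE_EXTS:
        return "executable attachment"
    return None


def scan_zip(zip_bytes: bytes) -> Dict[str, str]:
    """Map each suspicious entry name inside a ZIP attachment to the reason it was flagged."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one Bugbear-style padded name next to a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt" + " " * 40 + ".scr", b"MZ constructed, not a real binary")
        zf.writestr("notes.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(f"{why}: {entry!r}")
```

The check is deliberately name-based: it runs before any content scanning and costs nothing, and the padded form in particular has no legitimate use in an attachment name. A real gateway would combine it with the content check, since an executable renamed to ".txt" passes this filter.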

The worm avoids spreading to e-mail addresses that contain any of the following:

 remove
 spam
 undisclosed
 recipients
 noreply
 lyris
 virus
 trojan
 mailer-daemon
 postmaster@
 root@
 nobody@
 localhost
 localdomain
 list
 talk
 ticket
 majordom

Backdoor

Bugbear.L starts a thread that listens on TCP port 1080, to which a remote attacker can connect in order to control the compromised computer. The backdoor component is very similar to the one found in Bugbear.B. For more information see the Bugbear.B description:

http://www.f-secure.com/v-descs/bugbear_b.shtml

Through the backdoor the worm can be instructed to drop a TCP proxy program that allows the attacker to initiate connections through the compromised computer. This component listens on port 5010/TCP.

The proxy is copied to the Windows System Folder as kernel32s.exe and added to the registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Kernel32" = "%SystemDir%\kernel32s.exe"
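The two autostart entries (the random-name copy in the System Infection section and the kernel32s.exe proxy above) and the two listening ports give an incident responder enough to triage a host. The following is an added example, not a tool from F-Secure or the original page, that applies those indicators to a Run-key dump and a `netstat -ano` listing. Both inputs are constructed samples embedded inline; on a live host you would feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `netstat -ano`. The "value name equals executable name" rule is a heuristic derived from the registry key shown in the description, not a signature, so its hits need manual review.

```python
from typing import Dict, List, Tuple

# Windows system folders where the worm drops its files (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\winnt\system32"}
# Listening ports named in the description: backdoor and TCP proxy component.
BUGBEAR_PORTS = {1080: "backdoor listener", 5010: "TCP proxy (kernel32s.exe)"}

# Constructed sample of HKCU\...\Run values as (value name, data). Not a real host dump.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),      # legitimate XP entry, must not fire
    ("qzvkrtm", r"C:\WINDOWS\system32\qzvkrtm.exe"),        # worm-style random name (made up)
    ("Kernel32", r"C:\WINDOWS\system32\kernel32s.exe"),     # proxy component from the description
    ("Updater", r"C:\Program Files\Vendor\updater.exe"),    # outside the system folder, ignored
]

# Constructed lines in `netstat -ano` format; PIDs are arbitrary.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:5010           0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.5:1081          10.0.0.9:80            ESTABLISHED     1532
"""


def check_run_values(values: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag Run entries that match the persistence pattern in the description."""
    findings = []
    for name, data in values:
        path = data.strip('"').lower()
        folder, _, filename = path.rpartition("\\")
        if folder not in SYSTEM_DIRS:
            continue
        stem, _, ext = filename.rpartition(".")
        if name.lower() == "kernel32" and filename == "kernel32s.exe":
            findings.append((name, data, "Bugbear.L TCP proxy autostart"))
        elif ext == "exe" and stem == name.lower():
            # "<randomname>" = "%SystemDir%\<randomname>.exe"
            findings.append((name, data, "value name equals executable name in the system folder"))
    return findings


def check_listeners(netstat_output: str) -> Dict[int, str]:
    """Return {port: description} for Bugbear.L ports found in LISTENING state."""
    hits: Dict[int, str] = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])  # also handles "[::]:1080"
        if port in BUGBEAR_PORTS:
            hits[port] = BUGBEAR_PORTS[port]
    return hits


if __name__ == "__main__":
    for name, data, why in check_run_values(SAMPLE_RUN_VALUES):
        print(f"Run value {name!r} -> {data}: {why}")
    for port, why in sorted(check_listeners(SAMPLE_NETSTAT).items()):
        print(f"port {port}/tcp listening: {why}")
```

A port listening on 1080 is also what a legitimate SOCKS proxy uses, so the port hit alone is weak evidence; the combination with a Run value in the system folder is what makes the triage result worth acting on.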

Termination of Security Software

Bugbear.L periodically enumerates all running processes and terminates any whose image name is on this list:

 _AVP32.EXE
 _AVPCC.EXE
 _AVPM.EXE
 ACKWIN32.EXE
 ANTI-TROJAN.EXE
 APVXDWIN.EXE
 AUTODOWN.EXE
 AVCONSOL.EXE
 AVE32.EXE
 AVGCTRL.EXE
 AVKSERV.EXE
 AVNT.EXE
 AVP.EXE
 AVP32.EXE
 AVPCC.EXE
 AVPDOS32.EXE
 AVPM.EXE
 AVPTC32.EXE
 AVPUPD.EXE
 AVSCHED32.EXE
 AVWIN95.EXE
 AVWUPD32.EXE
 BLACKD.EXE
 BLACKICE.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 CFINET32.EXE
 CLAW95.EXE
 CLAW95CF.EXE
 CLEANER.EXE
 CLEANER3.EXE
 DVP95.EXE
 DVP95_0.EXE
 ECENGINE.EXE
 ESAFE.EXE
 ESPWATCH.EXE
 F-AGNT95.EXE
 F-PROT.EXE
 F-PROT95.EXE
 F-STOPW.EXE
 FINDVIRU.EXE
 FP-WIN.EXE
 FPROT.EXE
 FRW.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 IBMASN.EXE
 IBMAVSP.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFACE.EXE
 IOMON98.EXE
 JEDI.EXE
 LOCKDOWN2000.EXE
 LOOKOUT.EXE
 LUALL.EXE
 MOOLIVE.EXE
 MPFTRAY.EXE
 N32SCANW.EXE
 NAVAPW32.EXE
 NAVLU32.EXE
 NAVNT.EXE
 NAVW32.EXE
 NAVWNT.EXE
 NISUM.EXE
 NMAIN.EXE
 NORMIST.EXE
 NUPGRADE.EXE
 NVC95.EXE
 OUTPOST.EXE
 PADMIN.EXE
 PAVCL.EXE
 PAVSCHED.EXE
 PAVW.EXE
 PCCWIN98.EXE
 PCFWALLICON.EXE
 PERSFW.EXE
 RAV7.EXE
 RAV7WIN.EXE
 RESCUE.EXE
 SAFEWEB.EXE
 SCAN32.EXE
 SCAN95.EXE
 SCANPM.EXE
 SCRSCAN.EXE
 SERV95.EXE
 SMC.EXE
 SPHINX.EXE
 SWEEP95.EXE
 TBSCAN.EXE
 TCA.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 VET95.EXE
 VETTRAY.EXE
 VSCAN40.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSSTAT.EXE
 WEBSCANX.EXE
 WFINDV32.EXE
 ZONEALARM.EXE

Detection

Detection for Bugbear.L worm was published on September 1st, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2004-09-01_02

Technical Details: Gergely Erdelyi, September 1st, 2004;

F-Secure Corporation