F-Secure Virus Descriptions : Bugbear.E
NAME: Bugbear.E
ALIAS: I-Worm.Tanatos.e, W32/Bugbear.E@mm, W32/Bugbear.A
SIZE: 52743
The Bugbear.E worm (also known as Tanatos.E) appeared on April
6th, 2004. The worm spreads as an attachment to e-mail messages.
It also drops a keylogging component onto the infected system and
steals personal information.
The worm's file is a PE executable 52743 bytes long, packed with
the UPX file compressor. The keylogging DLL that the worm uses is
the same one that the Bugbear.A worm used.
Installation to system
When the worm's file is run, it copies itself to the Windows
System folder under a randomly generated name with an EXE
extension. The worm then drops a keylogging DLL with a random
name into the same folder. Additionally, the worm creates 2 more
DLL files with random names in the Windows System folder and
2 DAT files with random names in the Windows folder. These files
hold the stolen data in encrypted form.
The worm creates a startup key for its file in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
where %WinSysDir% represents the Windows System folder and
<random> represents a string of random characters.
Spreading in e-mails
Before spreading, the worm searches for e-mail addresses on an
infected computer's hard disk. Files with the following
extensions are scanned:
.NCH
.MBX
.EML
.TBB
.DBX
.ODS
Also the worm scans the file named INBOX (Netscape Navigator's
default incoming mailbox file name).
The worm sends messages with the following subject lines:
Greets!
!!! WARNING !!!
Hi!
Your News Alert
good news!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
[Fwd: look] ;-)
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
The worm's attachment name is "borrowed" from files with .INI and .RDP extensions
found on the infected hard drive, or is selected from the following variants:
readme
Setup
Card
Docs
news
image
images
pics
resume
photo
video
music
song
data
The infected attachment can have the following extensions:
.scr
.pif
.exe
The worm can also arrive in an e-mail message that has a small
script. The script uses an exploit to silently run the worm's
attachment named IEXPLORE.EXE.
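A mail-gateway triage rule built from the subject lines, attachment names and extensions listed above, added here as an example (not F-Secure's code). Because exact subjects such as "Re:" or "News" are far too common to act on alone, the rule only escalates when an executable attachment is also present; the verdict labels and the classify_message function are assumptions of this example.

```python
# Subject lines, attachment name stems and extensions as listed in the description.
BUGBEAR_E_SUBJECTS = {
    "Greets!", "!!! WARNING !!!", "Hi!", "Your News Alert", "good news!", "Re:",
    "Your Gift", "New bonus in your cash account", "Tools For Your Online Business",
    "Daily Email Reminder", "News", "free shipping!", "its easy", "Warning!",
    "SCAM alert!!!", "Sponsors needed", "new reading", "CALL FOR INFORMATION!",
    "25 merchants and rising", "Cows", "My eBay ads", "empty account",
    "Market Update Report", "click on this!", "fantastic", "wow!", "bad news",
    "Lost & Found", "New Contests", "Today Only", "[Fwd: look] ;-)",
    "Membership Confirmation", "Report", "Please Help...", "Stats",
    "I need help about script!!!", "Interesting...", "Introduction", "various",
    "Announcement", "history screen", "Correction of errors", "Just a reminder",
    "Payment notices", "hmm..", "update", "Hello!",
}
ATTACHMENT_STEMS = {"readme", "setup", "card", "docs", "news", "image", "images",
                    "pics", "resume", "photo", "video", "music", "song", "data"}
EXECUTABLE_EXTS = {"scr", "pif", "exe"}

def classify_message(subject, attachment):
    """Return (verdict, reasons) for one message; verdict is block, suspicious or clean.

    Attachment names borrowed from .INI/.RDP files cannot be enumerated, so those
    cases are only caught by the executable-extension plus known-subject combination.
    """
    reasons = []
    subject_hit = subject.strip() in BUGBEAR_E_SUBJECTS
    stem, dot, ext = (attachment or "").rpartition(".")
    executable = bool(dot) and ext.lower() in EXECUTABLE_EXTS
    if not executable:
        return ("clean", reasons)
    # The script-exploit variant carries the worm as an attachment named IEXPLORE.EXE.
    if attachment.upper() == "IEXPLORE.EXE":
        reasons.append("attachment IEXPLORE.EXE (script-exploit variant)")
    if stem.lower() in ATTACHMENT_STEMS:
        reasons.append("known attachment name " + attachment)
    if reasons:
        return ("block", reasons)
    if subject_hit:
        reasons.append("known subject with executable attachment")
        return ("suspicious", reasons)
    return ("clean", reasons)
```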
The worm avoids spreading to e-mail addresses that contain any of
the following:
remove
spam
undisclosed
recipients
noreply
lyris
virus
trojan
mailer-daemon
postmaster@
root@
nobody@
localhost
localdomain
list
talk
ticket
majordom
=?
free
spam
porn
worm
virus
trojan
remove
subscribe
ndeliverable
returned mail
warning: could not
postmaster notify
spam
porn
worm
virus
trojan
begin pgp
unsolicited
The worm fakes the sender's e-mail address. The fake address is
either taken from the list of collected addresses or composed
from text strings hard-coded in the worm's body. That hard-coded
list is long (mostly common English words and first names) and is
not reproduced in full here.
Stealing personal information
The worm can steal personal information. It scans the hard drives
for cookie files, copies text from application windows, records
keystrokes with the help of an external DLL file and saves
clipboard data. This information is then sent to the author of
the worm. The worm's body contains an encrypted list of 8 e-mail
addresses and 8 e-mail servers; the worm randomly selects one
address and sends the stolen information there by e-mail.
Payload
The worm periodically kills processes of anti-virus and security
software. Processes with the following names are killed:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE
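A detection over process-termination events for the payload described above, added here as an example (not F-Secure's code): one process ending several security products from this list within a short window is a much stronger signal than any single termination. The event text format (including a recorded terminating process), the sample events and the subset of process names embedded are constructed assumptions; extend SECURITY_PROCESSES with the rest of the list above.

```python
import re
from datetime import datetime, timedelta

# Subset of the process names this description says Bugbear.E terminates.
SECURITY_PROCESSES = {
    "AVP32.EXE", "AVPCC.EXE", "AVPM.EXE", "AVGCTRL.EXE", "BLACKICE.EXE",
    "F-AGNT95.EXE", "F-PROT95.EXE", "F-STOPW.EXE", "NAVAPW32.EXE", "NAVW32.EXE",
    "OUTPOST.EXE", "PERSFW.EXE", "SCAN32.EXE", "VSHWIN32.EXE", "ZONEALARM.EXE",
}

# Constructed sample events (not real telemetry): time, terminating process, victim image.
SAMPLE_EVENTS = r"""
2004-04-06T10:00:01 killer=qzpdxk.exe image=C:\PROGRA~1\F-SECURE\F-AGNT95.EXE
2004-04-06T10:00:01 killer=qzpdxk.exe image=C:\PROGRA~1\F-SECURE\F-STOPW.EXE
2004-04-06T10:00:02 killer=qzpdxk.exe image=C:\PROGRA~1\ZONELABS\ZONEALARM.EXE
2004-04-06T10:00:02 killer=explorer.exe image=C:\WINDOWS\NOTEPAD.EXE
2004-04-06T10:05:00 killer=explorer.exe image=C:\PROGRA~1\NAV\NAVW32.EXE
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) killer=(?P<killer>\S+) image=(?P<image>.+)$")

def parse_events(text):
    """Yield (timestamp, killer, victim basename upper-cased) for each well-formed line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            victim = m.group("image").rsplit("\\", 1)[-1].upper()
            yield (datetime.fromisoformat(m.group("ts")), m.group("killer").lower(), victim)

def security_kill_alerts(text, min_victims=2, window=timedelta(seconds=30)):
    """Return {killer: sorted victims} for every process that ends at least
    min_victims distinct security processes inside one time window."""
    by_killer = {}
    for ts, killer, victim in parse_events(text):
        if victim in SECURITY_PROCESSES:
            by_killer.setdefault(killer, []).append((ts, victim))
    alerts = {}
    for killer, events in by_killer.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            victims = {v for t, v in events[i:] if t - start <= window}
            if len(victims) >= min_victims:
                alerts[killer] = sorted(set(alerts.get(killer, ())) | victims)
    return alerts
```

A single termination (explorer.exe ending NAVW32.EXE in the sample) stays below the threshold, which keeps ordinary user-driven shutdowns of security tools out of the alert.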
Detection for Bugbear.E worm was published on April 6th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-04-06_03
Technical Details:
Katrin Tocheva and Alexey Podrezov, April 6th, 2004;
F-Secure Corporation