F-Secure is downgrading the Bugbear/Tanatos e-mail worm from
Level 1 to Level 2 as it is not spreading as fast as before.
UPDATE (2002-10-02 13:30 GMT)
F-Secure is upgrading the Bugbear/Tanatos e-mail worm to Level 1
as it continues to spread rapidly. Currently it is the most
widespread virus in the world together with Klez.
For more information, see the Global Bugbear worm Information Center:
For removal instructions, see the bottom of the page.
TECHNICAL DETAILS
Bugbear is a mass-mailing and network worm with keylogging and
backdoor capabilities. It appeared in the wild on 30 September
2002. The worm's file is a PE EXE (portable executable), 50688
bytes long, compressed with the UPX file compressor.
Infecting a System
When run, the worm copies itself to the Windows System directory
under a random name (JFMV.EXE, for example) and adds a startup key
for this file to the Registry:
It also drops a keylogging component as a DLL file with a
randomly generated name (ZLQPUPP.DLL, for example) into the
Windows System folder. The worm also creates two more DLL files in
which it stores some encrypted data, and two randomly named DAT
files in the root Windows folder.
E-mail Spreading
Bugbear spreads in e-mail messages as an attachment with a
randomly generated name and one or more extensions. The subjects
and bodies of infected e-mails also vary. The mass-mailing routine
is quite complex.
The worm can fake information in e-mail headers, so the sender's
address is sometimes replaced with another address that the worm
has found on the infected system.
The worm's messages can contain an IFrame exploit that lets it
run automatically on some computers when an infected e-mail is
viewed (for example, with Outlook and IE 5.0 or 5.01). This
vulnerability has been fixed and a patch for it is available on
Microsoft's site:
The Bugbear worm looks for e-mail addresses in INBOX (the
Netscape incoming e-mail database) and in files with the
following extensions:
.ODS
.MMF
.NCH
.MBX
.EML
.TBB
.DBX
Sometimes the worm picks up e-mail messages from the infected
user's mail database and sends them out with its copy attached.
The worm can also place the contents of a random text file from
the infected hard drive into an infected message's body. It can
send itself in a message with one of the following subjects:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
The worm does not send itself to addresses that contain the
following strings (to avoid bounces and other unwanted events):
The second extension of an infected attachment can be one of the
following:
.scr
.pif
.exe
The worm can also 'borrow' the name for its attachment from one
of the files on an infected hard drive and then add an executable
extension to it; for example, it can send itself as an
AGREEMENT.DOC.PIF file. The name of the infected attachment can
contain one of the following strings:
readme
Setup
Card
Docs
news
image
images
pics
resume
photo
video
music
song
data
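As an added example (not F-Secure's code), a small Python triage routine that checks a message for the mass-mailing traits described above: a Subject from the worm's list and an attachment whose final extension is .scr/.pif/.exe, either stacked on another extension (AGREEMENT.DOC.PIF) or with a stem from the worm's word list. The subject subset, the thresholds and the sample message are constructed here.

```python
from email import message_from_string

# Subset of the worm's subject lines listed above (extend from the full list).
BUGBEAR_SUBJECTS = {
    "Greets!", "Hi!", "Your News Alert", "$150 FREE Bonus!", "Your Gift",
    "Daily Email Reminder", "Membership Confirmation", "Payment notices",
}
# Words the worm builds attachment names from, and the executable extensions it appends.
NAME_STRINGS = ("readme", "setup", "card", "docs", "news", "image", "pics",
                "resume", "photo", "video", "music", "song", "data")
EXEC_EXT = ("scr", "pif", "exe")

def attachment_traits(name: str) -> dict:
    """Flag a stacked executable extension (AGREEMENT.DOC.PIF) or an
    executable whose stem comes from the worm's word list (readme.exe)."""
    stem, _, ext = name.rpartition(".")
    is_exec = ext.lower() in EXEC_EXT
    return {
        "double_ext": is_exec and "." in stem,
        "known_stem": is_exec and any(w in stem.lower() for w in NAME_STRINGS),
    }

def triage(raw: str) -> dict:
    """Score a raw RFC 822 message against the traits described on this page."""
    msg = message_from_string(raw)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    traits = [attachment_traits(n) for n in names]
    hits = {
        "subject_match": (msg.get("Subject") or "").strip() in BUGBEAR_SUBJECTS,
        "double_ext": any(t["double_ext"] for t in traits),
        "known_stem": any(t["known_stem"] for t in traits),
    }
    # A stacked executable extension alone justifies quarantine; otherwise
    # require two independent traits to limit false positives (constructed rule).
    hits["quarantine"] = hits["double_ext"] or sum(hits.values()) >= 2
    return hits

# Constructed sample mimicking the worm's message shape (no real payload).
SAMPLE = """\
From: someone@example.invalid
Subject: Your Gift
Content-Type: application/octet-stream; name="AGREEMENT.DOC.PIF"
Content-Disposition: attachment; filename="AGREEMENT.DOC.PIF"

TVo=
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```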
Local Area Network Spreading
Bugbear has local network spreading capabilities. The worm
enumerates network resources and tries to locate the \Start
Menu\Programs\Startup\ folder on remote systems. If such a path is
found, the worm copies itself there under a random name. When the
remote system is restarted, the worm's file gets control and
infects that system.
Terminating Processes
The worm continuously looks for and terminates processes with the
names given below:
The worm uses separate process-killing routines on Windows 9x-
and NT-based systems. In most cases the worm effectively disables
security and anti-virus software that failed to detect it when it
entered the system.
Backdoor Component
The Bugbear worm also listens on port 36794 and, via an internal
backdoor component, can provide access to an infected system and
the network it is connected to. The backdoor component allows an
attacker to access an infected system through a web-based
interface: the worm generates HTML pages on the fly when an
attacker browses directories on an infected remote computer.
It contains several icons that it uses to indicate the type of
remote drives and files. The backdoor component also allows an
attacker to browse shared network resources that the infected
computer has access to; the worm uses icons to identify these
network resources as well.
Bugbear allows an attacker to get information about the infected
system: operating system, processor type, and fixed and network
drives.
Keylogging Component
The worm has password-stealing capabilities. It installs a
keylogging component on the system, records keystrokes and saves
them to a file. It then sends this file to a few e-mail addresses
that are stored in encrypted form in the worm's body. The SMTP
server names that the worm uses to send the files are also stored
in encrypted form in the worm's body.
Side Effect
According to reports, network printers start printing large
amounts of garbage when the worm infects a network. This might be
a side-effect of the worm's attempts to infect the network.
Disinfection Instructions
To remove the Bugbear worm from a system it is enough to delete
all its files from the hard drive and restart the computer. If the
worm is in a network environment, the network should be
temporarily taken down and all systems disinfected separately;
otherwise the worm will try to re-infect already cleaned systems.
After disinfection it is also recommended to change all logins
and passwords, as they could have been compromised by the worm's
password-stealing component. It is also recommended to check
infected systems and networks for possible hacker intrusion that
could have been performed through the worm's backdoor component.
More details about the removal procedure can be found in our
support center: