Original Issue Date: 4th October 2002
1.0 Description
1.1 Overview
W32.Bugbear is a mass-mailing Internet worm. It was discovered on 30th September 2002 (EST).
It has its own SMTP engine and attempts to spread via email and the network. It has backdoor and keylogging capabilities and
propagates by exploiting the MS01-020 MIME vulnerability in Microsoft Outlook and Microsoft Outlook Express. The worm's file
is a PE EXE (portable executable), 50688 bytes long, compressed with the UPX file compressor.
When the email is opened in an unpatched copy of these applications, the worm executes itself automatically.
Many anti-virus vendors have graded this variant as a HIGH risk.
1.2 Systems Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
1.3 Limitation
None. It does not require the email recipient to open the attachment in order for it to execute.
1.4 Aliases
W32/Bugbear-A
WORM_BUGBEAR.A
Win32.Bugbear
W32/Bugbear@MM
I-Worm.Tanatos
W32/Bugbear
Tanatos
1.5 Payload
1.5.1. Disables antivirus software and personal firewall protection.
1.5.2. The backdoor and keylogger Trojan can:
- steal passwords and credit-card details
- open a port that allows unauthorized access to the compromised machine
A keylogger is the part of a Trojan program that records all keystrokes and mouse clicks on a particular machine
to a file. The file can then be retrieved by the attacker and inspected for sensitive information.
1.5.3. Large-scale e-mailing: it sends itself to email addresses found on the infected system using its own SMTP
engine.
1.5.4. Opens TCP port 36794, which allows unauthorized access. This lets an attacker obtain information about
the infected system: operating system, processor type, fixed and network drives.
1.5.5. Network printers start printing large amounts of garbage once the worm has infected the network.
2.0 Technical Matters
When W32.Bugbear@mm is executed:
- It copies itself as
C:\%System%\***.exe
where * represents letters chosen by the worm.
## NOTE: If you have C:\Windows\System or C:\Winnt\System32 installed to a location other than C:\Windows or C:\,
make the appropriate substitution.
- It then creates
3 .dll files in the C:\%System% folder
eg: C:\%System%\abc.dll
2 .dat files in the C:\%Windir% folder
eg: C:\%Windir%\abc.dat
These files must be deleted manually.
- It adds a value to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- It then kills the following processes if they are running on the system:
* _AVP32.EXE
* _AVPCC.EXE
* _AVPM.EXE
* ACKWIN32.EXE
* ANTI-TROJAN.EXE
* APVXDWIN.EXE
* AUTODOWN.EXE
* AVCONSOL.EXE
* AVE32.EXE
* AVGCTRL.EXE
* AVKSERV.EXE
* AVNT.EXE
* AVP.EXE
* AVP32.EXE
* AVPCC.EXE
* AVPDOS32.EXE
* AVPM.EXE
* AVPTC32.EXE
* AVPUPD.EXE
* AVSCHED32.EXE
* AVWIN95.EXE
* AVWUPD32.EXE
* BLACKD.EXE
* BLACKICE.EXE
* CFIADMIN.EXE
* CFIAUDIT.EXE
* CFINET.EXE
* CFINET32.EXE
* CLAW95.EXE
* CLAW95CF.EXE
* CLEANER.EXE
* CLEANER3.EXE
* DVP95.EXE
* DVP95_0.EXE
* ECENGINE.EXE
* ESAFE.EXE
* ESPWATCH.EXE
* F-AGNT95.EXE
* FINDVIRU.EXE
* FPROT.EXE (F-Prot antivirus)
* F-PROT.EXE (F-Prot antivirus)
* F-PROT95.EXE (F-Prot antivirus)
* FP-WIN.EXE (F-Prot antivirus)
* FRW.EXE
* F-STOPW.EXE (F-Prot antivirus)
* IAMAPP.EXE
* IAMSERV.EXE
* IBMASN.EXE
* IBMAVSP.EXE
* ICLOAD95.EXE
* ICLOADNT.EXE
* ICMON.EXE
* ICSUPP95.EXE
* ICSUPPNT.EXE
* IFACE.EXE
* IOMON98.EXE
* JEDI.EXE
* LOCKDOWN2000.EXE
* LOOKOUT.EXE
* LUALL.EXE
* MOOLIVE.EXE
* MPFTRAY.EXE
* N32SCANW.EXE
* NAVAPW32.EXE (Norton antivirus)
* NAVLU32.EXE (Norton antivirus)
* NAVNT.EXE (Norton antivirus)
* NAVW32.EXE (Norton antivirus)
* NAVWNT.EXE (Norton antivirus)
* NISUM.EXE
* NMAIN.EXE
* NORMIST.EXE
* NUPGRADE.EXE
* NVC95.EXE
* OUTPOST.EXE
* PADMIN.EXE
* PAVCL.EXE
* PAVSCHED.EXE
* PAVW.EXE
* PCCWIN98.EXE
* PCFWALLICON.EXE
* PERSFW.EXE
* RAV7.EXE
* RAV7WIN.EXE
* RESCUE.EXE
* SAFEWEB.EXE
* SCAN32.EXE
* SCAN95.EXE
* SCANPM.EXE
* SCRSCAN.EXE
* SERV95.EXE
* SMC.EXE
* SPHINX.EXE
* SWEEP95.EXE (Sophos antivirus)
* TBSCAN.EXE
* TCA.EXE
* TDS2-98.EXE
* TDS2-NT.EXE
* VET95.EXE
* VETTRAY.EXE
* VSCAN40.EXE
* VSECOMR.EXE
* VSHWIN32.EXE
* VSSTAT.EXE
* WEBSCANX.EXE
* WFINDV32.EXE
* ZONEALARM.EXE
It then copies itself to the Startup folder of remote machines on the network as ***.EXE, where ***
represents letters chosen by the worm (random characters).
Eg:
C:\WINDOWS\Start Menu\Programs\Startup\***.EXE
C:\Documents and Settings\(username)\Start Menu\Programs\Startup\***.EXE
It searches for email addresses in the current inbox and in files with the following extensions:
- MMF (Microsoft Outlook Express Mailbox)
- NCH (Outlook Express Folder File)
- MBX (Mailbox Message File: Outlook v1-4, Eudora and others)
- EML (Microsoft Outlook Express Electronic Mail)
- TBB (The Bat! E-mail Hives)
- DBX (Database (multiple programs), including Outlook Express mail folders)
- OCS
It sends itself to all email addresses it finds using its own SMTP engine.
- The subject, message and attachment name appear to be taken from the infected system (random characters).
- The attachment has two extensions; the second extension is .scr, .pif or .exe.
The email message may have one of the following subjects:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
It opens TCP port 36794 on the infected machine, which allows unauthorized access to the machine.
It retrieves the current user's email address and SMTP server from the registry,
then uses its own SMTP engine to send itself to all email addresses that it finds.
3.0 Possible Steps
3.1 Prevention
3.1.1 Remove or turn off any unneeded services. If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
3.1.2 Ensure up-to-date patches are installed (apply the MS01-020 patch to prevent emails from automatically launching executable attachments), especially on computers that host public services such as HTTP, FTP, mail, and DNS services. Information and a patch for the vulnerability can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
3.1.3 Apply filters on mail servers to detect and remove the worm based on:
3.1.3.1 File attachments with .exe, .bat, .scr, .vbs
3.1.3.2 File size 50688 bytes
3.1.3.3 Virus signature by various Anti-virus vendors
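The following is an added example (not MyCERT's or any vendor's tool) of how a mail-gateway filter could apply the three criteria above, plus the MS01-020 pattern of an executable file name declared under a non-executable Content-Type; the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

WORM_SIZE = 50688                                 # 3.1.3.2: worm body size
BLOCKED_EXT = {".exe", ".bat", ".scr", ".vbs"}    # 3.1.3.1: attachment types
DOUBLE_EXT_FINAL = {".scr", ".pif", ".exe"}       # section 2: second extension
EXECUTABLE_EXT = BLOCKED_EXT | DOUBLE_EXT_FINAL

def attachment_findings(raw_message: bytes) -> list:
    """Return one finding per attachment that trips any of the rules."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        exts = ["." + p for p in name.split(".")[1:]]   # every extension
        reasons = []
        if exts and exts[-1] in BLOCKED_EXT:
            reasons.append("blocked extension " + exts[-1])
        if len(exts) >= 2 and exts[-1] in DOUBLE_EXT_FINAL:
            reasons.append("double extension ending in " + exts[-1])
        if len(data) == WORM_SIZE:
            reasons.append("payload is exactly %d bytes" % WORM_SIZE)
        # MS01-020 trick: an executable attachment labelled as a harmless
        # media type so an unpatched client renders (and runs) it on open.
        ctype = part.get_content_type()
        if exts and exts[-1] in EXECUTABLE_EXT and not ctype.startswith("application/"):
            reasons.append("executable name with Content-Type " + ctype)
        if reasons:
            findings.append({"name": name, "size": len(data), "reasons": reasons})
    return findings

def build_sample() -> bytes:
    """Constructed message shaped like the advisory's description."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re:"                          # one of the listed subjects
    msg.set_content("See attached.")
    msg.add_attachment(b"\x00" * WORM_SIZE, maintype="audio", subtype="x-wav",
                       filename="Report.txt.scr")
    msg.add_attachment("plain notes", filename="notes.txt")
    return bytes(msg)

if __name__ == "__main__":
    for f in attachment_findings(build_sample()):
        print(f["name"], f["size"], "; ".join(f["reasons"]))
```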
3.1.4 Isolate infected computers quickly to prevent further compromises and restore relevant data from trusted media.
3.1.5 Do not open attachments unless they have been scanned for viruses or malicious code.
3.1.6 Do not execute software that is downloaded from the Internet unless it has been scanned for viruses or downloaded from trusted sources.
3.1.7 Upgrade to Internet Explorer 6
3.1.8 Practise safe email habits; please refer to:
http://www.mycert.org.my/faq-safe_email_practices.htm
3.2 Detection
Most antivirus products with the latest virus definitions are able to detect the worm. To detect it, run an antivirus scan with the latest signature file on your system. Ensure the anti-virus is configured to scan ALL FILES.
3.3 Removal
There are two ways to clean up the infected machine: automatic and manual removal.
3.3.1 Automatic Removal:
Isolate the infected machine by disconnecting it from the network.
Close any shared files, folders or directories.
When sharing files, folders or directories, do not give full access (read and write); settle for read-only instead.
Download and run one of the following tools to disinfect the machine and delete the worm or Trojan:
F-secure
This tool is used to:
- stop Bugbear worm's processes in memory
- scan hard drive for infected files and delete them.
It can be downloaded at:
ftp://ftp.f-secure.com/anti-virus/tools/f-bugbr.zip
Symantec
This tool is used to:
- terminate the Bugbear worm's processes.
- delete the worm files and the Trojan that the worm drops (detected by Symantec antivirus products as PWS.Hooker.Trojan)
- delete the registry value that was added by the worm
It can be downloaded at:
http://securityresponse.symantec.com/avcenter/FxBgbear.exe
Sophos
This tool is used to:
- scan hard drive for infected files and delete them
It can be downloaded at:
http://www.sophos.com/support/bugbear.html
3.3.2 Manual Removal:
Isolate the infected machine by disconnecting it from the network.
Close any shared files, folders or directories.
When sharing files, folders or directories, do not give full access (read and write); settle for read-only instead.
- Restart the PC in Safe Mode.
To restart Windows 95/98 in Safe Mode:
- Restart the computer.
- Press F8 until the Microsoft Windows Startup Menu appears.
- Select "Safe Mode". Windows then starts in Safe Mode.
Run an anti-virus scan to detect the presence of the worm. Make sure the
anti-virus is updated with the latest virus definitions.
Edit the registry:
- Go to Start.
- Click 'Run'. The Run dialog appears.
- Type 'regedit' and then click OK.
- The Registry Editor appears.
- Edit the key:
- "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\***.exe"
- In the right pane, delete all values that refer to files detected as W32.Bugbear@mm or to any .exe file of 50688 bytes.
- Click Registry, and then click Exit.
Go to Windows Explorer.
Open the C:\Windows\System folder.
NOTE: If you have C:\Windows\System or C:\Winnt\System32 installed to a location other than C:\Windows or C:\, make the appropriate substitution.
Delete the ****.exe, *******.dll and ******.dat files
(where * represents letters chosen by the worm). Make sure to DELETE only the ****.exe file (or any .exe file of 50688 bytes) and the *******.dll file of 5632 bytes.
Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.
Disable system restore. This only applies to Windows ME and XP.
Windows XP
- Select Start/My Computer.
- Right click on the My Computer icon
- Select Properties
- Select the tab "System Restore".
- Check the "Turn off System Restore on all drives" checkbox and click "Apply" button.
- The program asks whether you want to turn off System Restore. Click the "Yes" button.
- "Drive settings" has now turned to grey. Click "OK" button.
- Windows XP System Restore feature is now disabled.
Windows ME
- Right-click on the My Computer icon and select Properties
- In the System Properties window, select the Performance tab
- Click on File System button
- In the File System Properties window select the Troubleshooting tab
- Check the Disable System Restore checkbox
- Click Apply button
- Close the windows using the Close button
- Click Yes when prompted for reboot
Restart the computer.
Re-scan the machine to make sure the machine has been cleaned completely.
If any infected files remain, delete them. Make sure you write down the file name before deleting it if you want to reinstall the file later.
Re-connect the machine to the network.
Take preventive measures by
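As an added example (not MyCERT's or any vendor's tool), the script below automates the file checks of the manual-removal steps above: it lists .exe files of 50688 bytes and .dll files of 5632 bytes under a folder, and on Windows reads the HKLM RunOnce values so they can be compared with those files; the sample folder it builds is constructed.

```python
import os
import sys
import tempfile

WORM_EXE_SIZE = 50688     # worm body, from sections 1.1 and 3.3.2
DROPPED_DLL_SIZE = 5632   # dropped .dll, from section 3.3.2
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"

def suspicious_files(folder: str) -> list:
    """Paths under folder whose extension and exact size match the advisory."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                size = os.path.getsize(path)
            except OSError:
                continue          # file vanished or unreadable; skip it
            if (ext == ".exe" and size == WORM_EXE_SIZE) or \
               (ext == ".dll" and size == DROPPED_DLL_SIZE):
                hits.append(path)
    return sorted(hits)

def runonce_values() -> dict:
    """HKLM RunOnce values (name -> command); empty on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break             # no more values under the key
            values[name] = str(data)
            index += 1
    return values

def build_sample_dir() -> str:
    """Constructed stand-in for %System%: two matching files, one benign."""
    folder = tempfile.mkdtemp()
    for name, size in (("qwe.exe", WORM_EXE_SIZE), ("asd.dll", DROPPED_DLL_SIZE),
                       ("benign.exe", 1024)):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\x00" * size)
    return folder
```

On a real host, call suspicious_files() with the %System% path and review each hit against the RunOnce values before deleting anything.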
4.0 More Information
More information on this virus can be obtained from the following sites:
4.1 Mcafee:
http://vil.mcafee.com/dispVirus.asp?virus_k=99728
4.2 Sophos:
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
4.3 Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
4.4 F-secure:
http://www.f-secure.com/v-descs/tanatos.shtml