Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Bugbear.A@mm


Threat Risk LOW LOW
Destructivity MEDIUM MEDIUM
Payload Adds a backdoor to the infected system, anti-antivirus capabilities
Detection files published 29 Sep 2002 03:00:00
Description created 30 Sep 2002 12:39:00
Description updated 27 Feb 2003 02:59:00
Malware type WORM
Alias W32/Tanat
Spreading mechanism EMAIL
Summary None



When run, the worm will install itself in the Windows system directory under a random name, and add a registry key to point to itself:HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce [filename]It will also install a randomly named backdoor component to the Windows System directory.The worm now attempts to spread via mail and network resources. It send itself to email addresses it finds from various sources on the infected system.The worm has a number of names and text strings that it may use to compose mails; in addition, it may reply to mails in the users inbox and reuse text from there.When spreading over network shares, it looks for startup directories on remote machines, and copies itself there.

Payload Details

The worm works as a backdoor in the infected system, listening on port 36794. This backdoor functionality will give an attacker access to the infected system.In addition, the worm looks for and terminates components belonging to several antivirus and firewall programs.





Last Updated: 12 Nov 2015 11:06:15