Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Drops a key logging program
Detection files published: 04 Jun 2003 03:00:00
Description created: 04 Jun 2003 03:13:00
Description updated: 13 Jun 2003 04:38:00
Malware type: WORM
Alias: (none listed)
Spreading mechanism: NETWORK
Summary: None

W32/Bugbear.B@mm

Spreading

When run, the worm copies itself to the Windows directory under a random file name. It then emails itself to addresses harvested from several sources on the local computer. The emails vary in appearance; for example, attachment names may be composed partly from file names found on the infected computer. As with many other viruses of this period, the sender address is forged.

The worm also spreads across networks by copying itself to open network shares.

In addition, it overwrites (and thus destroys) at least the following files:

%PROGRAMFILESDIR%\winzip\winzip32.exe
%PROGRAMFILESDIR%\kazaa\kazaa.exe
%PROGRAMFILESDIR%\ICQ\Icq.exe
%PROGRAMFILESDIR%\DAP\DAP.exe
%PROGRAMFILESDIR%\Winamp\winamp.exe
%PROGRAMFILESDIR%\AIM95\aim.exe
%PROGRAMFILESDIR%\Lavasoft\Ad-aware 6\Ad-ware.exe
%PROGRAMFILESDIR%\Trillian\Trillian.exe
%PROGRAMFILESDIR%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
%PROGRAMFILESDIR%\StreamCast\Morpheus\Morpheus.exe
%PROGRAMFILESDIR%\QuickTime\QuickTimePlayer.exe
%PROGRAMFILESDIR%\WS_FTP\WS_FTP95.exe
%PROGRAMFILESDIR%\MSN Messenger\msnmsgr.exe
%PROGRAMFILESDIR%\ACDSee32\ACDSee32.exe
%PROGRAMFILESDIR%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
%PROGRAMFILESDIR%\CuteFTP\cutftp32.exe
%PROGRAMFILESDIR%\Far\Far.exe
%PROGRAMFILESDIR%\Outlook Express\msimn.exe
%PROGRAMFILESDIR%\Real\RealPlayer\realplay.exe
%PROGRAMFILESDIR%\Windows Media Player\mplayer2.exe
%PROGRAMFILESDIR%\WinRAR\WinRAR.exe
%PROGRAMFILESDIR%\adobe\acrobat 5.0\reader\acrord32.exe
%PROGRAMFILESDIR%\Internet Explorer\iexplore.exe
%WINDIR%\winhelp.exe
%WINDIR%\notepad.exe
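A triage check for the overwritten files, added here as an example and not part of the original description or of any vendor tool. It assumes that the worm replaces each target with a copy of its own body (the text says the files are overwritten and that the worm copies itself elsewhere), so overwritten files become byte-identical to one another even when no known-good hash for the application is available. The target paths are the ones listed above; the Program Files and Windows directories, the sample file contents and the baseline digest are constructed for the example.

```python
"""Triage check for the application binaries W32/Bugbear.B@mm overwrites.

Added example, not code from the original description. Assumption: each
target is overwritten with the same worm body, so overwritten files share a
digest. Contents are passed in as a mapping so the check runs offline on
constructed data or on a real host via read_targets().
"""
import hashlib
import ntpath
from collections import defaultdict

# Targets named in the description, relative to the Program Files directory.
PROGRAM_FILES_TARGETS = [
    r"winzip\winzip32.exe", r"kazaa\kazaa.exe", r"ICQ\Icq.exe", r"DAP\DAP.exe",
    r"Winamp\winamp.exe", r"AIM95\aim.exe", r"Lavasoft\Ad-aware 6\Ad-ware.exe",
    r"Trillian\Trillian.exe", r"Zone Labs\ZoneAlarm\ZoneAlarm.exe",
    r"StreamCast\Morpheus\Morpheus.exe", r"QuickTime\QuickTimePlayer.exe",
    r"WS_FTP\WS_FTP95.exe", r"MSN Messenger\msnmsgr.exe", r"ACDSee32\ACDSee32.exe",
    r"Adobe\Acrobat 4.0\Reader\AcroRd32.exe", r"CuteFTP\cutftp32.exe", r"Far\Far.exe",
    r"Outlook Express\msimn.exe", r"Real\RealPlayer\realplay.exe",
    r"Windows Media Player\mplayer2.exe", r"WinRAR\WinRAR.exe",
    r"adobe\acrobat 5.0\reader\acrord32.exe", r"Internet Explorer\iexplore.exe",
]
# Targets relative to the Windows directory.
WINDIR_TARGETS = [r"winhelp.exe", r"notepad.exe"]


def resolve_targets(program_files, windir):
    """Absolute paths of every target on a host with the given directories."""
    paths = [ntpath.join(program_files, t) for t in PROGRAM_FILES_TARGETS]
    paths += [ntpath.join(windir, t) for t in WINDIR_TARGETS]
    return paths


def read_targets(paths):
    """Read the targets that exist on disk (for use on a real host)."""
    contents = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                contents[path] = fh.read()
        except OSError:
            continue  # application not installed, or file unreadable
    return contents


def suspect_overwrites(contents, baseline=None):
    """Return sorted paths whose content is suspect.

    contents: {path: bytes}; baseline: optional {path: known-good SHA-256 hex}.
    A path is suspect if its digest is shared with another, unrelated target
    (same-body cluster) or if it differs from its baseline digest.
    """
    digests = {p: hashlib.sha256(data).hexdigest() for p, data in contents.items()}
    by_digest = defaultdict(list)
    for path, digest in digests.items():
        by_digest[digest].append(path)
    suspect = set()
    for paths in by_digest.values():
        if len(paths) > 1:  # unrelated applications never share a body
            suspect.update(paths)
    for path, digest in digests.items():
        if baseline and path in baseline and baseline[path] != digest:
            suspect.add(path)
    return sorted(suspect)


# Constructed sample (not a real worm sample): three targets replaced by the
# same fake body, one target drifted from its baseline, the rest untouched.
WORM_BODY = b"MZ" + b"\x00" * 64 + b"constructed worm body, not a real sample"
SAMPLE_PATHS = resolve_targets(r"C:\Program Files", r"C:\WINDOWS")
SAMPLE_CONTENTS = {p: b"MZ" + p.encode() for p in SAMPLE_PATHS}  # distinct per file
for _p in (SAMPLE_PATHS[0], SAMPLE_PATHS[1], SAMPLE_PATHS[-1]):
    SAMPLE_CONTENTS[_p] = WORM_BODY
# Hypothetical baseline for winamp.exe that no longer matches its content.
SAMPLE_BASELINE = {SAMPLE_PATHS[4]: hashlib.sha256(b"original winamp").hexdigest()}

if __name__ == "__main__":
    for path in suspect_overwrites(SAMPLE_CONTENTS, SAMPLE_BASELINE):
        print("SUSPECT", path)
```

On a live host, pass `read_targets(resolve_targets(program_files, windir))` instead of the constructed mapping; the same-body clustering works without a baseline, and a baseline of vendor hashes catches a single overwritten file that has no cluster partner.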

Payload Details

The virus installs a key logging program in the Windows System directory under a random file name. It overwrites installed programs (see the list under Spreading). It also locates and terminates the following processes, most of them anti-virus and personal firewall products:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
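Detection logic for the process-killing behaviour described above, added here as an example and not part of the original description. Killing a security product leaves a trace before the process disappears: the killer must open the target with PROCESS_TERMINATE rights. The example assumes Sysmon Event ID 10 (ProcessAccess) telemetry, which records SourceImage, TargetImage and GrantedAccess for such handle opens, and flags any source that gains terminate rights on several watchlisted processes within a short window. The watchlist is a subset of the names listed above; the event lines, the random-named worm path `C:\WINDOWS\xdhr.exe` and the other source and target paths are constructed for the example.

```python
"""Flag one process acquiring terminate rights on many security products.

Added example, not part of the original description. Assumes Sysmon
Event ID 10 (ProcessAccess) records; GrantedAccess containing
PROCESS_TERMINATE (0x0001) means the source could kill the target.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

PROCESS_TERMINATE = 0x0001

# Subset of the process names the description says the worm terminates;
# extend with the full list above for production use.
WATCHLIST = {
    "ZONEALARM.EXE", "NAVW32.EXE", "NAVAPW32.EXE", "AVP32.EXE", "BLACKICE.EXE",
    "BLACKD.EXE", "OUTPOST.EXE", "F-PROT95.EXE", "SCAN32.EXE", "VSHWIN32.EXE",
    "PERSFW.EXE", "MPFTRAY.EXE", "FRW.EXE", "ESAFE.EXE", "TBSCAN.EXE",
}


def parse_event(raw):
    """Parse one constructed 'key=value;key=value' Event ID 10 record."""
    fields = dict(part.split("=", 1) for part in raw.split(";"))
    return {
        "time": datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        "source": fields["SourceImage"],
        "target": ntpath.basename(fields["TargetImage"]).upper(),
        "access": int(fields["GrantedAccess"], 16),
    }


def detect_mass_terminate(events, watchlist=WATCHLIST, threshold=5,
                          window=timedelta(seconds=60)):
    """Return {source_image: sorted targets} for every source that obtains
    terminate rights on >= threshold distinct watchlisted processes inside
    any sliding window of the given length."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["access"] & PROCESS_TERMINATE and ev["target"] in watchlist:
            by_source[ev["source"]].append(ev)
    hits = {}
    for source, evs in by_source.items():
        start, flagged = 0, set()
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                flagged |= targets
        if flagged:
            hits[source] = sorted(flagged)
    return hits


# Constructed sample events (not captured telemetry). All paths hypothetical.
_WORM = r"SourceImage=C:\WINDOWS\xdhr.exe"  # random-named worm copy
_UPD = r"SourceImage=C:\Program Files\Updater\updater.exe"  # slow, benign
SAMPLE_LINES = [
    # worm opens six watchlisted products with terminate rights in 2 seconds
    r"UtcTime=2003-06-04 09:00:01;" + _WORM + r";TargetImage=C:\Program Files\Zone Labs\ZoneAlarm\ZoneAlarm.exe;GrantedAccess=0x1FFFFF",
    r"UtcTime=2003-06-04 09:00:01;" + _WORM + r";TargetImage=C:\Program Files\NAV\NAVW32.EXE;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:00:02;" + _WORM + r";TargetImage=C:\Program Files\NAV\NAVAPW32.EXE;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:00:02;" + _WORM + r";TargetImage=C:\Program Files\ISS\BLACKICE.EXE;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:00:03;" + _WORM + r";TargetImage=C:\Program Files\ISS\BLACKD.EXE;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:00:03;" + _WORM + r";TargetImage=C:\Program Files\Agnitum\OUTPOST.EXE;GrantedAccess=0x1",
    # benign: Task Manager ending a single product
    r"UtcTime=2003-06-04 09:05:00;SourceImage=C:\WINDOWS\system32\taskmgr.exe;TargetImage=C:\Program Files\NAV\NAVW32.EXE;GrantedAccess=0x1",
    # benign: query-only access, no terminate bit
    r"UtcTime=2003-06-04 09:00:05;SourceImage=C:\WINDOWS\explorer.exe;TargetImage=C:\Program Files\ISS\blackice.exe;GrantedAccess=0x1000",
    # benign: five products touched, but ten minutes apart
    r"UtcTime=2003-06-04 09:10:00;" + _UPD + r";TargetImage=C:\Program Files\Zone Labs\ZoneAlarm\ZoneAlarm.exe;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:20:00;" + _UPD + r";TargetImage=C:\Program Files\NAV\NAVW32.EXE;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:30:00;" + _UPD + r";TargetImage=C:\Program Files\ISS\BLACKICE.EXE;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:40:00;" + _UPD + r";TargetImage=C:\Program Files\Agnitum\OUTPOST.EXE;GrantedAccess=0x1",
    r"UtcTime=2003-06-04 09:50:00;" + _UPD + r";TargetImage=C:\Program Files\Kerio\FRW.EXE;GrantedAccess=0x1",
]
SAMPLE_EVENTS = [parse_event(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for source, targets in detect_mass_terminate(SAMPLE_EVENTS).items():
        print(f"{source} gained terminate rights on: {', '.join(targets)}")
```

The threshold and window are tunable; the point of the window is that a human closing one product from Task Manager, or an updater touching products minutes apart, never clusters the way a worm's tight kill loop does.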

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11