corsasport.co.uk
 

Corsa Sport » Message Board » General Chat » Rapidly spreading virus - W32/BugBear.B


New Topic

New Poll
  Subscribe | Add to Favourites

You are not logged in and may not post or reply to messages. Please log in or create a new account or mail us about fixing an existing one - register@corsasport.co.uk

There are also many more features available when you are logged in such as private messages, buddy list, location services, post search and more.


Author Rapidly spreading virus - W32/BugBear.B
Trotty
Member

Registered: 22nd Feb 01
Location: Bristol
User status: Offline
5th Jun 03 at 15:07   View User's Profile U2U Member Reply With Quote

Information from www.sophos.com

If you've got AV software, update it now - if not, why not!?


W32/Bugbear-B is a network-aware virus. W32/Bugbear-B spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.

The virus attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this virus.)

If the virus activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the virus. You will find:

xxx.EXE (usually 72192 bytes) in the Startup folder
and
zzzzzzz.DLL (usually 5632 bytes) in the System folder

The EXE file is an executable copy of the virus. The DLL is a keystroke logging tool which is used by the virus when it is activated.

The virus spreads itself via email. The emails can look like normal emails or they could have no body text and one of the following subject lines:

Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Greets!

Attachments can have the same filename as another file on the victim's computer.
The attachments have double extensions with the final extension being EXE, SCR or PIF.

Please note that the virus can spoof the From and Reply To fields in the emails it sends.

Additionally, W32/Bugbear-B will infect the following files in the Windows folder:

scandskw.exe
regedit.exe
mplayer.exe
hh.exe
notepad.exe
winhelp.exe

and the following files in the Program Files folder:

Internet Explorer\iexplore.exe
adobe\acrobat 5.0\reader\acrord32.exe
WinRAR\WinRAR.exe
Windows Media Player\mplayer2.exe
Real\RealPlayer\realplay.exe
Outlook Express\msimn.exe
Far\Far.exe
CuteFTP\cutftp32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
ACDSee32\ACDSee32.exe
MSN Messenger\msnmsgr.exe
WS_FTP\WS_FTP95.exe
QuickTime\QuickTimePlayer.exe
StreamCast\Morpheus\Morpheus.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
Trillian\Trillian.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
AIM95\aim.exe
Winamp\winamp.exe
DAP\DAP.exe
ICQ\Icq.exe
kazaa\kazaa.exe
winzip\winzip32.exe

W32/Bugbear-B has a thread running in the background which attempts to terminate anti-virus and security programs with one of the following filenames:

ZONEALARM.EXE, WFINDV32.EXE, WEBSCANX.EXE, VSSTAT.EXE, VSHWIN32.EXE, VSECOMR.EXE, VSCAN40.EXE, VETTRAY.EXE, VET95.EXE, TDS2-NT.EXE, TDS2-98.EXE, TCA.EXE, TBSCAN.EXE, SWEEP95.EXE, SPHINX.EXE, SMC.EXE, SERV95.EXE, SCRSCAN.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, SAFEWEB.EXE, RESCUE.EXE, RAV7WIN.EXE, RAV7.EXE, PERSFW.EXE, PCFWALLICON.EXE, PCCWIN98.EXE, PAVW.EXE, PAVSCHED.EXE, PAVCL.EXE, PADMIN.EXE, OUTPOST.EXE, NVC95.EXE, NUPGRADE.EXE, NORMIST.EXE, NMAIN.EXE, NISUM.EXE, NAVWNT.EXE, NAVW32.EXE, NAVNT.EXE, NAVLU32.EXE, NAVAPW32.EXE, N32SCANW.EXE, MPFTRAY.EXE, MOOLIVE.EXE, LUALL.EXE, LOOKOUT.EXE, LOCKDOWN2000.EXE, JEDI.EXE, IOMON98.EXE, IFACE.EXE, ICSUPPNT.EXE, ICSUPP95.EXE, ICMON.EXE, ICLOADNT.EXE, ICLOAD95.EXE, IBMAVSP.EXE, IBMASN.EXE, IAMSERV.EXE, IAMAPP.EXE, FRW.EXE, FPROT.EXE, FP-WIN.EXE, FINDVIRU.EXE, F-STOPW.EXE, F-PROT95.EXE, F-PROT.EXE, F-AGNT95.EXE, ESPWATCH.EXE, ESAFE.EXE, ECENGINE.EXE, DVP95_0.EXE, DVP95.EXE, CLEANER3.EXE, CLEANER.EXE, CLAW95CF.EXE, CLAW95.EXE, CFINET32.EXE, CFINET.EXE, CFIAUDIT.EXE, CFIADMIN.EXE, BLACKICE.EXE, BLACKD.EXE, AVWUPD32.EXE, AVWIN95.EXE, AVSCHED32.EXE, AVPUPD.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, AVNT.EXE, AVKSERV.EXE, AVGCTRL.EXE, AVE32.EXE, AVCONSOL.EXE, AUTODOWN.EXE, APVXDWIN.EXE, ANTI-TROJAN.EXE, ACKWIN32.EXE, _AVPM.EXE, _AVPCC.EXE, _AVP32.EXE

The keylogging component of W32/Bugbear-B (the DLL) hooks the keyboard input so that it records keystrokes to memory.

W32/Bugbear-B opens port 1080 and listens for commands from a remote machine. Depending on the command issued the remote user may attempt the following on the victim's computer:

Retrieve cached passwords in an encrypted form
Download and execute a file
Find files
Delete files
Execute files
Copy files
Write to files
List processes
Terminate processes
Retrieve information such as username, type of processor, Windows version, Memory information (amount used, amount free, etc), Drive information (types of local drives available, amount of space available on these drives, etc).
The remote user may also attempt to open port 80 (HTTP) on the victim's computer, then connect to the backdoor web server (possibly an Apache 1.3.26-type web server) provided by W32/Bugbear-B and thus achieve a level of control over the infected computer.



Example of a remote user accessing an infected computer using the backdoor



Example of a remote user accessing an infected computer using the backdoor



Example of a remote user accessing an infected computer using the backdoor
Sam
Moderator
Premium Member


Registered: 24th Dec 99
Location: West Midlands
User status: Offline
5th Jun 03 at 15:09   View User's Profile U2U Member Reply With Quote

That's one way of hacking into someone's PC for free porn I suppose...
Tiger
Member

Registered: 12th Jun 01
Location: Leicestershire Drives:Astra VXR
User status: Offline
5th Jun 03 at 15:23   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Trotty
Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Greets!




Thats the title of most of the junk mail i get everyday!!!!

Good job all that stuffs deleted.
IntaCepta
Member

Registered: 25th Mar 02
Location: Mill Hill East, Greater London
User status: Offline
5th Jun 03 at 16:09   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Tiger
quote:
Originally posted by Trotty
Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Greets!




Thats the title of most of the junk mail i get everyday!!!!

Good job all that stuffs deleted.


same here!
its beyond a joke now, can't be arsed to keep del em all
Claire
Member

Registered: 19th Jan 03
Location: The Sarrrf
User status: Offline
5th Jun 03 at 16:13   View User's Profile U2U Member Reply With Quote

AV software?
Trotty
Member

Registered: 22nd Feb 01
Location: Bristol
User status: Offline
5th Jun 03 at 16:15   View User's Profile U2U Member Reply With Quote

AV = Anti Virus

Even if not, this virus can be stopped by getting the correct patch from http://windowsupdate.microsoft.com If you're not sure which patch you need, just get all the critical ones
Claire
Member

Registered: 19th Jan 03
Location: The Sarrrf
User status: Offline
5th Jun 03 at 16:16   View User's Profile U2U Member Reply With Quote

ah
willay
Moderator
Organiser: South East, National Events
Premium Member


Avatar

Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
5th Jun 03 at 16:20   View Garage View User's Profile U2U Member Reply With Quote

trotty bend over and let me see your assets.
Sam
Moderator
Premium Member


Registered: 24th Dec 99
Location: West Midlands
User status: Offline
5th Jun 03 at 16:21   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by willay
trotty bend over and let me see your assets.


Trotty
Member

Registered: 22nd Feb 01
Location: Bristol
User status: Offline
5th Jun 03 at 16:22   View User's Profile U2U Member Reply With Quote

Oooh matron!
steph69
Member

Registered: 8th Apr 03
Location: Oswestry
User status: Offline
5th Jun 03 at 16:43   View User's Profile U2U Member Reply With Quote

i work at the hospital and yesterday afternoon and this morning that virus kept coming on my comp, printer was printing out sh*t!! i.t department (dont know much) came out twice to fix it!!

 
New Topic

New Poll

Corsa Sport » Message Board » General Chat » Rapidly spreading virus - W32/BugBear.B 22 database queries in 0.0177269 seconds