---Update 10/07/2002---
W32/Bugbear@MM does not contain a bear icon, but rather a generic icon typically associated with EXE files.

A new version of the JDBGMGR.EXE hoax is circulating, which is tricking users into deleting a file that uses a bear icon. This file, JDBGMGR.EXE, is not related to the W32/Bugbear@MM virus.
---Update 10/03/2002---
The risk assessment of this threat has been raised to High due to the continuing increase in prevalence. AVERT has released a removal tool to assist users infected with this virus.
---Update 10/02/2002---
The risk assessment of this threat has been raised to Medium On Watch due to an increase in prevalence.

This worm has the ability to spoof, or forge, the 'From:' field (often set to an address found on the victim's machine). Additionally, the virus can use a fabricated From address by taking the name before the "@" sign of one address and the domain name after the "@" sign of another address (i.e., name1@domain1.com + name2@domain2.com = name1@domain2.com).
This virus is written in MSVC and packed with UPX. It affects systems running the Windows operating system. It does not affect MacOS or Linux environments. It spreads via network shares and by emailing itself. It also contains a backdoor trojan component that includes keylogging functionality.
Mass-mailing
This worm emails itself to addresses found on the local system. The virus code contains email subject strings and attachment names. However, the majority of samples received contain information not present in the virus, suggesting that the virus more often uses words and filenames found on the infected system. Possible message subject lines include the following (however, other random subject lines are also possible):
- 25 merchants and rising
- Announcement
- bad news
- CALL FOR INFORMATION!
- click on this!
- Correction of errors
- Cows
- Daily Email Reminder
- empty account
- fantastic
- free shipping!
- Get 8 FREE issues - no risk!
- Get a FREE gift!
- Greets!
- Hello!
- Hi!
- history screen
- hmm..
- I need help about script!!!
- Interesting...
- Introduction
- its easy
- Just a reminder
- Lost & Found
- Market Update Report
- Membership Confirmation
- My eBay ads
- New bonus in your cash account
- New Contests
- new reading
- News
- Payment notices
- Please Help...
- Re: $150 FREE Bonus!
- Report
- SCAM alert!!!
- Sponsors needed
- Stats
- Today Only
- Tools For Your Online Business
- update
- various
- Warning!
- wow!
- Your Gift
- Your News Alert
The message body varies and may contain fragments of files found on the victim's system. The attachment name also varies, but may contain the following strings:
- Card
- Docs
- image
- images
- music
- news
- photo
- pics
- readme
- resume
- Setup
- song
- video
It is common for the attachment name to contain a double extension (e.g. .doc.pif). Outgoing messages appear to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2). Gateway scanners will detect samples using this exploit as Exploit-MIME.gen or Exploit-MIME.gen.exe with the 4213 DATs (or higher). Many other threats, such as http://vil.nai.com/vil/content/v_99455.htm, are also detected as Exploit-MIME.gen on the gateway.
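The following scanner is an added example written for this description, not AVERT's own detection or a sample of the worm's code. It flags the mail-level indicators listed above (a subject from the list, an attachment whose base name is from the list, a double-extension executable attachment, and an executable attachment declared under a non-application MIME type as in the MS01-020 pattern). The message it runs on is constructed; the subject subset and extension list are assumptions.

```python
import email
from email import policy

# Strings quoted in the description above (a subset of the subject list, all attachment names).
SUBJECTS = {"bad news", "hello!", "hi!", "report", "update", "warning!", "your gift"}
ATTACH_WORDS = {"card", "docs", "image", "images", "music", "news", "photo",
                "pics", "readme", "resume", "setup", "song", "video"}
# Executable extensions (assumed list); .pif is the one the description shows (.doc.pif).
EXEC_EXT = {"exe", "pif", "scr", "com", "bat"}

def scan_message(raw: bytes) -> list[str]:
    """Return the Bugbear-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        findings.append(f"subject on description list: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        base, ext = pieces[0], pieces[-1]
        if ext in EXEC_EXT and len(pieces) >= 3:
            findings.append(f"double-extension executable attachment: {name}")
        if ext in EXEC_EXT and base in ATTACH_WORDS:
            findings.append(f"attachment base name on description list: {name}")
        ctype = part.get_content_type()
        # MS01-020 relies on a Content-Type that does not describe the executable it
        # carries; an executable filename under a non-application type is the tell.
        if ext in EXEC_EXT and not ctype.startswith("application/"):
            findings.append(f"Content-Type {ctype} inconsistent with {name} (MS01-020 pattern)")
    return findings

# Constructed sample, not a real capture: spliced From address, listed subject,
# double-extension attachment declared under an audio MIME type.
SAMPLE = b"""\
From: name1@domain2.com
To: user@example.invalid
Subject: bad news
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="readme.doc.pif"
Content-Disposition: attachment; filename="readme.doc.pif"

TVqQAAMAAAAEAAAA
--b1--
"""
```

Running `scan_message(SAMPLE)` yields four findings for the sample; a plain single-part message with an unlisted subject yields none.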
System changes
When run on the victim machine it copies itself to %WinDir%\%SysDir% as ****.EXE (where each * represents a random character). For example, in testing:
- Win98 : C:\WINDOWS\SYSTEM\FYFA.EXE
- 2k Pro : C:\WINNT\SYSTEM32\FVFA.EXE
The following Registry key is set in order to hook the next system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce "%random letters%" = %random filename%.EXE (Win9x)
The worm copies itself to the Startup folder on the victim machine as ***.EXE (where each * represents a random character), for example:
- Win98 : C:\WINDOWS\Start Menu\Programs\Startup\CUK.EXE
- 2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE
Trojan component
The worm opens a port on the victim machine (port 36794 TCP) and searches for various running processes, stopping them if found. The list of processes includes many popular AV and personal firewall products.

This remote access server allows an attacker to upload and download files, run executables, and terminate processes.

It drops a keylogger-related DLL on the victim machine. This DLL is detected as PWS-Hooker.dll.
Spawns Print Jobs on Network Printers
There have been reports from the field that after execution of the virus it sends print jobs to all network printers. AVERT has been able to reproduce this in its labs: the worm attempts to print its file contents to network printers.
Network share propagation
The worm attempts to copy itself to the Startup folder of remote machines on the network (as ***.EXE, as described above).