Several antivirus software vendors issue alerts Thursday for W32/Bugbear-B, a dangerous network-aware virus that can disable antivirus and security programs.
W32/Bugbear-B spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself. The virus attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment.
Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft’s software, including the ones exploited by this virus.)
If the virus activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the virus. View them at this Sophos page.
According to Panda Software’s Virus Laboratory, which recognizes the worm as Bugbear.B, this variant is even more dangerous that the original malicious code, Bugbear, which caused a widespread epidemic last September.
Bugbear.B is designed to spread rapidly via e-mail, using its own SMTP engine, and to infect a large number of system files. The e-mail message carrying the worm has a variable subject and attachment. Some of the possible characteristics are:
Subject:
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Attachments:
data
song
music
video
photo
Finally, the message body appears blank.
Bugbear.B also exploits a known vulnerability in the browser Internet Explorer, which is detected by Panda Software as Exploit/iFrame. By doing this, it will be automatically run when the message carrying the worm is viewed through the Outlook Preview Pane.
However, the biggest danger of this worm lies in its capacity to disable a large number of antivirus and security programs. In order to do this, it not only ends the processes belonging to these programs, but also deletes files that are essential to their correct functioning.
Bugbear.B is a polymorphic worm, which makes it difficult for antivirus programs to detect. Due to the potential damage this virus can cause, Panda Software advises users to be extremely careful with e-mail messages received.
Additional technical information on Bugbear.B is available from Panda Software’s Virus Encyclopedia.
According to McAfee, W32/Bugbear.b@MM is a complex worm that contains many different elements:
Mass-mailer
Network Share Propagator
Keylogger
Remote Access Trojan
Polymorphic Parasitic File Infector
Security Software Terminator
Mass-mailing
This worm emails itself to addresses found on the local system. This goes for both the TO and FROM fields. Thus the sender address is spoofed, or forged, and not a direct indication of an infected user. It extracts addresses from file names containing these strings:
.DBX
.EML
INBOX
.MBX
.MMF
.NCH
.ODS
.TBB
The default SMTP server specified in the Internet Account Manager is used to send messages:
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet Account Manager
The virus code contains email subject strings and attachment names. However, the original variant of this virus typically mailed information not present in the virus, suggesting that there is a higher probability of the virus using words and filenames contained on the infected system. Possible message subject lines include the following (however, other random subject lines are also possible):
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues – no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting…
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help…
Re: $150 FREE Bonus!
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
wow!
Your Gift
Your News Alert
The message body varies and may contain fragments of files found on the victim’s system. The attachment name also varies, but may contain certain strings.
View them and other information at this McAfee page.
According to MessageLabs, the sender address may be spoofed, and may not indicate the true address of the sender. The virus contains a number of domains that it appears to be capable of spoofing.
Emails that have been seen so far have varying subject lines, seemingly relating to information or documents plagiarized from the recipient’s infected machine. The body-text of the message is variable and appears to be taken from documents and files found on the recipient’s infected machine. The attachment is compressed in a modified UPX format. The file size is 72,192 bytes.
Attachment names are also variable, possibly based on from filenames found on the infected machine with an extension of either .scr, .pif or .exe. For example:
Crimbo.exe.scr
Lotto.mbd.pif
052003.ptx.exe
My Money Backup.mbf.scr
Captletterhead.doc.scr
Initial analysis suggests that the virus is a mass-mailer. It appears to be very polymorphic in nature and compressed using a variant of UPX, however, it seems to have the ability to repack or modify itself during each generation, presumably in an attempt to foil simple anti-virus signature fingerprinting techniques.
In some copies that have been stopped, the MS01-020 auto-open exploit has been found, which will automatically execute the attachment just by reading the email on an unpatched Windows system.
Initial analysis indicates that this virus may also be able to disarm local security software, such as anti-virus or firewall software. It may also be able to spread via network shares, as was the case with the earlier Bugbear.A strain.
Furthermore, it also may install a key-logging Trojan component that will enable an unscrupulous hacker to take control of the infected machine and download a file containing the user’s keystrokes, including information entered on websites such as passwords or credit-card details for example.
The virus includes a number of domain names that it appears to be capable of spoofing, including many major international banks, financial institutions and government authorities.
Read more at this MessageLabs page.
W32.Bugbear.B@mm is a variant of W32.Bugbear@mm and it is a mass-mailing worm, according to Symantec. It can also spread through network shares. It has keystroke-logging and backdoor capabilities.
The worm also attempts to terminate the processes of various antivirus and firewall programs. The worm is polymorphic and also infects executable files.
Technical details are at this Symantec page.
Trend Micro recognizes the worm as PE_BUGBEAR.B, a file-infecting variant of WORM_BUGBEAR.A. This variant includes all the functionalities of the previous variant with the addition of the file infection routine.
The worm uses SMTP engine to send email to addresses it gathers from the infected machine. It sends an email using a certain format. View it and other information at this Trend Micro page.
Worm Searches for Remote Computers with Weak Passwords
Sophos has also issued an alert for Bat/Mumu-A, a worm that spreads by copying its constituent parts to IPC$ and ADMIN$ shares on remote computers which have weak passwords. The worm is mainly composed of the following BAT files which it copies across to the shares:
10.BAT
HACK.BAT
IPC.BAT
MUMA.BAT
NEAR.BAT
RANDOM.BAT
REPLACE.BAT
START.BAT
The worm uses a file named hfind.exe, detected by Sophos Anti-Virus as Troj/Hacline-A, to scan potential victim IP addresses and copies this file along with IPCPASS.TXT.
IPCPASS.TXT contains a list of passwords used by Troj/Hacline-A when attempting the copy. In addition Bat/Mumu-A attempts to copy several non-malicious files along with it.
View them and other information at this Sophos page.
Compiled by Esther Shein.