This worm, created in Visual Basic, requires the following files to execute:
It sometimes arrives as a UPX-compressed executable file that displays the following message box when executed:
This worm uses the Messaging Application Programming Interface (MAPI) and the Simple Mail Transfer Protocol (SMTP) to send email messages. It uses MAPI to send copies of itself to all email addresses listed in the Outlook Address Book.
The details of the email message it sends are as follows:
Subject: Fwd: Scan your computer for this new virus threat...
This is a fix and removal for the new internet worm known as BugBear. 1 in ever 4 computers in infected with this virus. When run, it will scan your computer and notify you if you're infected or not, then clean if infected
It uses SMTP to send email messages to all email addresses listed in the EMAIL.TXT file. To send an email, it connects to the infected system's predefined SMTP server, which is taken from this registry entry:
Internet Account Manager\Accounts\
The details of the email are as follows:
Subject: AntiVirus Updates:
Message Body: A Removal to scan for the new BugBear Virus. Recommended by (followed by the SMTP display name)
Attachments: Chosen from the dropped files.
Due to some errors in its code, this worm fails to actually send email messages.
Propagation Via Kazaa
If any of the following Kazaa shared folders are present, it copies itself to each of them using different filenames:
- C:\KaZaA\My Shared Folder\
- C:\Program Files\KaZaA\My Shared Folder\
It uses any of the following filenames:
- All GamesHack.exe
- Credit Cards.exe
- ICQ Password Hack.exe
- Macromedia Flash MX.exe
- Swat 3 Full Download.exe
- Unreal Tournament 3 FullDownloader.exe
- WarCraft III Full.exe
- WIN XPCrack.exe
This worm copies itself to a Shizzle.exe file in the Windows directory. Then it adds this registry entry so that its copy executes upon system startup:
In the same folder as its copy, it creates two files, ZIPPY.EXE and EMAIL.TXT. It attempts to download a file from the Internet and saves it as ZIPPY.EXE. If the download is not successful, the file is empty.
This worm searches for the text string "mailto" in selected HTML files to obtain email addresses and then saves these to the EMAIL.TXT file.
It drops a number of files, listed below, in the directory where it is found. Some of the dropped files are exact copies of the worm and some contain the code of a non-destructive batch file. The extension of these files can be EXE, PIF, BAT, or SCR:
- Anti 0190 Dialer
- Borland Delphi 6 Key
- Borland Delphi(all) Crack
- Britney Spears Nude
- Cube Emulator
- Email Bomber
- FTP Cracker
- Hotmail Hacker Tool
- Jenifer Lopez Naked
- Ps2 Crack
- Ps2 Emulator
- Shakira Nude
- WinMx Hack
- XBox Emulator
It may also choose the filename of the dropped files from the following:
- Shakira Nude.theme
This worm attempts to cause a Denial of Service (DoS) attack on a Web site:
To execute the DoS attack, it continuously sends PING requests, each containing 10,000 bytes, to the Web site.
This worm also attempts to modify system settings to disable the Windows Desktop.
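The file names described above can be turned into a simple host sweep. The following is an added example, not part of the original description: the function names `sweep` and `demo` and the reason labels are hypothetical, the directory tree is constructed sample data, and matching is by file name only, so a hit is a lead for further analysis rather than a confirmed infection.

```python
import os
import tempfile

# Names from the description above, lower-cased for case-insensitive matching.
KAZAA_NAMES = {"all gameshack.exe", "credit cards.exe", "icq password hack.exe",
               "macromedia flash mx.exe", "swat 3 full download.exe",
               "unreal tournament 3 fulldownloader.exe", "warcraft iii full.exe",
               "win xpcrack.exe"}
LURE_STEMS = {"anti 0190 dialer", "borland delphi 6 key", "borland delphi(all) crack",
              "britney spears nude", "cube emulator", "email bomber", "ftp cracker",
              "hotmail hacker tool", "jenifer lopez naked", "ps2 crack",
              "ps2 emulator", "shakira nude", "winmx hack", "xbox emulator"}
LURE_EXTS = {".exe", ".pif", ".bat", ".scr"}
COMPANIONS = {"zippy.exe", "email.txt"}

def sweep(root):
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        for low, name in lower.items():
            path = os.path.join(folder, name)
            stem, ext = os.path.splitext(low)
            if low in KAZAA_NAMES:
                findings.append(("kazaa-lure", path))
            elif stem in LURE_STEMS and ext in LURE_EXTS:
                findings.append(("dropped-lure", path))
            elif low == "shizzle.exe":
                # ZIPPY.EXE and EMAIL.TXT beside the copy strengthen the match.
                both = COMPANIONS.issubset(lower)
                findings.append(("worm-copy+companions" if both else "worm-copy", path))
            elif low == "zippy.exe" and os.path.getsize(path) == 0:
                findings.append(("empty-zippy", path))  # failed download
    return sorted(findings)

def demo():
    """Sweep a constructed directory tree (sample data, not from a real host)."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "KaZaA", "My Shared Folder")
        win = os.path.join(root, "WINDOWS")
        os.makedirs(shared)
        os.makedirs(win)
        for d, n in [(shared, "Credit Cards.exe"), (shared, "holiday.jpg"),
                     (win, "Shizzle.exe"), (win, "ZIPPY.EXE"), (win, "EMAIL.TXT"),
                     (win, "Ps2 Crack.pif"), (win, "notepad.exe")]:
            open(os.path.join(d, n), "wb").close()
        return [(why, os.path.relpath(p, root)) for why, p in sweep(root)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```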