WORM_BUGBEAR.A

Malware type: Worm

Aliases: Email-Worm.Win32.Tanatos.a (Kaspersky), W32.Bugbear@mm (Symantec), Worm/Bugbear.1 (Avira), W32/Bugbear-A (Sophos)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm propagates via shared network folders and via email. It also terminates antivirus programs, acts as a backdoor server, and sends out system passwords and logged keystrokes, all of which compromise the security of infected machines.

As a backdoor, this worm allows remote users to connect to infected systems via port 36794 and obtain information, manipulate files, and execute programs on the infected systems.

The email messages that this worm sends out contain no messages and can have any of the following subjects:

  • $150 FREE Bonus!
  • 25 merchants and rising
  • Announcement
  • bad news
  • CALL FOR INFORMATION!
  • click on this!
  • Confirmation of Recipes
  • Correction of errors
  • Daily Email Reminder
  • empty account
  • fantastic
  • free shipping!
  • Get 8 FREE issues - no risk!
  • Get a FREE gift!
  • Greets!
  • hello!
  • history screen
  • hmm..
  • I need help about script!!!
  • Interesting...
  • Introduction
  • its easy
  • Just a reminder
  • Lost & Found
  • Market Update Report
  • Membership Confirmation
  • My eBay ads
  • New bonus in your cash account
  • New Contests
  • new reading
  • Payment notices
  • Please Help...
  • Report
  • SCAM alert!!!
  • Sponsors needed
  • Stats
  • Today Only
  • Tools For Your Online Business
  • update
  • various
  • Warning!
  • Your Gift
  • Your News Alert

This worm spoofs the FROM field and obtains the recipients for its email from email messages, address books, and mail boxes on the infected system.

The email attachment contains the encoded form of the worm, with SETUP.EXE as its default file name. There are instances, however, when this worm searches the user's personal folder (usually My Documents) and takes the first file found there. It appends the extension SCR, PIF, or EXE to the file name of the found file to obtain the attachment name. This results in attachments with double extensions.

If it does not find a file in the current user's personal folder, it combines one of the following text strings with the SCR, PIF, or EXE extension:

  • image
  • images
  • music
  • photo
  • readme
  • resume
  • Setup
  • video

On systems with unpatched Internet Explorer 5.01 or 5.5, the worm attachment is executed automatically when messages are opened or previewed in Microsoft Outlook or Outlook Express.

Due to its network propagation routine, this worm can also cause print jobs to accumulate in network printer queues.

This worm runs on Windows 95, 98, ME, 2000, and XP.

Description created: Sep. 30, 2002 10:32:08 AM GMT -0800
Description updated: Oct. 7, 2002 9:04:35 AM GMT -0800


TECHNICAL DETAILS


Size of malware: Worm: 50,664 Bytes
Keylogger component: 5,632 Bytes

Initial samples received on: Sep 30, 2002

Payload 1: Terminates antivirus processes

Payload 2: Compromises network security

Payload 3: Steals passwords and keystrokes

Details:
This multithreaded worm uses its own SMTP (Simple Mail Transfer Protocol) engine to send copies of itself. It also propagates via network-shared drives and folders.

System Installation

This worm arrives as a UPX-compressed file. Upon execution, it drops a copy of itself in the Windows system directory using a 4-character, semi-randomly generated file name.

To ensure its automatic execution every system startup, it adds the following randomly-named registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunOnce
<random string> = %System%\<random filename>.EXE

(Note: %System% is the Windows system folder, which is usually C:\Windows\System or C:\WINNT\System32.)

To further ensure that it executes at startup, this worm copies itself in the Windows Startup folder using a 3-character, randomly-generated file name. It uses the following registry entry to find the location of the Startup folder:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Shell Folders
Startup

This worm also drops three .DLL files with random file names in the Windows system folder and two .DAT files with random file names in the Windows folder.

One of the dropped .DLL files is the keylogger component. The other dropped files are encrypted data files, not executables; they hold gathered email addresses, passwords, and keystrokes.

After installing itself on the system, this worm creates several threads with the following roles:

  • Mass-mailer
  • Local network infector
  • Backdoor server
  • Antivirus and security programs killer
  • Password stealer

It usually sets up the fifth thread on its initial execution to send out cached system passwords and logged keystrokes to certain email addresses.

Mass-mailing Routine

This worm uses its own Simple Mail Transport Protocol (SMTP) engine and reads the following registry key to obtain an SMTP server:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\
Accounts

It obtains the list of email addresses from cached email messages, address books, and mail boxes found on the infected machine. It searches the whole root drive of the infected machine for files bearing the following substrings to find such repositories:

  • .ODS
  • INBOX
  • .MMF
  • .NCH
  • .MBX
  • .EML
  • .TBB
  • .DBX

This worm carries with it three similar SMTP engines to supplement its communication activities. It uses two of the engines to send forged emails containing an encoded version of the worm to selected email addresses.

The two SMTP engines send out email messages with spoofed sender information, no message body, and any of these possible subjects:

  • $150 FREE Bonus!
  • 25 merchants and rising
  • Announcement
  • bad news
  • CALL FOR INFORMATION!
  • click on this!
  • Confirmation of Recipes
  • Correction of errors
  • Daily Email Reminder
  • empty account
  • fantastic
  • free shipping!
  • Get 8 FREE issues - no risk!
  • Get a FREE gift!
  • Greets!
  • hello!
  • history screen
  • hmm..
  • I need help about script!!!
  • Interesting...
  • Introduction
  • its easy
  • Just a reminder
  • Lost & Found
  • Market Update Report
  • Membership Confirmation
  • My eBay ads
  • New bonus in your cash account
  • New Contests
  • new reading
  • Payment notices
  • Please Help...
  • Report
  • SCAM alert!!!
  • Sponsors needed
  • Stats
  • Today Only
  • Tools For Your Online Business
  • update
  • various
  • Warning!
  • Your Gift
  • Your News Alert

The worm can also harvest addresses from the email databases already present on the infected system. It sends the forged email messages to the first 170 email addresses it finds. To avoid mailing the currently infected user, it checks the following registry entry for the email address it needs to skip:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\
Accounts\%Default Mail Account%
"SMTP Email Address"

The above registry entry usually refers to the current user's email address.

It spoofs the FROM field of the email in two steps. First, it borrows the display name from the currently logged on user using the following registry entry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Internet Account Manager\Accounts\%Default Mail Account%
"SMTP Display Name"

Then, it composes the actual address in the FROM and TO fields from the email addresses it has found.

It prepares the email attachment to contain its encoded form with SETUP.EXE as its default file name. There are instances, however, when this worm searches the user's personal folder and takes the first file found there. It appends the extension SCR, PIF, or EXE to the file name of the found file to obtain the attachment name. This results in attachments with double extensions.

The path of this folder is usually "C:\My Documents" or "C:\Documents and Settings\%User Name%\My Documents", and the worm obtains it by querying this registry entry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Shell Folders
Personal

Since the personal folder often contains a DESKTOP.INI file to hold customization settings for a given folder, the worm skips .INI files from the list of possible attachment names.

If it does not find a file in the current user's personal folder, it combines one of the following text strings with the SCR, PIF, or EXE extension:

  • image
  • images
  • music
  • photo
  • readme
  • resume
  • Setup
  • video

This worm's two SMTP engines differ in the way they compose email.

One SMTP engine sends the encoded version of the worm as a plain email attachment with the content type "application/x-msdownload".

The other SMTP engine declares the attachment with the content type "audio/x-midi" and formats the blank message body as HTML that exploits the Incorrect Multipurpose Internet Mail Extensions (MIME) header vulnerability, which allows attachments of HTML-formatted email messages to execute automatically when a user reads or previews the email in Microsoft Outlook or Outlook Express. When the worm executes this way, it installs itself on the target system without prompting the user. The Incorrect MIME header vulnerability is known to affect Microsoft Internet Explorer 5.01 and 5.5.

Note: More information on this exploit is available in the Microsoft article "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" (Microsoft Security Bulletin MS01-020).
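The attachment naming and the MIME-header trick described above lend themselves to a mail-gateway check. The following Python script is an added example, not code from the original page or from the worm itself. It models the naming rule (the page does not say how the worm picks among SCR, PIF and EXE, so the `choice` parameter is an assumption) and scans two constructed messages, one lure and one benign, for the traits a filter can key on: a known subject, an empty body, an executable attachment, a double extension, and an executable declared under a non-application media type such as audio/x-midi. The subject set is a subset of the list above and the base64 payloads are stubs.

```python
"""Bugbear-style lure: attachment naming as described above, plus a gateway check.
Added example; the subject subset, sample messages and payload stubs are constructed."""
import email
import email.policy
import os

# Subset of the subject list given above; load the full list in production.
LURE_SUBJECTS = {s.lower() for s in (
    "$150 FREE Bonus!", "bad news", "hello!", "Just a reminder", "Report",
    "Warning!", "Your Gift", "Your News Alert",
)}
FALLBACK_STEMS = ("image", "images", "music", "photo", "readme", "resume", "Setup", "video")
EXEC_EXTS = (".scr", ".pif", ".exe")

# Constructed lure: display name borrowed from a victim, empty body, executable
# attachment carried as audio/x-midi (the MS01-020 trait).  Payload is a stub.
SAMPLE_LURE = """\
From: "Some User" <someone@example.com>
To: victim@example.net
Subject: bad news
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset="us-ascii"

--bnd
Content-Type: audio/x-midi; name="readme.doc.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.doc.scr"

TVqQAAMAAAAEAAAA
--bnd--
"""

# Constructed benign message with a PDF attachment (payload stub).
SAMPLE_BENIGN = """\
From: "Alice" <alice@example.net>
To: bob@example.org
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset="us-ascii"

Figures attached, see tab 2.
--bnd
Content-Type: application/pdf; name="q3.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="q3.pdf"

JVBERi0xLjQK
--bnd--
"""


def attachment_name(personal_folder_listing, choice=0):
    """Name the attachment the way the text describes: first non-.INI file in the
    user's Personal folder plus an executable extension (a double extension),
    otherwise a fallback stem plus the extension.  `choice` stands in for the
    worm's unstated selection among SCR/PIF/EXE (assumption)."""
    ext = EXEC_EXTS[choice % len(EXEC_EXTS)]
    for name in personal_folder_listing:
        if not name.lower().endswith(".ini"):      # DESKTOP.INI is skipped
            return name + ext
    return FALLBACK_STEMS[choice % len(FALLBACK_STEMS)] + ext


def lure_indicators(raw_message):
    """Return the Bugbear traits present in one RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        hits.append("known-lure-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(fname)
        if ext not in EXEC_EXTS:
            continue
        hits.append("executable-attachment")
        if os.path.splitext(stem)[1]:
            hits.append("double-extension")
        # An executable declared under a media type (audio/x-midi for this worm)
        # that an unpatched IE/Outlook would render without prompting.
        if not part.get_content_type().startswith("application/"):
            hits.append("mime-type-mismatch")
    return hits


if __name__ == "__main__":
    print(attachment_name(["desktop.ini", "resume.doc"]))   # resume.doc.scr
    print(lure_indicators(SAMPLE_LURE))
    print(lure_indicators(SAMPLE_BENIGN))
```

lure_indicators() returns the matched traits rather than a verdict, so a filter can require, for example, executable-attachment plus any one other trait before quarantining. Patching IE removes only the auto-execution; the other traits remain visible on the wire, so the check stays useful afterwards.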

Local Network Infection

This worm spreads across local networks via shared folders. It has a thread that continually scans for shared network resources, which include shared folders. When it finds one, it attempts to copy itself as the following:

\\<Shared resource name>\%Startup%\<random filename>.exe

(Note: %Startup% refers to the path to the Startup folder of the infected machine. <random filename> is the same filename used by the file dropped in the Startup folder.)

Because it does not check the type of shared resource it writes to, it also copies itself to other network resources such as printers. When this happens, print jobs accumulate in the network printer queue. The print jobs associated with this worm have document sizes equal to the size of the worm.

Backdoor Server Component

This worm also behaves like a backdoor malware server. It opens port 36794 on the infected machine and allows remote users to connect to the opened port. The connecting remote users may perform any of the following actions on the infected machine:

  • Download and execute files
  • Copy/delete files
  • List running processes
  • Kill running processes
  • Find/Display files
  • Set up an HTTP server
  • Return information on the infected machine

The information returned about the infected machine is as follows:

  • Machine name
  • Currently logged on user
  • Processor type
  • Operating system version and build
  • Amount of memory available
  • Specifications of storage media (hard drives, CD-ROM drives) and mapped network resources
  • Listing of network resources visible from the infected machine: shared folders, domains, workstations, printers, etc.

Given the structure of the commands this backdoor expects, it is likely that a dedicated client program exists to control the worm.

Whenever the backdoor feature of this worm is triggered, usually when somebody connects to the listening port 36794, the following temporary files are created in the Windows temporary folder:

  • ~PHGGUM.TMP
  • ~EAYLNLF.TMP

The dropped file, ~PHGGUM.TMP, contains a 20-character string, which is used by this backdoor worm as a session ID to communicate with its client. A connecting user cannot send commands to this worm without this ID.
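The installation, network-spread and backdoor artifacts described in the sections above give a host-side checklist. The following Python triage script is an added example, not code from the page or from the worm: the netstat output, RunOnce values, directory listings and print-queue entries are constructed, the drop names "kwsv" and "cuk" are illustrative, and treating the random drop names as alphanumeric and the netstat columns as XP-style `netstat -ano` output (Windows 2000 netstat has no PID column) are assumptions.

```python
r"""Host-side triage for the installation, spread and backdoor artifacts above.
Added example, not from the page or the worm; all sample data is constructed."""
import ntpath
import re

BACKDOOR_PORT = 36794
BACKDOOR_TEMP_FILES = {"~PHGGUM.TMP", "~EAYLNLF.TMP"}
WORM_SIZE = 50664                       # bytes, from the technical details above
# The page says the dropped names are random 4-character (%System%) and
# 3-character (Startup folder) names; alphanumeric is an assumption.
SYSTEM_DROP = re.compile(r"^[a-z0-9]{4}\.exe$", re.I)
STARTUP_DROP = re.compile(r"^[a-z0-9]{3}\.exe$", re.I)

# Constructed samples.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.20:1045      192.168.1.1:25         ESTABLISHED     1204
"""
RUNONCE_SAMPLE = {                      # value name -> data, as read from the RunOnce key
    "kwsv": r"C:\WINNT\System32\kwsv.exe",            # illustrative 4-character drop
    "Installer": r"C:\WINNT\System32\msiexec.exe /regserver",
}
STARTUP_SAMPLE = ["cuk.exe", "desktop.ini", "Office Startup.lnk"]   # "cuk" illustrative
TEMP_SAMPLE = ["~PHGGUM.TMP", "~eaylnlf.tmp", "~DF3A1B.TMP"]
PRINT_JOBS_SAMPLE = [{"id": 17, "bytes": 50664}, {"id": 18, "bytes": 2048},
                     {"id": 19, "bytes": 50664}]


def backdoor_listener_pids(netstat_text, port=BACKDOOR_PORT):
    """PIDs holding a TCP listener on the backdoor port."""
    pids = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        if fields[1].rsplit(":", 1)[-1] == str(port):
            pids.add(int(fields[4]))
    return pids


def suspicious_runonce(entries, system_dir=r"C:\WINNT\System32"):
    """RunOnce values whose data is a short random .EXE directly in %System%."""
    hits = []
    for value_name, data in entries.items():
        path = data.strip('"')
        if (ntpath.dirname(path).lower() == system_dir.lower()
                and SYSTEM_DROP.match(ntpath.basename(path))):
            hits.append(value_name)
    return sorted(hits)


def suspicious_startup(startup_listing):
    r"""Startup-folder entries fitting the 3-character drop pattern (the same name
    the spread thread writes to \\<share>\%Startup%\ on other hosts)."""
    return sorted(n for n in startup_listing if STARTUP_DROP.match(n))


def backdoor_temp_files(temp_listing):
    """Temp files the backdoor creates once a client connects (session-ID file included)."""
    return sorted(n.upper() for n in temp_listing if n.upper() in BACKDOOR_TEMP_FILES)


def worm_sized_print_jobs(jobs, size=WORM_SIZE):
    """Queue entries whose document size equals the worm body: spread-thread copies
    that landed on a shared printer."""
    return [job["id"] for job in jobs if job["bytes"] == size]


def triage(netstat_text=NETSTAT_SAMPLE, runonce=RUNONCE_SAMPLE, startup=STARTUP_SAMPLE,
           temp=TEMP_SAMPLE, print_jobs=PRINT_JOBS_SAMPLE):
    """Collect every indicator into one report; an empty dict means nothing matched."""
    report = {
        "backdoor_pids": backdoor_listener_pids(netstat_text),
        "runonce": suspicious_runonce(runonce),
        "startup": suspicious_startup(startup),
        "temp": backdoor_temp_files(temp),
        "print_jobs": worm_sized_print_jobs(print_jobs),
    }
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The PID returned for port 36794 is the process to terminate before cleaning the RunOnce value and the Startup copy; the print-queue check is the quickest way to find which printers the spread thread reached, since each queued copy is exactly one worm body in size.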

Antivirus Retaliation

This worm terminates the following processes, which are mostly antivirus applications, on target systems:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • FINDVIRU.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JEDI.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RESCUE.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

Keylogger Component and Password Stealer

This thread is usually triggered when the worm is first run on the system. The worm gathers cached passwords on the system using system APIs.

It also uses its .DLL file component to intercept keystrokes made on the infected machine and saves them, encrypted, into the other dropped files. This keylogger component is also detected as WORM_BUGBEAR.A.

This worm sends the stolen passwords and the logged keystrokes, together with the machine name and name of the currently logged-on user to any of the following email addresses:

  • boxhill@teach.com
  • brdlhow@ml1.net
  • c.willoughby@myrealbox.com
  • erisillen@canada.com
  • gili_zbl@yahoo.com
  • jacopo58@excite.com
  • jwwatson@excite.com
  • langobaden@excite.com
  • mannchris@gala.net
  • mshaw@hispostbox.com
  • rvre2736@fairesuivre.com
  • rwilson@singmail.com
  • sc4579@excite.com
  • sctanner@myrealbox.com
  • sdsdfsf@callme.as
  • sergio52@mac.com
  • sm2001@mail.gerant.com
  • stevechurchis@excite.com
  • stickly@login.pe.kr
  • t435556@email.it
  • vique@aggies.org
  • zr376q@yahoo.com

The subject of the notification email is the domain name taken from the "SMTP Email Address" registry value retrieved earlier. Thus, if the default SMTP email address is "test@nowhere.com", then the subject of the email is "nowhere".
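The notification described above, together with the mass-mailing behaviour in the earlier section (spoofed senders, up to 170 recipients per run), can be picked up in outbound mail logs. The following Python script is an added example, not code from the page or the worm. The log line format and every line produced by constructed_log() are made up here; the 50-recipient burst threshold is an assumption, and so is cutting the subject at the label before the TLD, since the page's single example (test@nowhere.com -> nowhere) does not distinguish that from taking the first label.

```python
"""Outbound-mail detection for the notification and mass-mailing behaviour above.
Added example; the log format, threshold and sample lines are constructed."""
import re
from collections import defaultdict

# Drop addresses listed above.
DROP_ADDRESSES = {
    "boxhill@teach.com", "brdlhow@ml1.net", "c.willoughby@myrealbox.com",
    "erisillen@canada.com", "gili_zbl@yahoo.com", "jacopo58@excite.com",
    "jwwatson@excite.com", "langobaden@excite.com", "mannchris@gala.net",
    "mshaw@hispostbox.com", "rvre2736@fairesuivre.com", "rwilson@singmail.com",
    "sc4579@excite.com", "sctanner@myrealbox.com", "sdsdfsf@callme.as",
    "sergio52@mac.com", "sm2001@mail.gerant.com", "stevechurchis@excite.com",
    "stickly@login.pe.kr", "t435556@email.it", "vique@aggies.org", "zr376q@yahoo.com",
}
BURST_THRESHOLD = 50   # assumption; the page says up to 170 addresses per run

# Constructed log format: one line per recipient, client is the submitting host.
LOG_RE = re.compile(
    r'client=(?P<client>\S+) from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)> subject="(?P<subj>[^"]*)"'
)


def expected_notification_subject(smtp_email_address):
    """Subject the worm gives its notification: the domain name of the registry
    "SMTP Email Address" value (test@nowhere.com -> "nowhere").  Taking the
    label before the TLD for longer domains is an assumption."""
    domain = smtp_email_address.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def scan_mail_log(lines, burst_threshold=BURST_THRESHOLD):
    """Return line numbers / clients per finding type."""
    findings = {"drop-address-recipient": [], "domain-label-subject": [], "mass-mail-burst": []}
    recipients_by_client = defaultdict(set)
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        client, frm, to, subj = m["client"], m["frm"].lower(), m["to"].lower(), m["subj"]
        recipients_by_client[client].add(to)
        if to in DROP_ADDRESSES:                      # stolen-credential notification
            findings["drop-address-recipient"].append(lineno)
        if subj.lower() == expected_notification_subject(frm):
            findings["domain-label-subject"].append(lineno)
    for client, rcpts in sorted(recipients_by_client.items()):
        # The mass-mailer spoofs From, so count distinct recipients per client host.
        if len(rcpts) >= burst_threshold:
            findings["mass-mail-burst"].append(client)
    return findings


def constructed_log():
    """Constructed sample: one notification plus a mass-mailing burst from one host."""
    lines = [
        'client=192.168.1.30 from=<jdoe@nowhere.com> to=<alice@example.net> subject="Quarterly figures"',
        'client=192.168.1.20 from=<jdoe@nowhere.com> to=<sc4579@excite.com> subject="nowhere"',
        'client=192.168.1.30 from=<jdoe@nowhere.com> to=<bob@example.org> subject="Lunch?"',
    ]
    for i in range(60):   # spoofed senders, harvested recipients, lure subject
        lines.append(f'client=192.168.1.20 from=<user{i % 7}@example.com> '
                     f'to=<rcpt{i}@example.org> subject="Report"')
    return lines


if __name__ == "__main__":
    for kind, where in scan_mail_log(constructed_log()).items():
        print(f"{kind}: {where}")
```

The domain-label-subject rule is weak on its own (any user can send mail with that subject); treat it as corroboration for a drop-address hit or a burst from the same client, which is what a real notification produces. The drop-address list is the strongest signal and is also the right thing to block at the mail relay.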

Other Details

The following text strings can be seen in this worm's body:

Project Tanatos




Analysis by: Daniel M. Biado

Revision History:

First pattern file version: 1.709.58
First pattern file release date: Sep 30, 2002

SOLUTION


Minimum scan engine version needed: 6.150

Pattern file needed: 2.533.02

Pattern release date: Mar 18, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest scan engine version in order to get comprehensive protection.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_BUGBEAR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
     On Windows 9x/ME systems, refer to the note* below.
     On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press the End Process button.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, you need a third party process viewer, such as Process Explorer from Sysinternals. You may also continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunOnce
  3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
  4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system in MS-DOS mode and delete the file(s) in the Startup folder detected as WORM_BUGBEAR.A. Afterwards, restart your system in normal Windows mode.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_BUGBEAR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Internet Explorer. Download and install the security patch supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed.

