We have reports of a new worm, W32/BugBear.B, which is in the wild, i.e. reported to be infecting a significant number of computers. It is a variant of W32/BugBear.A and closely resembles the original. The worm arrives as an email attachment and, on computers running a vulnerable version of Internet Explorer, can execute automatically when the message is viewed, without the user opening the attachment. Once running it mails itself out and also spreads through network shares.
Subject line and message body: The worm may reuse the subject of an existing email found on the infected computer, or else use one of the following subjects:
- Hello!
- update
- hmm..
- Payment notices
- Just a reminder
- Correction of errors
- history screen
- Announcement
- various
- Introduction
- Interesting...
- I need help about script!!!
- Stats
- Please Help...
- Report
- Membership Confirmation
- Get a FREE gift!
- Today Only
- New Contests
- Lost & Found
- bad news
- wow!
- fantastic
- click on this!
- Market Update Report
- empty account
- My eBay ads
- Cows
- 25 merchants and rising
- CALL FOR INFORMATION!
- new reading
- Sponsors needed
- SCAM alert!!!
- Warning!
- its easy
- free shipping!
- News
- Daily Email Reminder
- Tools For Your Online Business
- New bonus in your cash account
- Your Gift
- Re: $150 FREE Bonus!
- Your News Alert
- Hi!
- Get 8 FREE issues - no risk!
- Greets!
Attachment filename: The worm takes names from files in the My Documents folder which have one of the following extensions (the attachment itself is still the worm executable, so the name is a lure, not the real file type):
.reg .ini .bat .diz .txt .cpp .html .htm .jpeg .jpg .gif .cpl .dll .vxd .sys .com .exe .bmp
Attachment size: 72,192 bytes
Details:
- If the user runs the executable (or it is launched via the Internet Explorer vulnerability), the worm sends infected emails to addresses harvested from .ODS, .MMF, .NCH, .MBX, .EML, .DBX and .INI files and from files named INBOX.
- BugBear.B uses its own SMTP engine to send mail, so it does not depend on the user's mail client; it also copies itself to writable network shares.
- Installs itself in the Startup folder so that it runs at every logon:
- Win98: C:\WINDOWS\Start Menu\Programs\Startup\BSFS.EXE
- 2k Pro: C:\Documents and Settings\(username)\Start Menu\Programs\Startup\BSFS.EXE
- Installs a keylogger DLL and stores the captured keystrokes in encrypted form
- Installs a remote access trojan (backdoor) component which listens on TCP port 1080
- Infects various common executable files: this worm is also a polymorphic parasitic file infector, so cleanup means disinfecting the infected programs, not only deleting the dropped copies
- Terminates security and anti-virus software processes running on the infected computer
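The two host-side indicators in the list above (BSFS.EXE in a Startup folder and a listener on TCP port 1080) can be checked with a small triage script. The following is an added example, not GFI's code or a tool from the advisory; the netstat text is a constructed sample in the format of Windows "netstat -an", and the temporary Startup folder created by demo() stands in for the real paths returned by default_startup_dirs().

```python
"""Host triage for the BugBear.B indicators named in the advisory (added example)."""
import os
import re
import tempfile

STARTUP_FILE = "BSFS.EXE"   # dropped copy named in the advisory
RAT_PORT = 1080             # backdoor listener port named in the advisory

# Matches Windows "netstat -an" rows such as:
#   TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
NETSTAT_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def startup_hits(startup_dirs):
    """Return full paths of BSFS.EXE found in the given Startup folders (case-insensitive)."""
    hits = []
    for d in startup_dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if name.upper() == STARTUP_FILE:
                hits.append(os.path.join(d, name))
    return hits


def triage(startup_dirs, netstat_text):
    """Combine both indicators into a list of human-readable findings."""
    findings = [f"startup persistence: {p}" for p in startup_hits(startup_dirs)]
    if RAT_PORT in listening_ports(netstat_text):
        findings.append(f"TCP port {RAT_PORT} is listening (BugBear.B remote access component?)")
    return findings


def default_startup_dirs():
    """Startup folders for the Win98 and Windows 2000 layouts given in the advisory."""
    user = os.environ.get("USERNAME", "")
    return [
        r"C:\WINDOWS\Start Menu\Programs\Startup",
        rf"C:\Documents and Settings\{user}\Start Menu\Programs\Startup",
    ]


# Constructed sample of "netstat -an" output; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1052       192.168.1.1:25         ESTABLISHED
"""


def demo():
    """Run the triage against a temporary Startup folder holding a fake bsfs.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "bsfs.exe"), "wb").close()
        return triage([tmp], SAMPLE_NETSTAT)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, call triage(default_startup_dirs(), output_of_netstat_an). Treat the port check as a lead rather than proof: TCP 1080 is also the standard SOCKS proxy port, so confirm which process owns the socket before concluding the host is infected, and remember that the worm kills anti-virus processes, so a scanner that is "running" on the box may already have been stopped.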
Avoidance action: Make sure your virus definition files are up to date. Block all incoming and outgoing .exe, .pif, .com and .scr attachments at the mail gateway. Since the worm names its attachment after a document in My Documents, judge by the final extension, not by what appears in the middle of the name: a name ending in .txt.exe is an executable.
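The attachment blocking described above, as an added example that is not part of the original advisory: a gateway-style filter that parses a MIME message with the Python standard library and flags attachments whose final extension is in the block list (including double extensions such as report.txt.exe) or whose decoded size equals the 72,192 bytes quoted above. The message produced by build_sample() is constructed for the example; the sender and recipient addresses are placeholders.

```python
"""Mail attachment filter for the extensions named in the advisory (added example)."""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".pif", ".com", ".scr"}
BUGBEAR_B_SIZE = 72192  # attachment size quoted in the advisory


def blocked_extension(filename):
    """Return the blocked extension if the attachment name ends with one, else None.

    Windows decides how to open a file by its final suffix, so "notes.txt.exe"
    is an executable regardless of the ".txt" in the middle of the name.
    """
    name = filename.lower().rstrip()
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None


def scan_message(raw):
    """Return a list of (filename, reason) findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = blocked_extension(filename)
        if ext:
            findings.append((filename, f"blocked extension {ext}"))
        if len(payload) == BUGBEAR_B_SIZE:
            findings.append((filename, "attachment size matches BugBear.B (72,192 bytes)"))
    return findings


def build_sample():
    """Constructed message: a harmless text file plus a 72,192-byte double-extension executable."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # placeholder
    msg["To"] = "admin@example.com"      # placeholder
    msg["Subject"] = "Payment notices"   # one of the subjects listed in the advisory
    msg.set_content("Please see attached.")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    fake_exe = b"MZ" + b"\x00" * (BUGBEAR_B_SIZE - 2)  # constructed; not worm code
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="report.txt.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```

The size check is only a secondary signal: a recompressed or patched variant will not be exactly 72,192 bytes, and a legitimate file can be. The extension check is the one the advisory actually recommends, and it should be applied to the decoded filename after any MIME encoding and trailing whitespace are removed, which is what get_filename() and rstrip() do here.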
For more updated information: http://www.gfi.com/security
References:
- http://www.norman.com/virus_info/w32_bugbear_b_mm.shtml
- http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=133
- http://vil.nai.com/vil/content/v_100358.htm
About GFI GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong, and Adelaide which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners throughout the world. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.