Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Bugbear.B
At a glance
Common name: Bugbear.B
Technical name: W32/Bugbear.B
Threat level: Medium
Alias: W32/Bugbear.b@mm, Bugbear.B, PE_BUGBEAR.B, W32.Kijmo, W32.Shamur, Win32.Bugbear.B
Type: Virus
Effects: It infects a large number of files on affected computers, ends processes belonging to security programs, opens port 1080, captures keystrokes and allows a hacker to gain remote access to the resources of the computer.
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on: June 5, 2003
Detection updated on: May 14, 2009
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies
Repair utility: Panda QuickRemover
Brief Description
Bugbear.B is a dangerous worm that spreads via e-mail and across shared network drives. It is very easy to become infected by this worm, as it is automatically activated when the message is viewed through Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5), which allows e-mail attachments to be automatically run. This vulnerability exploit is known as Exploit/iFrame. However, Bugbear.B does not always exploit this vulnerability in order to affect the computer.
Bugbear.B carries out the following actions on affected computers:
- It sends out a file containing a copy of the cached passwords of the dial-up network connections to a certain list of e-mail addresses. It does this if the default e-mail address of the victim computer, which it obtains from the Windows Registry, belongs to one of the domains in its list. This list mainly includes domains belonging to financial entities. The addresses it sends the cached passwords to are the following: ifrbr@canada.com, sdorad@juno.com, fbnfgh@email.ro, eruir@hotpop.com, ersdes@truthmail.com, eofb2@blazemail.com, ioter5@yook.de, iuery@myrealbox.com, jkfhw@wildemail.com and ds2iahf@kukamail.com.
- It infects a large number of files.
- It disables security programs.
- It opens port 1080, which allows hackers to gain remote access to the affected computer.
- It logs the keystrokes in a file. By doing this, hackers that accessed this file would be able to obtain confidential data such as passwords for accessing certain Internet services, bank accounts, etc. The logged information is sent when the data saved exceeds 25,000 bytes or every two hours.
Bugbear.B is a polymorphic worm, which makes it difficult for antivirus programs to detect.
Visible Symptoms
Bugbear.B is difficult to recognize, as it does not display any warnings or messages that indicate that it has infected a computer. When spreading across shared network drives, Bugbear.B does not check whether the directories it is copying itself to are shared printers. Therefore, if it copies itself to one of these directories, the printer will start printing junk characters.
Tech details
Effects
Bugbear.B has the following effects:
- It sends out a file containing a copy of the cached passwords of the dial-up network connections to a certain list of e-mail addresses. It does this if the default e-mail address of the victim computer, which it obtains from the Windows Registry, belongs to one of the domains in its list. This list mainly includes domains belonging to financial entities. The addresses it sends the cached passwords to are the following: ifrbr@canada.com, sdorad@juno.com, fbnfgh@email.ro, eruir@hotpop.com, ersdes@truthmail.com, eofb2@blazemail.com, ioter5@yook.de, iuery@myrealbox.com, jkfhw@wildemail.com and ds2iahf@kukamail.com.
- It infects the following files, if it finds them on the affected computer, where %windir% is the Windows directory and %programfiles% is the Program Files directory:
%windir%\SCANDSKW.EXE
%windir%\REGEDIT.EXE
%windir%\MPLAYER.EXE
%windir%\HH.EXE
%windir%\NOTEPAD.EXE
%windir%\WINHELP.EXE
%programfiles%\INTERNET EXPLORER\IEXPLORE.EXE
%programfiles%\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
%programfiles%\WINRAR\WINRAR.EXE
%programfiles%\WINDOWS MEDIA PLAYER\MPLAYER2.EXE
%programfiles%\REAL\REALPLAYER\REALPLAY.EXE
%programfiles%\OUTLOOKEXPRESS\MSIMN.EXE
%programfiles%\FAR\FAR.EXE
%programfiles%\CUTEFTP\CUTFTP32.EXE
%programfiles%\ADOBE\ACROBAT 4.0\READER\ACRORD32.EXE
%programfiles%\ACDSEE32\ACDSEE32.EXE
%programfiles%\MSN MESSENGER\MSNMSGR.EXE
%programfiles%\WS_FTP\WS_FTP95.EXE
%programfiles%\QUICKTIME\QUICKTIMEPLAYER.EXE
%programfiles%\STREAMCAST\MORPHEUS\MORPHEUS.EXE
%programfiles%\ZONE LABS\ZONEALARM\ZONEALARM.EXE
%programfiles%\TRILLIAN\TRILLIAN.EXE
%programfiles%\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
%programfiles%\AIM95\AIM.EXE
%programfiles%\WINAMP\WINAMP.EXE
%programfiles%\DAP\DAP.EXE
%programfiles%\ICQ\ICQ.EXE
%programfiles%\KAZAA\KAZAA.EXE
%programfiles%\WINZIP\WINZIP32.EXE
These files belong to different applications, which will not stop working. However, whenever one of these applications is run (KaZaA, WinZip, Internet Explorer, etc.), the worm will also be run.
- It also sometimes acts as a backdoor Trojan, allowing a hacker to carry out the following actions on affected computers:
  - List, start and end processes.
  - List, copy and delete files.
  - Send out files containing the keystrokes captured by the keylogger.
  - Send information from the affected computer.
  - List the network resources and their characteristics.
  - Open an HTTP server to interact remotely through a web interface.
- It looks for a series of processes related to antivirus and security programs. If they are running, it ends them, so that these programs stop working.
- It opens port 1080, which allows hackers to gain remote access to the affected computer.
- It logs the keystrokes in a file. By doing this, hackers that accessed this file would be able to obtain confidential data such as passwords for accessing certain Internet services, bank accounts, etc. The keylogger information is sent when the data saved exceeds 25,000 bytes or every two hours.
Infection strategy
Bugbear.B creates the following files:
- ????.EXE in the Windows Startup directory. By creating it in this directory, Bugbear.B ensures that it is run whenever Windows is started. It obtains the path of this directory by reading the following key in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup = the user's Startup directory
- ???????.DLL in the Windows system directory. This file is 5,632 bytes in size and is a keylogger, which captures the keystrokes entered on the affected computer. This file is detected by Panda Software as PSWBugbear.B.
- ~PHQGHUM.TMP or SPHQGHUM.TMP in the Windows temporary directory. The name of this file varies depending on whether it is currently in use by the worm or not.
It also creates other files with a DLL extension, which contain encrypted data collected or generated by the worm.
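The on-disk artifacts listed above can be turned into a simple host triage check. The following is an added example (not Panda's code or a Panda tool): the three directories are passed in as parameters instead of being read from the Registry so the check runs on any system, the random-name patterns are assumed to be exactly 4 and 7 characters as the ????/??????? placeholders suggest, and the sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

KEYLOGGER_DLL_SIZE = 5632                 # ???????.DLL keylogger size stated on the page
STARTUP_EXE_RE = re.compile(r"^.{4}\.EXE$", re.IGNORECASE)   # ????.EXE dropped in Common Startup
SYSTEM_DLL_RE = re.compile(r"^.{7}\.DLL$", re.IGNORECASE)    # ???????.DLL dropped in the system dir
TEMP_NAMES = {"~PHQGHUM.TMP", "SPHQGHUM.TMP"}                # temp file; name varies while in use

def _files(directory):
    """(name, size) for each regular file in directory; [] if the directory does not exist."""
    if not os.path.isdir(directory):
        return []
    return [(n, os.path.getsize(os.path.join(directory, n))) for n in os.listdir(directory)
            if os.path.isfile(os.path.join(directory, n))]

def find_bugbear_artifacts(startup_dir, system_dir, temp_dir):
    """Return (indicator, path) pairs for files matching the artifacts described above."""
    findings = []
    for name, _ in _files(startup_dir):
        if STARTUP_EXE_RE.match(name):
            findings.append(("4-char EXE in Common Startup", os.path.join(startup_dir, name)))
    for name, size in _files(system_dir):
        if SYSTEM_DLL_RE.match(name) and size == KEYLOGGER_DLL_SIZE:
            findings.append(("5,632-byte 7-char DLL in system dir", os.path.join(system_dir, name)))
    for name, _ in _files(temp_dir):
        if name.upper() in TEMP_NAMES:
            findings.append(("Bugbear.B temp file", os.path.join(temp_dir, name)))
    return findings

def build_demo_tree():
    """Constructed throw-away layout with three matching artifacts and two benign neighbours."""
    root = tempfile.mkdtemp(prefix="bugbear_demo_")
    startup, system, temp = (os.path.join(root, d) for d in ("startup", "system32", "temp"))
    for d in (startup, system, temp):
        os.mkdir(d)
    samples = {
        os.path.join(startup, "CUUA.EXE"): b"M" * 72192,    # constructed name; worm size from page
        os.path.join(startup, "desktop.ini"): b"[.ShellClassInfo]",
        os.path.join(system, "LGGUAPL.DLL"): b"K" * 5632,   # constructed name; keylogger size
        os.path.join(system, "kernel32.dll"): b"x" * 4096,  # benign: 8-char name, wrong size
        os.path.join(temp, "~PHQGHUM.TMP"): b"",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return startup, system, temp
```

On a real Windows host the three paths would come from the Common Startup Registry value quoted above, %windir%\system32 and %TEMP%; a hit on the DLL size alone is weak evidence and should be confirmed with a scan.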
Means of transmission
Bugbear.B spreads via e-mail and across shared network drives.
1- Transmission via e-mail.
In order to spread via e-mail, Bugbear.B follows the routine below:
- It reads the following entry in the Windows Registry in order to obtain the mail server:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager
In addition, the worm contains a list of domains with possible mail servers.
- It looks for e-mail addresses in the files it finds on the affected computer whose names contain the following strings: DBX, TBB, EML, MBX, NCH, MMF, INBOX and ODS.
- It sends a copy of itself to all the addresses it finds. In order to do this, it uses its own SMTP engine. The message has the following characteristics:
Subject: One of the following:
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
Attachments: The name of the file is extremely variable. It can be one of the following:
DATA
SONG
MUSIC
VIDEO
PHOTO
RESUME
PICS
IMAGES
IMAGE
NEWS
DOCS
CARD
SETUP
README
The file will have one or two of the following extensions: EXE, SCR or PIF.
The name of the attached file can also be taken from the files stored in the user's personal directory (indicated by the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal), or from the files stored in the My Documents directory which have one of the following extensions: REG, INI, BAT, DIZ, TXT, CPP, HTML, HTM, JPEG, JPG, GIF, CPL, DLL, VXD, SYS, COM, EXE or BMP.
Bugbear.B does not send a message to any mail address that contains one of the following words:
majordom
ticket
talk
list
localdomain
localhost
nobody@
root@
postmaster@
mailer-daemon
trojan
virus
lyris
noreply
recipients
undisclosed
spam
remove
The recipient of the infected message will be affected by this worm by simply viewing the message through the Outlook Preview Pane, as Bugbear.B exploits a vulnerability in Internet Explorer (versions 5.01 and 5.5), which allows e-mail attachments to be automatically run. This vulnerability exploit is known as Exploit/iFrame. However, Bugbear.B does not always exploit this vulnerability to carry out its infection.
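The subject, attachment-name and extension lists above describe the shape of the worm's messages precisely enough to write a gateway-side check. The following is an added example (not Panda's code): it parses a message with Python's standard email module and reports which Bugbear.B traits it carries. It also generalizes the second naming rule by flagging NAME.DOCEXT.EXE-style attachments, the shape produced when the name is taken from a user's document. The subject list is a shortened copy of the page's list, and the messages built by build_sample are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

BUGBEAR_SUBJECTS = {s.lower() for s in (           # shortened copy of the list on this page
    "Get 8 FREE issues - no risk!", "Hi!", "Your News Alert", "$150 FREE Bonus!", "Re:",
    "Your Gift", "New bonus in your cash account", "Daily Email Reminder", "News",
    "Warning!", "SCAM alert!!!", "Cows", "empty account", "bad news", "Hello!")}
ATTACH_BASES = {"DATA", "SONG", "MUSIC", "VIDEO", "PHOTO", "RESUME", "PICS", "IMAGES",
                "IMAGE", "NEWS", "DOCS", "CARD", "SETUP", "README"}
EXEC_EXTS = {"EXE", "SCR", "PIF"}
DOC_EXTS = {"REG", "INI", "BAT", "DIZ", "TXT", "CPP", "HTML", "HTM", "JPEG", "JPG", "GIF",
            "CPL", "DLL", "VXD", "SYS", "COM", "EXE", "BMP"}

def attachment_matches(filename):
    """True for BASE.EXT or BASE.EXT.EXT (BASE from the worm's list, EXT in EXE/SCR/PIF),
    or NAME.DOCEXT.EXT, the shape produced when the name is taken from a user's document."""
    parts = filename.upper().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return False
    if len(parts) == 2:
        return parts[0] in ATTACH_BASES
    if len(parts) == 3:
        return (parts[0] in ATTACH_BASES and parts[1] in EXEC_EXTS) or parts[1] in DOC_EXTS
    return False

def classify(raw_bytes):
    """Return the Bugbear.B traits found in an RFC 822 message: 'subject' and/or
    'attachment:<name>' entries; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    traits = []
    if str(msg["Subject"] or "").strip().lower() in BUGBEAR_SUBJECTS:
        traits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_matches(name):
            traits.append("attachment:" + name)
    return traits

def build_sample(subject, attach_name):
    """Construct a test message (constructed addresses and payload, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(b"MZ" + b"\0" * 16, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()
```

Because the worm also reuses ordinary subjects such as "Re:" and "News", a subject hit on its own should raise the score rather than block; the executable double-extension attachment is the stronger signal.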
2- Transmission across shared network drives.
In order to spread across shared network drives, Bugbear.B follows the routine below:
- Bugbear.B checks whether the affected computer is connected to a network. If it is, it looks for network drives and creates a copy of itself in the Startup directory of these drives.
- By doing this, when the computer that shares the drive is next started up, it will be automatically infected by Bugbear.B.
- Bugbear.B may not be able to copy itself to the Startup directory on computers with a different operating system or language, as the worm assumes that the directory on the remote machine it wants to infect has the same path as the one on the local machine.
Note: When spreading across shared network drives, Bugbear.B does not check whether the directories it is copying itself to are shared printers. Therefore, if it copies itself to one of these directories, the printer will start printing junk characters.
Further Details
Other interesting characteristics of Bugbear.B are:
- It is written in the programming language Visual C.
- The worm is 72,192 bytes in size and is compressed with a modified UPX.
- It creates a mutex named w32shamur in order to find out whether it is already running. If it is, it is not run again.
- The worm incorporates a list of domains belonging to banks, among others. If the worm connects to a machine in one of these domains, Bugbear.B enables the AutoDial option by modifying an entry in the Windows Registry. By doing this, it prevents confirmation from being required in order to establish a network connection via modem.