W32/Bugbear.gen@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 04/05/2004
Length: Various
Minimum DAT: 4348 (04/06/2004)
Updated DAT: 4761 (05/12/2006)
Minimum Engine: 5.1.00
Description Added: 04/06/2004
Description Modified: 05/27/2004 1:14 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

--- Update May 27 2004 ---

This worm drops a backdoor component (also known as Backdoor.Carool by some vendors). It is 47,104 bytes in size, installs a keylogger on the victim's computer and steals system information. The keylogger component is detected as W32/Bugbear.b.dll and is 5,632 bytes in size.

The backdoor component sends stolen information such as cached passwords and keystroke logs to a remote server via HTTP.

This is a generic detection for W32/Bugbear@MM variants.

At the time of writing, two new W32/Bugbear@MM variants have been reported to AVERT, both of which have been added to this detection (requiring the specified engine/DATs, and the scanning of compressed files to be enabled). These two latter variants are discussed below.

Proactive Detection

  • The MIME HTML dropper component of this worm is detected as Exploit-Codebase with the 4293 DATs or greater.
  • Gateway products running the 4308 DATs (or greater) with program heuristics enabled detect the main binary as virus or variant New Malware.b.
  • The keylogging DLL (5,632 bytes) dropped by these worms is detected as W32/Bugbear.b.dll with the 4270 DATs or greater. The captured data is encrypted and written to disk. These files are detected as W32/Bugbear.b!data with the 4308 DATs or greater.

Mail Propagation

  • The worm uses its own SMTP engine to construct outgoing messages.
  • Email addresses are harvested from the victim machine.
  • The From: address is spoofed (using harvested addresses, and also using strings carried within the worm).

Messages are constructed as follows:

From: spoofed
Subject: varies. May be one of various strings carried in the worm, or may be constructed using a large pool of strings.
Body: blank
Attachment: May be .PIF, .SCR or .ZIP (details below)

The latter variants received by AVERT may attach themselves directly to constructed messages. In this case the attachment will have one of the following extensions:

  • PIF
  • SCR

The attachment may also be a ZIP file, containing a MIME HTML dropper (detected as Exploit-Codebase - see above). This HTML file contains the base-64 encoded worm, together with a script which will decode, drop and execute the worm upon viewing the HTML. Please see the Exploit-Codebase description for more information.

The following filenames may be used (for either the PIF or SCR attachment, or the .HTM within the ZIP attachment):

  • data
  • song
  • music
  • video
  • photo
  • resume
  • pics
  • image
  • images
  • news
  • Docs
  • Card
  • Setup
  • readme
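The message shapes described above (a bare .PIF/.SCR attachment, or a .ZIP holding an .HTM that carries a base-64 blob and a decoding script, under one of the listed filenames) are what a mail gateway would want to flag. The following is an added example, not code from the McAfee description: a small triage routine that parses a MIME message and reports which attachments match those shapes. The sample message, the ZIP contents (an inert placeholder standing in for the dropper HTML) and the 200-character base-64 run threshold are constructed assumptions.

```python
"""Mail-gateway triage for Bugbear-style attachments (added example).

Flags the attachment shapes the description lists: a bare .PIF/.SCR
attachment, or a .ZIP whose .HTM member carries a long base-64 run plus a
script. The sample message and ZIP contents are constructed, not captures.
"""
import base64
import io
import re
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Attachment basenames the description lists; matched case-insensitively.
SUSPECT_STEMS = {"data", "song", "music", "video", "photo", "resume", "pics",
                 "image", "images", "news", "docs", "card", "setup", "readme"}
DIRECT_EXTS = {".pif", ".scr"}
# The dropper HTML carries a base-64 blob and a decoding script; the 200-char
# run length is an assumed heuristic threshold, not a figure from the page.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def split_name(filename: str):
    """Return (lower-case stem, lower-case extension with dot) of a filename."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return stem.lower(), "." + ext.lower()


def html_looks_like_dropper(data: bytes) -> bool:
    """A script tag plus a long base-64 run is the shape the description gives."""
    return b"<script" in data.lower() and B64_RUN.search(data) is not None


def triage_attachment(filename: str, payload: bytes):
    """Reasons an attachment matches the worm's shapes (empty list if none)."""
    reasons = []
    stem, ext = split_name(filename)
    if ext in DIRECT_EXTS:
        reasons.append(f"executable attachment {filename}")
        if stem in SUSPECT_STEMS:
            reasons.append(f"stem '{stem}' is on the worm's filename list")
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.infolist():
                    mstem, mext = split_name(member.filename)
                    if mext not in {".htm", ".html"}:
                        continue
                    if html_looks_like_dropper(zf.read(member)):
                        reasons.append(f"zip member {member.filename} looks like an HTML dropper")
                    if mstem in SUSPECT_STEMS:
                        reasons.append(f"zip member stem '{mstem}' is on the worm's filename list")
        except zipfile.BadZipFile:
            reasons.append(f"{filename} has a .zip name but is not a valid archive")
    return reasons


def triage_message(raw: bytes):
    """Map attachment filename -> reasons for every attachment in a raw message."""
    findings = {}
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if not filename:
            continue  # multipart container or the (blank) text body
        reasons = triage_attachment(filename, part.get_payload(decode=True) or b"")
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: blank body, ZIP holding an inert stand-in for the dropper HTML."""
    html = (b"<html><script>/* inert placeholder text, not a real script */</script>"
            + base64.b64encode(b"X" * 300) + b"</html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.htm", html)
    msg = MIMEMultipart()
    msg["From"] = "spoofed.sender@example.invalid"   # constructed, spoofed as described
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "photo"
    msg.attach(MIMEText(""))                          # blank body, as described
    zip_part = MIMEApplication(buf.getvalue(), _subtype="zip")
    zip_part.add_header("Content-Disposition", "attachment", filename="photo.zip")
    msg.attach(zip_part)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Run stand-alone it prints the findings for the constructed message; in a gateway the same `triage_message` call would sit on the raw message bytes before delivery, and a non-empty result would route the message to quarantine for the signature-based scan the description relies on.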

Email addresses are harvested from the victim machine, from files with the following extensions:

  • ODS
  • MMF
  • NCH
  • MBX
  • EML
  • TBB
  • DBX

Keylogging

The worm drops a keylogging DLL, which it uses to capture typed keystrokes. A random filename is used for this DLL:

  • %SysDir%\xxxxxxx.dll

where each x is a random ASCII character.

The logged data is encrypted and written to disk in two other files (again random filenames), for example:

  • %SysDir%\CUCPPE.DLL
  • %SysDir%\NRNPPIM.DLL

These files are detected as W32/Bugbear.b!data with the 4308 DATs or greater.

Process Termination

Numerous processes related to anti-virus and security products are terminated by this virus.

Symptoms

The exact filenames and Registry key names used may vary between variants of this virus. Typically the worm will install itself into %SysDir% using a random filename. For example:

  • C:\WINNT\SYSTEM32\XWXPPD.EXE

A Registry key is added to hook system startup, for example:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "(random string)" = C:\WINNT\SYSTEM32\XWXPPD.EXE

Given a number of the dropped components have been detected for a while, such detections are likely to indicate the presence of a new variant of this virus.
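The two symptoms above (a randomly named executable in %SysDir% and a Run value with a random name pointing at it) are the kind of thing a responder would hunt for across a fleet. The following is an added example, not code from the McAfee description: it audits HKLM Run entries against a baseline of executables expected to start from the system directory and reports the rest, noting when the value name also looks random. The baseline, the sample entries (apart from XWXPPD.EXE, which is the description's own example) and the "random-looking name" heuristic are constructed assumptions; `read_run_key` is the Windows-only collector, the audit itself runs anywhere.

```python
"""Hunt for Bugbear-style Run-key persistence (added example).

Audits Run entries against a baseline of expected executables. The
baseline, sample entries and the random-name heuristic are constructed.
"""
import ntpath
import re

SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
# Value names made of letters only, 4-10 long, no spaces: a rough stand-in
# for "(random string)". An assumed heuristic; tune it per environment.
RANDOM_NAME = re.compile(r"^[A-Za-z]{4,10}$")

# Constructed baseline: executables expected to start from the system directory.
BASELINE_EXES = {"ctfmon.exe", "rundll32.exe"}

# Constructed sample entries, (value name, command), as they would come from
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run. XWXPPD.EXE is the
# example filename given in the description; the value name is made up.
SAMPLE_ENTRIES = [
    ("ctfmon", r"C:\WINNT\system32\ctfmon.exe"),
    ("QWJDKP", r"C:\WINNT\SYSTEM32\XWXPPD.EXE"),
    ("Adobe Reader Speed Launcher", r'"C:\Program Files\Adobe\Reader\reader_sl.exe"'),
]


def executable_path(command: str) -> str:
    """Strip arguments from a Run value; quoted paths may contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_run_entries(entries, baseline=BASELINE_EXES):
    """Return [(value_name, command, reasons)] for entries worth a closer look."""
    hits = []
    for name, command in entries:
        directory, exe = ntpath.split(executable_path(command))
        if directory.lower() not in SYSTEM_DIRS or exe.lower() in baseline:
            continue  # not in %SysDir%, or an expected system executable
        reasons = ["unexpected executable started from the system directory"]
        if RANDOM_NAME.match(name):
            reasons.append("value name looks random")
        hits.append((name, command, reasons))
    return hits


def read_run_key():
    """Windows only: read the HKLM Run key with the standard-library winreg module."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    for name, command, reasons in audit_run_entries(SAMPLE_ENTRIES):
        print(f"{name}: {command} ({'; '.join(reasons)})")
```

A hit is a lead, not a verdict: confirm it by scanning the referenced file with the engine and DATs specified at the top of this description rather than by the name alone, since legitimate software also starts from the system directory.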

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine. The worm spoofs the From: address of outgoing messages.

The email may carry the worm in a MIME HTML file, constructed to run the worm when the HTML is viewed. (Please see the Exploit-Codebase description for more information.)

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all Registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.Carool (Symantec)
  • Bugbear.C (Panda)
  • W32.Bugbear.E@mm (NAV)
