W32/Bibrog.a@MM

Type
Virus
SubType
E-mail worm
Discovery Date
01/29/2003
Length
162,304 bytes
Minimum DAT
4246 (02/05/2003)
Updated DAT
4253 (03/19/2003)
Minimum Engine
5.1.00
Description Added
01/29/2003
Description Modified
03/05/2003 5:27 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This mass-mailing worm sends itself to all users found in the Outlook Address Book using MAPI. It poses as a Big Brother game and contains a destructive payload. Due to hard-coded path names, the virus will not spread or carry out its payload on most WinNT/2K/XP systems. The worm arrives in an email message containing the following information:

Subject: BigBrother Mexico Shooter
Body: BigBrother Mexico Shooter Atinale a todos
Attachment: bigburros.exe

When the attachment is run, a shooting game is displayed.

The game functions as expected, but the virus works in the background performing the following tasks:
  1. Copies itself to the START UP folder as ITCH.EXE
  2. Copies itself to the WINDOWS (%WinDir%) directory as bigburros.exe
  3. Copies itself to the SYSTEM (%SysDir%) directory as BigBrother.exe
  4. Creates a text file, %WinDir%\bigbrother.txt

Upon reboot, the ITCH.EXE file is run, which results in the creation of two marker registry values under the following key:
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\yezz\varia "cuento"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\yezz\varia "UpdateRegistry"

These registry values record the number of times the virus has run under the name ITCH.EXE. They are therefore not created the first time the virus is run (from the attachment); they are created only after the system is restarted and ITCH.EXE in the START UP folder is called. The "cuento" value is an incremental count of the number of times ITCH.EXE has run. When certain "trigger" counts are reached, the virus carries out the following payloads:
  1. The first time ITCH.EXE is run, the mass-mailing routine is carried out, two image files are dropped, and one of them is set as the desktop wallpaper. All .GIF, .HTML, .JPG, and .ZIP files on the local system are deleted.
  2. The third time ITCH.EXE is run, the virus sets the desktop wallpaper again and deletes all .DLL, .EXE, .MP3, and .MPG files on the local system.

Symptoms

Presence of the following files:

• %WinDir%\bigbrother.txt
• %WinDir%\bigburros.exe
• %WinDir%\facult.bmp
• %WinDir%\mavs.bmp
• %WinDir%\START MENU\PROGRAMS\START UP\itch.exe
• %WinDir%\MENÚ INICIO\PROGRAMAS\INICIO\itch.exe
• %SysDir%\BigBrother.exe

Method of Infection

This worm spreads via email. Once run, it installs itself on the local system, which is then used to spread the virus the next time Windows is restarted. Since the virus uses hard-coded paths to the START UP folder, it does not function as described where the following paths do not exist:

• %WinDir%\START MENU\PROGRAMS\START UP\
• %WinDir%\MENÚ INICIO\PROGRAMAS\INICIO\

These paths are typically found only on Win9x/ME systems.
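As an added defender-side example (not McAfee's tooling and not part of the original description), the following Python maps the indicators above onto a host: it checks a file listing for the dropped files and reads the "cuento" run counter to report which trigger payloads have already fired. The file listing and registry dump are constructed samples, and the %WinDir% and %SysDir% defaults are assumptions.

```python
"""Offline triage of the W32/Bibrog.a@MM indicators above (added example, not McAfee's tooling).
The file listing and registry dump are constructed; on a live host feed in real data."""

# File indicators from the Symptoms section; %WinDir% / %SysDir% are expanded by the caller.
FILE_IOCS = [
    r"%WinDir%\bigbrother.txt",
    r"%WinDir%\bigburros.exe",
    r"%WinDir%\facult.bmp",
    r"%WinDir%\mavs.bmp",
    r"%WinDir%\START MENU\PROGRAMS\START UP\itch.exe",
    r"%WinDir%\MENÚ INICIO\PROGRAMAS\INICIO\itch.exe",
    r"%SysDir%\BigBrother.exe",
]
# Marker key created on the first run of ITCH.EXE; the 'cuento' value counts its runs.
REG_KEY = r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\yezz\varia"

def expand(path, windir, sysdir):
    return path.replace("%WinDir%", windir).replace("%SysDir%", sysdir)

def match_files(listing, windir=r"C:\WINDOWS", sysdir=r"C:\WINDOWS\SYSTEM"):
    """Return the indicator paths present in `listing` (case-insensitive, like FAT/NTFS)."""
    present = {p.lower() for p in listing}
    return [ioc for ioc in FILE_IOCS if expand(ioc, windir, sysdir).lower() in present]

def payload_stage(registry):
    """Infer from the 'cuento' counter which trigger payloads have already fired.
    `registry` maps key path -> {value name: data}. Returns (run count, fired payloads)."""
    values = {k.lower(): v for k, v in registry.get(REG_KEY, {}).items()}
    if "cuento" not in values:
        return 0, []  # marker absent: ITCH.EXE has not run from the START UP folder yet
    count = int(values["cuento"])
    fired = []
    if count >= 1:
        fired.append("run 1: mass-mailing; .GIF/.HTML/.JPG/.ZIP deleted; wallpaper set")
    if count >= 3:
        fired.append("run 3: .DLL/.EXE/.MP3/.MPG deleted; wallpaper set again")
    return count, fired

def triage(listing, registry):
    files = match_files(listing)
    count, fired = payload_stage(registry)
    return {"infected": bool(files), "files": files, "runs": count, "fired": fired}

# Constructed sample: an English Win9x host after ITCH.EXE has run once at startup.
SAMPLE_FILES = [r"C:\WINDOWS\bigbrother.txt", r"C:\WINDOWS\bigburros.exe",
                r"C:\WINDOWS\facult.bmp", r"C:\WINDOWS\mavs.bmp", r"C:\WINDOWS\notepad.exe",
                r"C:\WINDOWS\Start Menu\Programs\Start Up\itch.exe", r"C:\WINDOWS\SYSTEM\BigBrother.exe"]
SAMPLE_REG = {REG_KEY: {"cuento": "1", "UpdateRegistry": "1"}}
```

Because the file check is case-insensitive and the Spanish folder name is tried as well, the same function covers both localised START UP paths the worm hard-codes.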

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Bibrog@mm (Symantec)
• W32/Bibrog@MM
