W32/Bugbear.b@MM - Mass-Mailing Worm Alters Security Program Settings

By Livewired Communications
Johannesburg, 09 Jun 2003

AVERT (Anti-Virus Response Team), the world-class anti-virus research division of Network Associates, has assigned a risk assessment of High to the recently discovered W32/Bugbear.B@MM, also known as Bugbear. Bugbear.B is a complex mass-mailing worm with many components; it spreads via network shares and by emailing itself to addresses found in the user's local address book. It was first discovered on Tuesday and has since been found in numerous countries across North America and Europe.

Symptoms

Bugbear is an Internet mass-mailing worm that, once activated, emails itself to addresses found on the local system. The sender address can be spoofed, or forged, so it is not a direct indication of which user is infected. Additionally, it extracts addresses from files whose names contain these strings:

*.DBX
*.EML
*INBOX
*.MBX
*.MMF
*.NCH
*.ODS
*.TBB

Bugbear spreads using network shares and by mailing itself with its default SMTP engine. Users can tell they have been infected by the presence of a non-standard .EXE file in the Startup folder and by the system listening on TCP port 1080. It also contains a long list of domain names, seemingly for email forging purposes, which include:

* 1natbanker.com
* 1nationalbank.com
* 1stfederal.com
* 1stnatbank.com
* 1stnationalbank.com
* 365online.com
* 53.com

Because Bugbear utilizes numerous subject headers, users should immediately delete email carrying any of the following subject lines:

* Announcement
* Daily Email Reminder
* fantastic
* free shipping!
* Get 8 FREE issues - no risk!
* Get a FREE gift!
* Hello!
* Hi!
* hmm..
* Interesting...
* Introduction
* Just a reminder
* Lost & Found
* Market Update Report

To view the complete list of potential email subject lines, please visit the description page on AVERT's site at: http://vil.nai.com/vil/content/v_100358.htm.

Body of email:

The message body and attachment name vary and may contain fragments of files found on the victim's system. The attachment name may contain the following strings:

* Card
* Docs
* image
* images
* music
* news
* photo
* pics
* readme
* resume
* Setup
* song
* video
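As an added example, not code from the advisory or from AVERT, the following Python triages one raw message against the subject lines, forging domains and attachment-name fragments listed above. The executable-extension set and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicator lists copied from the advisory's (partial) lists; matching is case-insensitive.
SUBJECTS = {
    "announcement", "daily email reminder", "fantastic", "free shipping!",
    "get 8 free issues - no risk!", "get a free gift!", "hello!", "hi!",
    "hmm..", "interesting...", "introduction", "just a reminder",
    "lost & found", "market update report",
}
ATTACHMENT_FRAGMENTS = {"card", "docs", "image", "images", "music", "news", "photo",
                        "pics", "readme", "resume", "setup", "song", "video"}
FORGED_DOMAINS = {"1natbanker.com", "1nationalbank.com", "1stfederal.com",
                  "1stnatbank.com", "1stnationalbank.com", "365online.com", "53.com"}
# Which extensions count as executable is an assumption, not from the advisory.
EXEC_EXT = (".exe", ".scr", ".pif")

def triage(raw):
    """Return the indicators matched by one raw RFC 822 message, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    # A forged From domain flags the mail; it says nothing about who is infected.
    sender = parseaddr(str(msg["from"] or ""))[1].lower()
    if sender.rpartition("@")[2] in FORGED_DOMAINS:
        hits.append("forged-domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            hits.append("exe-attachment")
            if any(frag in name for frag in ATTACHMENT_FRAGMENTS):
                hits.append("attachment-name")
    return hits

# Constructed sample message (not a real Bugbear capture).
SAMPLE = (
    b"From: alerts@1stnationalbank.com\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: Just a reminder\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="photo.exe"\r\n'
    b'Content-Disposition: attachment; filename="photo.exe"\r\n\r\nMZ\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))  # ['subject', 'forged-domain', 'exe-attachment', 'attachment-name']
```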

Once Bugbear infects a computer system, it will attempt to terminate the processes of security programs running on that system. For example:

* ACKWIN32.exe
* ANTI-TROJAN.exe
* AUTODOWN.exe
* AVE32.exe
* AVKSERV.exe
* AVPDOS32.exe
* AVPM.exe
* BLACKICE.exe
* SAFEWEB.exe
* SCANPM.exe
* SCRSCAN.exe
* SERV95.exe
* VET95.exe
* VETTRAY.exe
* VSCAN40.exe
* ZONEALARM.exe

To view the complete list of security programs affected, please visit the description page on AVERT's site at: http://vil.nai.com/vil/content/v_100358.htm.

Additionally, Bugbear.b contains a polymorphic parasitic file infector, meaning that the virus changes with each infection. It retrieves the path to the Program Files directory from the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir

It also tries to infect multiple files including:

* hh.exe
* mplayer.exe
* notepad.exe
* regedit.exe
* scandskw.exe
* winhelp.exe
* ACDSee32\ACDSee32.exe
* Adobe\Acrobat 4.0\Reader\AcroRd32.exe
* adobe\acrobat 5.0\reader\acrord32.exe
* AIM95\aim.exe
* CuteFTP\cutftp32.exe

Cure

Immediate information and cure for this virus can be found online at the McAfee AVERT site at http://vil.nai.com/vil/content/v_100358.htm. McAfee VirusScan users should update their systems from that page and use the 4270 DAT file to stop potential damage.

AVERT

AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures that are developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.

Network Associates

With headquarters in Santa Clara, Calif., Network Associates, Inc. is the leading provider of intrusion prevention solutions. Network Associates is comprised of three product groups: McAfee Security, delivering world-class anti-virus and security products; Sniffer Technologies, a leader in network availability and network protection; and Magic Solutions, a leader in innovative service management solutions. For further information: http://www.networkassociates.com/.