
Remove Worm.BugBear.B


About BugBear.B

W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. It is a mass-mailing worm that also spreads through open network shares. It installs a keystroke logger with backdoor capabilities in order to capture sensitive data such as passwords, and it sends the collected data to one of 10 hard-coded public Internet e-mail addresses (listed below).

The worm's attachment also exploits the Internet Explorer vulnerability described in Microsoft Security Bulletin MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment". On an unpatched system the attachment runs automatically when the infected message is read or merely previewed in a mail client that uses the IE rendering engine, such as Outlook or Outlook Express; no click on the attachment is needed.


The worm sends e-mail with one of the following subject lines:

  • Hello!
  • update
  • hmm..
  • Payment notices
  • Just a reminder
  • Correction of errors
  • history screen
  • Announcement
  • various
  • Introduction
  • Interesting...
  • I need help about script!!!
  • Stats
  • Please Help...
  • Report
  • Membership Confirmation
  • Get a FREE gift!
  • Today Only
  • New Contests
  • Lost & Found
  • bad news
  • wow!
  • fantastic
  • click on this!
  • Market Update Report
  • empty account
  • My eBay ads
  • Cows
  • 25 merchants and rising
  • CALL FOR INFORMATION!
  • new reading
  • Sponsors needed
  • SCAM alert!!!
  • Warning!
  • its easy
  • free shipping!
  • News
  • Daily Email Reminder
  • Tools For Your Online Business
  • New bonus in your cash account
  • Your Gift
  • Re:
  • $150 FREE Bonus!
  • Your News Alert
  • Hi!
  • Get 8 FREE issues - no risk!
  • Greets!

Attachment:
The worm builds the attachment filename from the name of a file in the infected user's My Documents folder that has one of the following extensions:

  • .reg
  • .ini
  • .bat
  • .diz
  • .txt
  • .cpp
  • .html
  • .htm
  • .jpeg
  • .jpg
  • .gif
  • .cpl
  • .dll
  • .vxd
  • .sys
  • .com
  • .exe
  • .bmp

A second extension from the following list is then appended, so report.txt becomes, for example, report.txt.scr (Windows hides known extensions by default, so Explorer shows such a file as report.txt):

  • .scr
  • .pif
  • .exe

Alternatively, the base name is one of the following words, again followed by one of the three executable extensions above:

  • readme
  • Setup
  • Card
  • Docs
  • news
  • image
  • images
  • pics
  • resume
  • photo
  • video
  • music
  • song
  • data

Programs Infected
The worm also infects executables on local drives and network shares whose paths match the following names (the longer entries are relative to the Program Files folder). It appends its code to the host program, and that appended code is polymorphic, so infected copies differ from one another and a fixed byte signature will not catch all of them; repairing the host program, or reinstalling it from original media, is the reliable fix.

  • scandskw.exe
  • regedit.exe
  • mplayer.exe
  • hh.exe
  • notepad.exe
  • winhelp.exe
  • Internet Explorer\iexplore.exe
  • adobe\acrobat 5.0\reader\acrord32.exe
  • WinRAR\WinRAR.exe
  • Windows Media Player\mplayer2.exe
  • Real\RealPlayer\realplay.exe
  • Outlook Express\msimn.exe
  • Far\Far.exe
  • CuteFTP\cutftp32.exe
  • Adobe\Acrobat 4.0\Reader\AcroRd32.exe
  • ACDSee32\ACDSee32.exe
  • MSN Messenger\msnmsgr.exe
  • WS_FTP\WS_FTP95.exe
  • QuickTime\QuickTimePlayer.exe
  • StreamCast\Morpheus\Morpheus.exe
  • Zone Labs\ZoneAlarm\ZoneAlarm.exe
  • Trillian\Trillian.exe
  • Lavasoft\Ad-aware 6\Ad-aware.exe
  • AIM95\aim.exe
  • Winamp\winamp.exe
  • DAP\DAP.exe
  • ICQ\Icq.exe
  • kazaa\kazaa.exe
  • winzip\winzip32.exe
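The following script is an added example, not code from this page: it shows the integrity check this section calls for. It records size and SHA-256 for the listed host programs from a known-clean state and then reports files that grew while keeping their original prefix, which is exactly what an appending infector produces. The path list is a subset of the one above, and the root directory, the fake binaries and the appended payload are all constructed for the example; on a real host the root would be the Program Files folder and the baseline would come from a clean install or the vendor's media.

```python
"""Integrity check for the host-program list above.

Added example, not code from the original page. The worm appends itself to
these executables, so an infected copy is larger and hashes differently;
a size-and-SHA-256 baseline taken from a known-clean state exposes it.
The paths and fake binaries below are constructed for the example.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Subset of the page's list; entries are relative to the Program Files folder.
TARGETS = [
    "Internet Explorer/iexplore.exe",
    "Outlook Express/msimn.exe",
    "winzip/winzip32.exe",
]

Fingerprint = Tuple[int, str]  # (size in bytes, sha256 hex digest)


def fingerprint(path: str) -> Fingerprint:
    """Size and SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def take_baseline(root: str, targets: Iterable[str]) -> Dict[str, Fingerprint]:
    """Fingerprint every target that exists under root; missing ones are skipped."""
    base: Dict[str, Fingerprint] = {}
    for rel in targets:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            base[rel] = fingerprint(path)
    return base


def check(root: str, baseline: Dict[str, Fingerprint]) -> List[Tuple[str, str]]:
    """Compare current files to the baseline and return (path, finding) pairs.

    A file that grew but still starts with the original bytes is reported as
    'appended', the signature of an infector that adds itself to the end of
    its host; any other change is 'modified'; a vanished file is 'missing'.
    """
    findings: List[Tuple[str, str]] = []
    for rel, (size0, digest0) in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
            continue
        size1, digest1 = fingerprint(path)
        if (size1, digest1) == (size0, digest0):
            continue
        if size1 > size0:
            with open(path, "rb") as f:
                prefix = hashlib.sha256(f.read(size0)).hexdigest()
            findings.append((rel, "appended" if prefix == digest0 else "modified"))
        else:
            findings.append((rel, "modified"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a fake install, baseline it, append bytes to one file, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for rel in TARGETS:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"MZ" + rel.encode() * 100)  # constructed stand-in for a PE file
        baseline = take_baseline(root, TARGETS)
        # Simulate the infection: append a constructed payload to one host program.
        with open(os.path.join(root, "Outlook Express/msimn.exe"), "ab") as f:
            f.write(b"\x90" * 4096)
        return check(root, baseline)


if __name__ == "__main__":
    print(demo())  # [('Outlook Express/msimn.exe', 'appended')]
```

The baseline must be taken before infection (or from media you trust), since a baseline of an already-infected file would pass as "unchanged"; and because the appended code is polymorphic, the size delta is a more stable tell across infected hosts than any hash of the appended bytes.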

Bank domains attack
W32.Bugbear.B@mm has functionality that specifically targets financial institutions: it carries a list of more than one thousand bank domain names from around the world.

If the default e-mail address configured on the local system belongs to one of those bank domains, the worm also sends the machine's cached dial-up networking passwords to its author, in addition to the keystroke log described above.

The log is e-mailed to one of the following addresses every two hours, or sooner once it exceeds 25,000 bytes:

  • ifrbr@canada.com
  • sdorad@juno.com
  • fbnfgh@email.ro
  • eruir@hotpop.com
  • ersdes@truthmail.com
  • eofb2@blazemail.com
  • ioter5@yook.de
  • iuery@myrealbox.com
  • jkfhw@wildemail.com
  • ds2iahf@kukamail.com


Banking institutions are therefore at greater risk than other organisations. Blocking outbound mail to these ten addresses at the mail gateway, and alerting on any attempt, is a cheap control that also surfaces infected hosts.
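The following Python script is an added example, not code from this page. It turns the three mail-side indicators described above (the lure subject lines, the document-plus-executable attachment names, and the ten drop addresses) into one gateway triage check built on the standard library's email parser. Both sample messages are constructed for the example, the subject set is a subset of the page's list, and the extension and word lists are taken from the Attachment section.

```python
"""Mail-gateway triage for the Bugbear.B mail indicators described above.

Added example, not code from the original page. It checks one RFC 822
message for a lure subject, an attachment whose name is a document
extension followed by .scr/.pif/.exe (or a lure word plus one of those),
and a recipient among the hard-coded drop addresses. Samples are constructed.
"""
import email
import email.utils
import re
from typing import List, Optional

LURE_SUBJECTS = {  # subset of the page's list; the worm uses them verbatim
    "Hello!", "update", "hmm..", "Payment notices", "Just a reminder",
    "Correction of errors", "Membership Confirmation", "Re:", "Hi!", "Stats",
}
DOC_EXTS = {".reg", ".ini", ".bat", ".diz", ".txt", ".cpp", ".html", ".htm",
            ".jpeg", ".jpg", ".gif", ".cpl", ".dll", ".vxd", ".sys", ".com",
            ".exe", ".bmp"}
EXEC_EXTS = {".scr", ".pif", ".exe"}
LURE_WORDS = {"readme", "setup", "card", "docs", "news", "image", "images",
              "pics", "resume", "photo", "video", "music", "song", "data"}
DROP_ADDRESSES = {
    "ifrbr@canada.com", "sdorad@juno.com", "fbnfgh@email.ro",
    "eruir@hotpop.com", "ersdes@truthmail.com", "eofb2@blazemail.com",
    "ioter5@yook.de", "iuery@myrealbox.com", "jkfhw@wildemail.com",
    "ds2iahf@kukamail.com",
}

# stem + optional inner extension + final extension, e.g. "report.txt.scr"
_NAME_RE = re.compile(r"^(?P<stem>.+?)(?P<inner>\.[^.]+)?(?P<outer>\.[^.]+)$")


def classify_attachment(name: str) -> Optional[str]:
    """Return 'double-extension', 'lure-name', or None for one filename."""
    m = _NAME_RE.match(name)
    if not m or m.group("outer").lower() not in EXEC_EXTS:
        return None
    inner = (m.group("inner") or "").lower()
    if inner in DOC_EXTS:
        # "report.txt.scr": Explorer hides the known .scr and shows "report.txt"
        return "double-extension"
    if not inner and m.group("stem").lower() in LURE_WORDS:
        # "photo.pif" or "Setup.exe": weaker, since genuine setup.exe files exist
        return "lure-name"
    return None


def triage(raw_message: str) -> List[str]:
    """Return the indicators found in one raw message: subject, attachments, recipients."""
    msg = email.message_from_string(raw_message)
    hits: List[str] = []
    subject = msg.get("Subject", "")
    if subject in LURE_SUBJECTS:
        hits.append(f"lure-subject:{subject}")
    for part in msg.walk():  # multipart containers have no filename and are skipped
        name = part.get_filename()
        verdict = classify_attachment(name) if name else None
        if verdict:
            hits.append(f"{verdict}:{name}")
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    for _, addr in email.utils.getaddresses(headers):
        if addr.lower() in DROP_ADDRESSES:
            hits.append(f"drop-address:{addr.lower()}")
    return hits


# Constructed inbound lure: subject and attachment name built from the page's lists.
LURE_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: Payment notices
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="invoice.txt.scr"
Content-Disposition: attachment; filename="invoice.txt.scr"

TVo=
--b1--
"""

# Constructed outbound exfiltration attempt to one of the drop addresses.
EXFIL_SAMPLE = """\
From: teller@bank.example
To: ifrbr@canada.com
Subject: data

(keystroke log would be here)
"""

if __name__ == "__main__":
    print(triage(LURE_SAMPLE))   # ['lure-subject:Payment notices', 'double-extension:invoice.txt.scr']
    print(triage(EXFIL_SAMPLE))  # ['drop-address:ifrbr@canada.com']
```

The double-extension case is the strong signal; a bare lure word such as Setup.exe is weaker because genuine installers use that name, so treat a 'lure-name' hit as something to combine with the subject or the recipient rather than as a verdict on its own. A 'drop-address' hit on outbound mail identifies an infected sender regardless of the other two.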

Anti-virus and firewall program termination
The worm attempts to terminate running anti-virus and personal-firewall processes whose image names match the following list. A security product that stops running on its own, or refuses to stay running, is itself an indicator of infection:

  • ZONEALARM.EXE
  • WFINDV32.EXE
  • WEBSCANX.EXE
  • VSSTAT.EXE
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • VSCAN40.EXE
  • VETTRAY.EXE
  • VET95.EXE
  • TDS2-NT.EXE
  • TDS2-98.EXE
  • TCA.EXE
  • TBSCAN.EXE
  • SWEEP95.EXE
  • SPHINX.EXE
  • SMC.EXE
  • SERV95.EXE
  • SCRSCAN.EXE
  • SCANPM.EXE
  • SCAN95.EXE
  • SCAN32.EXE
  • SAFEWEB.EXE
  • RESCUE.EXE
  • RAV7WIN.EXE
  • RAV7.EXE
  • PERSFW.EXE
  • PCFWALLICON.EXE
  • PCCWIN98.EXE
  • PAVW.EXE
  • PAVSCHED.EXE
  • PAVCL.EXE
  • PADMIN.EXE
  • OUTPOST.EXE
  • NVC95.EXE
  • NUPGRADE.EXE
  • NORMIST.EXE
  • NMAIN.EXE
  • NISUM.EXE
  • NAVWNT.EXE
  • NAVW32.EXE
  • NAVNT.EXE
  • NAVLU32.EXE
  • NAVAPW32.EXE
  • N32SCANW.EXE
  • MPFTRAY.EXE
  • MOOLIVE.EXE
  • LUALL.EXE
  • LOOKOUT.EXE
  • LOCKDOWN2000.EXE
  • JEDI.EXE
  • IOMON98.EXE
  • IFACE.EXE
  • ICSUPPNT.EXE
  • ICSUPP95.EXE
  • ICMON.EXE
  • ICLOADNT.EXE
  • ICLOAD95.EXE
  • IBMAVSP.EXE
  • IBMASN.EXE
  • IAMSERV.EXE
  • IAMAPP.EXE
  • FRW.EXE
  • FPROT.EXE
  • FP-WIN.EXE
  • FINDVIRU.EXE
  • F-STOPW.EXE
  • F-PROT95.EXE
  • F-PROT.EXE
  • F-AGNT95.EXE
  • ESPWATCH.EXE
  • ESAFE.EXE
  • ECENGINE.EXE
  • DVP95_0.EXE
  • DVP95.EXE
  • CLEANER3.EXE
  • CLEANER.EXE
  • CLAW95CF.EXE
  • CLAW95.EXE
  • CFINET32.EXE
  • CFINET.EXE
  • CFIAUDIT.EXE
  • CFIADMIN.EXE
  • BLACKICE.EXE
  • BLACKD.EXE
  • AVWUPD32.EXE
  • AVWIN95.EXE
  • AVSCHED32.EXE
  • AVPUPD.EXE
  • AVPTC32.EXE
  • AVPM.EXE
  • AVPDOS32.EXE
  • AVPCC.EXE
  • AVP32.EXE
  • AVP.EXE
  • AVNT.EXE
  • AVKSERV.EXE
  • AVGCTRL.EXE
  • AVE32.EXE
  • AVCONSOL.EXE
  • AUTODOWN.EXE
  • APVXDWIN.EXE
  • ANTI-TROJAN.EXE
  • ACKWIN32.EXE
  • _AVPM.EXE
  • _AVPCC.EXE
  • _AVP32.EXE

Backdoor activity
The worm also listens on TCP port 1080. The worm's author can connect to this port and perform the following actions on the infected computer (TCP 1080 is also the standard SOCKS proxy port, so confirm which process owns the listener before concluding that a host is infected):

  • Delete files.
  • Terminate processes.
  • List processes and deliver the list to the worm's creator.
  • Copy files.
  • Start processes.
  • List files and deliver the list to the worm's creator.
  • Deliver intercepted keystrokes to the worm's creator in encrypted form. This exposes anything typed on the computer (passwords, login details, and so on).
  • Deliver the system information to the worm's creator in the following form:
    • User: <user name>
    • Processor: <type of processor used>
    • Windows version: <Windows version, build number>
    • Memory information: <Memory available, and so on>
    • Local drives, their types (for example, fixed/removable/RAM disk/CD-ROM/remote), as well as their physical characteristics.
  • List the network resources and their types and deliver the list to the worm's creator.
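As an added example (not the page's own code), the script below shows the host-side checks that follow from the two lists above: it parses the text printed by Windows XP's tasklist and netstat -ano, maps any TCP 1080 listener to the process that owns it, and reports which of the expected security processes are no longer running. The two sample outputs are constructed for the example, the expected-process set is a two-entry subset of the kill list, and the image name svcnet.exe is a placeholder, not the worm's real file name.

```python
"""Host triage for the kill list and the TCP 1080 backdoor described above.

Added example, not code from the original page. It parses the text that
Windows XP's `tasklist` and `netstat -ano` print, maps a TCP 1080 listener
to its owning process, and lists expected security processes that are
absent. Both sample outputs are constructed; "svcnet.exe" is a placeholder.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Subset of the page's kill list; use the names of the products actually installed.
EXPECTED_SECURITY_PROCESSES: Set[str] = {"ZONEALARM.EXE", "NAVAPW32.EXE"}

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         16 K
svchost.exe                    932 Console                 0      4,120 K
explorer.exe                  1240 Console                 0     14,532 K
NAVAPW32.EXE                  1388 Console                 0      6,904 K
svcnet.exe                    1708 Console                 0      2,240 K
"""

NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       1708
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1043       192.168.1.1:80         ESTABLISHED     1240
  UDP    0.0.0.0:445            *:*                                    4
"""

# image name (may contain spaces), PID, session name, session number, memory
_TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# IPv4 TCP listeners only; the PID column is present only with `netstat -o`
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING(?:\s+(?P<pid>\d+))?\s*$"
)


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output; header lines do not match."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = _TASK_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image").strip()
    return procs


def listening_tcp(text: str) -> List[Tuple[str, int, Optional[int]]]:
    """Return (local ip, port, pid or None) for every LISTENING TCP socket."""
    sockets: List[Tuple[str, int, Optional[int]]] = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            pid = int(m.group("pid")) if m.group("pid") else None
            sockets.append((m.group("ip"), int(m.group("port")), pid))
    return sockets


def find_backdoor_listener(netstat_text: str, tasklist_text: str,
                           port: int = 1080) -> List[Tuple[str, int, Optional[int], str]]:
    """Return (ip, port, pid, image) for each listener on `port`.

    TCP 1080 is also the SOCKS proxy port, so a hit is an indicator to confirm
    against the owning image, not proof of infection by itself.
    """
    procs = parse_tasklist(tasklist_text)
    return [(ip, p, pid, procs.get(pid, "<unknown>"))
            for ip, p, pid in listening_tcp(netstat_text) if p == port]


def missing_security_processes(tasklist_text: str,
                               expected: Set[str] = EXPECTED_SECURITY_PROCESSES) -> List[str]:
    """Names from `expected` that are not running; the worm kills them by name."""
    running = {name.upper() for name in parse_tasklist(tasklist_text).values()}
    return sorted(name for name in expected if name.upper() not in running)


if __name__ == "__main__":
    print(find_backdoor_listener(NETSTAT_SAMPLE, TASKLIST_SAMPLE))  # [('0.0.0.0', 1080, 1708, 'svcnet.exe')]
    print(missing_security_processes(TASKLIST_SAMPLE))             # ['ZONEALARM.EXE']
```

Run the two commands on the suspect host, save their output to files, and feed the text to these functions from a clean machine; a 1080 listener owned by an image you do not recognise, together with a security product that is installed but not running, is the combination this section describes.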

How to Remove W32.Bugbear.B

The easiest way to remove W32.Bugbear.B@mm is to download the free removal tool that Symantec published for it and run it. We also recommend the following manual procedure:

1.   Disable System Restore if your operating system is Windows Me or XP, so that an infected restore point cannot bring the worm back after cleaning.

2.   Connect to the Internet and update the virus definitions of your anti-virus program.

3.   Restart the computer in Safe mode.

4.   Disconnect all network connections, including cable and DSL, so that the worm cannot spread to, or return from, network shares while you clean.

5.   Run a full scan and repair or delete every infected file. Host programs from the "Programs Infected" list that cannot be repaired should be reinstalled from original media.

6.   Because the worm logs keystrokes, change every password that was typed on the machine while it was infected, and do so from a clean computer.

© 2003 - 2004 SpyAny.com