PE_BUGBEAR.B
Overview

Malware type: File Infector

Aliases: W32.Bugbear.B@mm (Symantec), W32/Bugbear-B (Sophos), Email-Worm.Win32.Tanatos.b (Kaspersky), Worm/Bugbear.B (Avira), W32/Bugbear.B@mm (F-Prot), W32/Bugbear.69916@MM (McAfee)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000 and XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This polymorphic, file-infecting variant of WORM_BUGBEAR.A retains all the functionality of the earlier worm, including its backdoor capabilities.

The worm opens a backdoor on TCP port 1080 that lets a remote user connect to and control the affected system. It also terminates the processes of certain antivirus programs, sends large amounts of data to shared network printers, and creates a mutex named w32shamur, which can serve as a host-based infection marker.

The worm uses its own SMTP engine to send email to addresses harvested from the infected machine. Its messages are crafted to exploit a MIME-handling vulnerability that causes the attachment to execute automatically when the message is viewed or previewed in Microsoft Outlook or Outlook Express on a system running an unpatched Internet Explorer 5.01 or 5.5. Details are in Microsoft Security Bulletin MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

This worm sends email with the following details:

Subject: <any of the pre-defined subjects below, or a subject taken from existing or incoming email messages>

• Get 8 FREE issues - no risk!
• Hi!
• Your News Alert
• $150 FREE Bonus!
• Re:
• Your Gift
• New bonus in your cash account
• Tools For Your Online Business
• Daily Email Reminder
• News
• free shipping!
• its easy
• Warning!
• SCAM alert!!!
• Sponsors needed
• new reading
• CALL FOR INFORMATION!
• 25 merchants and rising
• Cows
• My eBay ads
• empty account
• Market Update Report
• click on this!
• fantastic
• wow!
• bad news
• Lost & Found
• New Contests
• Today Only
• Get a FREE gift!
• Membership Confirmation
• Report
• Please Help...
• Stats
• I need help about script!!!
• Interesting...
• Introduction
• various
• Announcement
• history screen
• Correction of errors
• Just a reminder
• Payment notices
• hmm..
• update
• Hello!

Message Body: <The body may be empty, or may be taken from random text files or email messages found on the infected machine>

The attachment's base file name may be any of the following strings:

  • Setup
  • Card
  • Docs
  • news
  • image
  • images
  • pics
  • resume
  • photo
  • video
  • music
  • song
  • data
  • readme

Alternatively, the attachment may carry a double-extension file name, e.g. ATTACHMENT.JPG.EXE. In that case the base name and the first (inner) extension are copied from a file found on the infected host, where the inner extension may be any of the following:

  • GIF
  • JPG
  • JPEG
  • BMP
  • EXE
  • COM
  • SYS
  • VXD
  • DLL
  • CPL
  • HTM
  • HTML
  • C
  • CPP
  • TXT
  • DIZ
  • H
  • BAT
  • INI
  • REG

If such a file is found, the worm reuses its full name, inner extension included, and appends one of the following executable extensions (for example, ATTACH.JPG.EXE):

  • EXE
  • SCR
  • PIF

The worm sets the attachment's declared Content-Type according to the inner extension rather than the executable one, choosing from the following:

  • image/gif
  • image/jpeg
  • text/html
  • text/plain
  • application/octet-stream
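The naming and Content-Type behaviour above gives a mail gateway two cheap signals: a final extension of EXE, SCR or PIF hidden behind a benign-looking inner extension, and a declared Content-Type (image/* or text/*) that contradicts that final extension. The following added example (not Trend Micro's code, and not a real BUGBEAR capture) implements that check with Python's standard email library. The message it scans is constructed inline; the sender and recipient addresses and the attachment contents are placeholders.

```python
"""Added example: flag mail attachments that match the PE_BUGBEAR.B naming
pattern (stolen file name + inner extension + EXE/SCR/PIF) and whose declared
Content-Type reflects the inner extension instead of the executable one."""
import email
from email import policy
from email.message import EmailMessage

# Final extensions the worm appends to the reused file name.
EXECUTABLE_EXTS = {"exe", "scr", "pif"}


def split_extensions(filename):
    """'Docs.jpg.exe' -> ('docs', ['jpg', 'exe']); comparison is case-insensitive."""
    parts = filename.lower().split(".")
    return parts[0], parts[1:]


def inspect_attachment(filename, content_type):
    """Return a finding dict for an executable attachment, or None.

    Reasons recorded, in order:
      1. the final extension is an executable type (always present when flagged)
      2. a second, inner extension precedes it (double extension)
      3. the declared Content-Type is not an application/* type, i.e. the
         message presents the executable as an image or text document
    """
    _, exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    reasons = [f"executable extension .{exts[-1]}"]
    if len(exts) >= 2:
        reasons.append(f"double extension .{exts[-2]}.{exts[-1]}")
    ct = content_type.lower()
    if not ct.startswith("application/"):
        reasons.append(f"executable attachment declared as {ct}")
    return {"filename": filename, "content_type": ct, "reasons": reasons}


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and inspect every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue  # unnamed parts carry no file-name signal to check
        finding = inspect_attachment(name, part.get_content_type())
        if finding:
            findings.append(finding)
    return findings


def build_sample_message():
    """Constructed sample message (not a real capture): one masquerading
    attachment declared image/jpeg but named *.jpg.exe, one benign text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # placeholder address
    msg["To"] = "recipient@example.com"  # placeholder address
    msg["Subject"] = "Your Gift"         # one of the subjects listed above
    msg.set_content("see attached")
    msg.add_attachment(b"MZ-placeholder, not a real executable",
                       maintype="image", subtype="jpeg",
                       filename="Docs.jpg.exe")
    msg.add_attachment("quarterly figures", filename="Report.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f["filename"], "->", "; ".join(f["reasons"]))
```

A gateway rule built on this should treat the Content-Type mismatch as the strong signal: a plain `.exe` attachment sent as application/octet-stream is merely policy-worthy, while an executable declared as image/jpeg has no legitimate reason to exist.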

Trend Micro has received damaged (non-functional) samples of PE_BUGBEAR.B and detects them as PE_BUGBEAR.DAM.


Description created: Jun. 4, 2003 11:55:59 PM GMT -0800
Description updated: Jun. 4, 2003 11:56:02 PM GMT -0800
