WORM_BUGBEAR.A
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Tanatos.a (Kaspersky), W32.Bugbear@mm (Symantec), Worm/Bugbear.1 (Avira), W32/Bugbear-A (Sophos)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm propagates via shared network folders and via email. It also terminates antivirus programs, acts as a backdoor server application, and sends out system passwords and logged keystrokes – all of which compromise security on infected machines.

As a backdoor, this worm allows remote users to connect to infected systems via port 36794 and obtain information, manipulate files, and execute programs on the infected systems.

The email messages that this worm sends out contain no message body and can have any of the following subjects:

  • $150 FREE Bonus!
  • 25 merchants and rising
  • Announcement
  • bad news
  • CALL FOR INFORMATION!
  • click on this!
  • Confirmation of Recipes…
  • Correction of errors
  • Daily Email Reminder
  • empty account
  • fantastic
  • free shipping!
  • Get 8 FREE issues - no risk!
  • Get a FREE gift!
  • Greets!
  • hello!
  • history screen
  • hmm..
  • I need help about script!!!
  • Interesting...
  • Introduction
  • its easy
  • Just a reminder
  • Lost & Found
  • Market Update Report
  • Membership Confirmation
  • My eBay ads
  • New bonus in your cash account
  • New Contests
  • new reading
  • Payment notices
  • Please Help...
  • Report
  • SCAM alert!!!
  • Sponsors needed
  • Stats
  • Today Only
  • Tools For Your Online Business
  • update
  • various
  • Warning!
  • Your Gift
  • Your News Alert

This worm spoofs the FROM field and obtains the recipients for its email from email messages, address books, and mail boxes on the infected system.

The email attachment contains the encoded form of the worm, with SETUP.EXE as its default file name. There are instances, however, when this worm searches the user’s personal folder (usually My Documents) and gets the first file found in the folder. It appends the extensions SCR, PIF, or EXE to the file name of the found file to obtain the attachment name. This results in attachments with double extensions.

In the event that it does not find a file in the current user’s personal folder, it combines the following text strings with the SCR, PIF, or EXE extensions:

  • image
  • images
  • music
  • photo
  • readme
  • resume
  • Setup
  • video
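The subject list and the attachment-naming scheme described above (double extensions ending in SCR, PIF, or EXE, or one of the fallback base names) are enough for a simple mail-gateway check. The following Python is an added example, not code from the original description or from Trend Micro; the sample message and the subset of subjects it uses are constructed.

```python
from email import message_from_string
# Traits from the description: attachment extensions, fallback base names, and a subset of subjects.
EXEC_EXTS = {"scr", "pif", "exe"}
FALLBACK_NAMES = {"image", "images", "music", "photo", "readme", "resume", "setup", "video"}
KNOWN_SUBJECTS = {"$150 free bonus!", "bad news", "daily email reminder",
                  "membership confirmation", "your gift", "your news alert"}

def classify_attachment(name):
    """Return why an attachment name matches the worm's naming scheme, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None                          # not an SCR/PIF/EXE attachment
    if len(parts) >= 3:
        return "double extension: " + name   # e.g. budget.xls.scr
    if parts[0] in FALLBACK_NAMES:
        return "fallback name: " + name      # e.g. readme.pif, Setup.EXE
    return None

def scan_message(raw):
    """Parse an RFC 822 message and return the list of indicators found."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        hits.append("known subject: " + subject)
    body_empty = True
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename()
        if fname:
            reason = classify_attachment(fname)
            if reason:
                hits.append(reason)
        elif (part.get_payload(decode=True) or b"").strip():
            body_empty = False               # some real text was sent
    if hits and body_empty:                  # empty body is only a supporting sign
        hits.append("empty message body")
    return hits

# Constructed sample message (not a real capture): known subject, no body text,
# and a double-extension attachment built from a document name.
SAMPLE = """Subject: Daily Email Reminder
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="budget.xls.scr"

--b1--
"""
```

`scan_message(SAMPLE)` returns all three indicators for the sample; extend `KNOWN_SUBJECTS` with the full list above for a production filter.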

On systems with unpatched Internet Explorer 5.0 and 5.5, the worm attachment is executed automatically when messages are either opened or previewed using Microsoft Outlook or Outlook Express.

Due to its network propagation routine, this worm can also cause print jobs to accumulate in network printer queues.

This worm runs on Windows 95, 98, ME, 2000, and XP.


Description created: Sep. 30, 2002 10:32:08 AM GMT -0800
Description updated: Oct. 7, 2002 9:04:35 AM GMT -0800
