AND WORMS
Virus Behavior
In general, a virus has two phases, an "infection phase" and an "attack phase". In the infection phase the virus reproduces as widely as it can; in the attack phase it does whatever damage it has been programmed to do. Its presence is felt only when the virus activates itself.
Infection phase
Virus writers have to balance how and when their virus infects against the possibility of being detected, so the spread of infection may not be immediate. This is the phase in which the virus takes over the system: it first infects the identified target, then takes charge of that target, and finally installs its own instructions. These steps are coded in detail in the instructions given to it by the author.
No one knows exactly when a virus will infect other programs, or in simpler words when it will activate itself. Some viruses infect other programs each time they are executed, while others infect only on a trigger. You can never be sure that your system is free of a virus just because an AV program has been run a few times, since the virus may not yet have started its infection phase. The virus writer wants the program to spread as far as possible so that in the second phase, the "attack phase", the impact on the victim's computer is as large as possible. Many viruses go resident in memory. This gives the virus the upper hand: it can wait for an external event before it starts infecting, and the trigger it uses becomes hard to guess.
A resident virus frequently takes over portions of the system software to hide its presence. This technique is called stealth.
Attack phase
Not all viruses attack, but all of them use system resources and often contain bugs. Many viruses do unpleasant things such as deleting files, changing random data on your disk, slowing down your PC, or stealing passwords from the system and mailing them to a remote email address. Viruses often delay revealing their presence by launching their attack only after they have had ample opportunity to spread, so the attack phase can start months after infection. The attack phase is optional: many viruses simply reproduce themselves and have no trigger for an attack phase.
Overwriting virus
The simplest viruses work by locating a type of file they know how to infect (usually .EXE or .COM) and overwriting part of the program they infect. When that program is executed, the virus code runs and infects more files. Overwriting viruses do not tend to be very successful, since the overwritten program rarely continues to function correctly and the virus is discovered almost immediately. More sophisticated file viruses save the original instructions when they insert their code into the program, which allows them to run the original program after the virus finishes so that everything appears normal.
Parasitic virus or Cavity (space filler) virus
A parasitic virus changes the contents of the file it infects when it copies itself into that file. Such viruses are classified according to where they insert themselves into the file: at the beginning, at the end, or even in the middle, i.e. in parts of the file that are unused, also known as cavities. Insertion in the middle of the file is the most difficult, though there are a number of techniques for doing it. Some viruses compress the code they copy in so that the size of the file is not altered, which also removes the need for a stealth algorithm. The Lehigh virus was an early example of a cavity virus.
Companion virus
A companion virus creates a clone of the designated file so that when that file is run, the clone (i.e. the virus) is executed instead. It makes use of a DOS quirk: COM files are run in preference to EXE files. The virus infects an EXE file by installing a COM file with the same name. If abc.COM and abc.EXE are present in the same directory, typing "abc" at the prompt runs the COM file and not the intended EXE file, because COM files have priority over EXE and .BAT files. So what the virus does is create a file with the original file's name and the extension .COM, and place the virus code inside it.
The companion virus thus infects your files by locating all files with names ending in EXE and creating a matching file ending in COM that contains the viral code. Again, this works because .COM files have priority over .EXE files, and .BAT files have a lower priority than .EXE files.
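As an added example (not code from the original page): the DOS precedence rule just described as a function, plus a check that flags the same-named .COM/.EXE pairs a companion virus leaves behind. The directory listing it runs on is constructed.

```python
"""Added example, not code from the original page: how DOS picks which file
runs for a bare command name, and a check that flags the same-named .COM/.EXE
pairs a companion virus leaves behind.  The directory listing is constructed."""
import os
from collections import defaultdict

# Search order DOS uses when "abc" is typed without an extension, as the
# text describes: .COM first, then .EXE, then .BAT.
DOS_PRECEDENCE = (".COM", ".EXE", ".BAT")


def dos_resolve(command, entries):
    """Return the entry DOS would execute for `command` (case-insensitive),
    or None when no .COM/.EXE/.BAT with that base name exists."""
    by_upper = {name.upper(): name for name in entries}
    for ext in DOS_PRECEDENCE:
        hit = by_upper.get(command.upper() + ext)
        if hit is not None:
            return hit
    return None


def find_companion_pairs(entries):
    """Flag base names that have both a .COM and an .EXE in one directory.
    The .COM shadows the .EXE, which is exactly the condition a companion
    virus creates.  Returns a sorted list of (com_name, exe_name) pairs."""
    groups = defaultdict(dict)
    for name in entries:
        base, ext = os.path.splitext(name)
        ext = ext.upper()
        if ext in (".COM", ".EXE"):
            groups[base.upper()][ext] = name
    return sorted((g[".COM"], g[".EXE"]) for g in groups.values()
                  if ".COM" in g and ".EXE" in g)


def scan_directory(path):
    """Run the pair check against a real directory (non-recursive)."""
    return find_companion_pairs(os.listdir(path))


# Constructed listing: WP.EXE has acquired a same-named WP.COM, COMMAND.COM is
# a legitimate lone .COM, and EDIT.BAT has no companion at all.
SAMPLE_DIR = ["COMMAND.COM", "WP.EXE", "WP.COM", "EDIT.BAT", "README.TXT"]

if __name__ == "__main__":
    print(dos_resolve("wp", SAMPLE_DIR))       # WP.COM, not the intended WP.EXE
    print(find_companion_pairs(SAMPLE_DIR))    # [('WP.COM', 'WP.EXE')]
```

A legitimate lone .COM (COMMAND.COM here) is not flagged; only a base name with both extensions is.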
File Worms
File worms are a modification of the companion virus. When they multiply they copy their code to some other disk or directory, and sometimes give their copies special names in order to make the user run them first.
Tunneling Viruses
Some viruses attempt to tunnel under anti-virus monitoring programs in order to bypass their monitoring functions. The virus finds the original interrupt handlers in DOS and the BIOS and calls them directly, thus bypassing any activity-monitoring program that may be loaded and that intercepts the respective interrupt vectors in its attempt to detect viral activity. Some anti-virus programs attempt to detect this and then reinstall themselves under the virus. This can cause an "interrupt war" between the anti-virus program and the virus and result in problems on your system. Some anti-virus programs also use tunneling techniques to bypass any viruses that might be active in memory when they load.
Camouflage Viruses
When scanners were less sophisticated it might have been possible for a virus to sneak by, because scanners sometimes suppressed certain alarms, knowing them to be false. This type of virus would be extremely hard to write today. When anti-virus scanners were based entirely on signatures there was always the possibility of a false alarm when a signature was found in an uninfected file (a statistical possibility). So anti-virus programmers added logic that, under the right circumstances, would ignore a virus signature and not issue an alarm. While this "skip it" logic stopped the false alarms, it opened a door for virus writers to camouflage their viruses so that they included the specific characteristics the anti-virus programs were checking for, and thus had the anti-virus program ignore that particular virus. This type of virus is difficult to code and not very common. Recent virus scanners not only check for virus signatures but also check checksums and file integrity.
Batch File Viruses
We all know that renaming a .BAT file to a .COM file results in nothing but errors. But this is not the case when a label is used. The text up to the label converts to instructions the CPU can execute, but they do nothing. The CPU interprets the label as instructions that cause it to jump ahead to the binary instructions in the batch file. These binary instructions are the real virus (or virus dropper). The easiest way to identify a batch file virus is to look for files that are several thousand bytes long yet show only a few lines when you display them with the DOS command TYPE; that is a tip-off. Most batch file viruses insert an end-of-file mark (Control-Z) between the batch file portion and the binary instruction portion.
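The tip-off just described, automated as an added example (not code from the original page): compare what TYPE would show with what the file actually holds, and flag a Control-Z followed by a large block of non-text bytes. The sample files are constructed.

```python
"""Added example, not code from the original page: flag a batch file that
TYPE would show as a few lines but that is thousands of bytes long, with an
end-of-file mark (Ctrl-Z, 0x1A) followed by binary data.  Samples are
constructed; the appended block is just non-text bytes, not a real program."""

CTRL_Z = 0x1A
# Bytes TYPE would display as ordinary text: printable ASCII, tab, CR, LF.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def analyse_batch(data, min_hidden=512, max_text_ratio=0.8):
    """Describe what TYPE shows versus what the file holds.  `suspicious`
    is True when a Ctrl-Z is followed by at least `min_hidden` bytes, of
    which fewer than `max_text_ratio` look like text."""
    eof = data.find(bytes([CTRL_Z]))
    visible = data if eof < 0 else data[:eof]
    hidden = b"" if eof < 0 else data[eof + 1:]
    visible_lines = visible.count(b"\n")
    if visible and not visible.endswith(b"\n"):
        visible_lines += 1                      # unterminated last line
    text_like = sum(1 for b in hidden if b in TEXT_BYTES)
    text_ratio = text_like / len(hidden) if hidden else 1.0
    return {
        "size": len(data),
        "visible_lines": visible_lines,
        "hidden_bytes": len(hidden),
        "hidden_text_ratio": round(text_ratio, 3),
        "suspicious": len(hidden) >= min_hidden and text_ratio < max_text_ratio,
    }


def scan_batch_file(path):
    """Run the check against a real file on disk."""
    with open(path, "rb") as fh:
        return analyse_batch(fh.read())


# Constructed samples.  The suspicious shape is a few harmless lines, a
# Ctrl-Z, then ~3 KB of non-text bytes standing in for an appended binary.
CLEAN_BAT = b"@echo off\r\necho Starting...\r\nset PATH=C:\\DOS;%PATH%\r\n"
HIDDEN_BAT = (b"@echo off\r\necho Nothing to see here\r\n" + bytes([CTRL_Z])
              + bytes((i * 37 + 11) % 256 for i in range(3000)))

if __name__ == "__main__":
    print(analyse_batch(CLEAN_BAT))     # 3 visible lines, nothing hidden
    print(analyse_batch(HIDDEN_BAT))    # 2 visible lines, 3000 hidden, suspicious
```

Text after a Ctrl-Z (a long legitimate comment block, say) is not flagged, because the text-ratio test only fires on binary-looking data.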
Sparse Infectors
This type of virus uses any one of a variety of techniques to minimize detection of its
activity. For example, this virus may only infect every 20th time a file is executed or it
might only infect files whose lengths are within narrowly defined ranges or whose names
begin with letters in a certain range of the alphabet, etc.
BOOT VIRUSES
Boot viruses save themselves in the boot sector of a disk or in the master boot record (MBR), or change the pointer to the active boot sector. They infect the boot sector of a floppy disk and the boot sector or MBR of a hard disk, and are mostly written in assembly language. BRAIN was the first DOS virus; it also has the distinction of being the first stealth virus.
Parity boot
Its payload displays the message Parity Check and freezes the OS, rendering the system inoperable. The message is copied from an actual error message that is displayed when memory is faulty, so the user of the computer is led to believe that the memory is faulty rather than that the system has a disruptive virus infection.
Boot-and-file virus or Multipartite viruses
These viruses have a dual nature: they infect both files and boot sectors. Tequila, Empire, 4096, Stoned and Michelangelo are examples of this type, which is also called a multipartite virus.
Macro Viruses
Pure data files cannot propagate viruses, because they cannot be executed. But with extensive macro languages the line between a data file and an executable file easily becomes blurred to the average user.
Macro viruses normally spread through the internet. You may receive an attachment with a message which, when opened, is programmed to run the macro automatically and infect the computer. Macro viruses infect document files, spreadsheets and databases of a number of commonly used software packages.
Network Viruses
Network viruses make extensive use of networking protocols and the capabilities of local and global networks to multiply. The operating principle of a network virus is its ability to transfer its code to a remote server or workstation on its own. Full-scale network viruses are capable of running their code on remote computers and/or pushing the user into running the infected file.
The best examples of this type are the Morris virus, Christmas Tree and the Wank Worm.
The characteristics of these viruses were:
⇒ They obtained the addresses of other computers and sent copies of themselves to those addresses.
⇒ They created temporary files on system disks.
⇒ They infiltrated computer memory from the network.
⇒ They spread across a computer network.
The errors in the networking protocols were fixed only after a few epidemics had broken out.
OPERATING SYSTEM VIRUSES
Each file or network virus infects files of one particular OS, or of several:
⇒ DOS
⇒ Windows 3.xx
⇒ Windows 95/NT/2000
⇒ OS/2, etc.
Stealth Viruses
A virus must change things in order to infect a system. To avoid detection, a virus will often take over the system functions that would otherwise reveal it and use them to hide itself. A virus may or may not save the originals of the things it changes, so using anti-virus software to handle viruses is always the safest option. Unless the virus takes over the portions of the system that manage access to the changes it made, those changes will become visible and the virus will be exposed. A stealth virus hides the modifications it makes. It does this by taking over the system functions that read files or system sectors; when some other program requests information from portions of the disk the virus has changed, the virus reports back the original (unchanged) information instead of what is really there (the virus). Of course, the virus must be resident in memory and active to do this.
The use of stealth is the main reason most anti-virus programs work best when the system is started (booted) from a known-clean floppy disk. In that case the virus never gains control of the system, and the changes and the virus itself are immediately visible and can be dealt with. Monkey is an example of a stealth virus.
Armored virus
Armored is a class that overlaps other classes of viruses, possibly several at once. Basically, an armored virus uses special "tricks" designed to foil anti-virus researchers. Any anti-virus researcher who wants to find out how a virus works must follow the instruction code in the virus, and by using a variety of methods virus writers can make this disassembly task quite a bit more difficult. This usually makes the virus larger as well. An early virus, Whale, made extensive use of these techniques.
Polymorphic Viruses
Polymorphic viruses produce varied but operational copies of themselves by self-encryption with a variable key, in order to avoid detection by virus scanners. There are even virus-writing toolkits available to help make such viruses. Virus writers created polymorphic viruses to confound scanning programs: these viruses are harder to detect by scanning because each copy of the virus looks different from the others.
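Why a fixed signature on the body fails against variable-key copies, and what a scanner can still key on, as an added example (not code from the original page). The "body" is a harmless constructed marker string, the "encryption" a single-byte XOR, and the decryptor stub a constructed byte string; none of it is real virus code.

```python
"""Added example, not code from the original page: why one fixed byte
signature fails against self-encrypting copies, and two things a scanner can
still key on.  The 'body' is a constructed harmless marker string, the
'encryption' a single-byte XOR, and the decryptor stub a constructed byte
string; none of it is real virus code."""

BODY = b"CONSTRUCTED-SAMPLE-BODY: stands in for the invariant virus body"
STUB = b"\xde\xc0\xde\x5f\x5b\xaa"   # constructed stand-in for the constant decryptor loop
BODY_SIGNATURE = BODY[:16]           # what a naive body signature would look for


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def make_copy(key):
    """One 'copy' of the sample: constant stub, the key byte, encoded body.
    Every copy has a different body image because the key differs."""
    return STUB + bytes([key]) + xor_bytes(BODY, key)


def body_signature_hits(samples):
    """Naive scanner: count samples that contain the plaintext body signature."""
    return sum(1 for s in samples if BODY_SIGNATURE in s)


def stub_signature_hits(samples):
    """Better: the decryptor must stay in the clear, so signature that instead."""
    return sum(1 for s in samples if STUB in s)


def xray_recover(sample):
    """'X-ray' the sample: try every single-byte key over the whole sample and
    report the key under which the body signature appears, or None."""
    for key in range(1, 256):
        if BODY_SIGNATURE in xor_bytes(sample, key):
            return key
    return None


# Constructed keys; in the wild each copy would pick its own.
SAMPLES = [make_copy(k) for k in (0x11, 0x5A, 0xC3)]

if __name__ == "__main__":
    print(body_signature_hits(SAMPLES))   # 0: no two copies share the body bytes
    print(stub_signature_hits(SAMPLES))   # 3: the decryptor is the invariant
    print(xray_recover(SAMPLES[1]))       # 90 (0x5A): the body is recoverable
```

Real engines also vary the decryptor itself, which is why modern scanners emulate the code rather than rely on the stub signature alone.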
Virus Droppers
A dropper is a program that, when run, attempts to install a regular virus onto your hard disk. The dropper itself is not infected, nor is it a virus, because it does not replicate; technically, a dropper should be considered a Trojan.
Often, because the virus is hidden in the program code, a scanner will not detect the danger until after the virus has been dropped onto your system. It is technically possible to write a virus that also drops other viruses.
Logic Bombs
Just like a real bomb, a logic bomb lies dormant until triggered by some event. The trigger can be a specific date, the number of times a particular file has been executed, or a specific event such as the hours, minutes and seconds in the system clock coinciding. Once triggered, the bomb can do anything from changing a random block of data on your disk to making the entire disk unreadable.
Virus Hoax
We have gone into great detail, explaining some of the terrible things to watch out for
with regards to viruses. We’ve also told you what some of the effects of a virus can be,
from being an annoyance on your computer, to wiping out your hard drive, destroying
your data. While viruses can be nasty things that do untold damage to your personal or
work computers, there are a few things you should be aware of.
First, not all viruses are viruses. In fact, sometimes the things that can cause the most
problems for you are the hoaxes.
You get an email from someone you know saying something like “there’s a virus on your
computer that your virus scanning software can’t remove!” Within the email are very
detailed instructions on what to look for and what to do with the virus when you find it –
and believe me you will find it.
Sounds scary, doesn't it? I mean, someone you know telling you that you ARE in fact infected with a virus so sneaky that your brand new and up-to-date virus scanning software, with web trap, real-time scanning and a one-billion-signature dictionary, can't find it. And when you check, you will indeed find the "infected" file.
So, the first question is, how did the virus scanner miss it? After all, you have been
religiously updating your scanning software whenever a patch comes out right? And
you’ve scheduled weekly scans of all your drives right? So how did it miss it?
Simple; it’s not a virus, it’s a hoax.
The Worms
Worms are one type of particularly malicious code that can cause major damage to the
files, software, and data on your computer. They are sneaky and prolific, sometimes
copying themselves until they clog your system. While these tricky intruders can be
particularly difficult to detect, here is some information that may help you get the hook
into that worm.
• They are deceiving. Worms are often sent via email, disguised as a benign
attachment or game. For example, the Melissa worm used email address books to
send itself as an email from a friend. Recipients recognized and trusted the sender
and, therefore, opened the email attachment.
• They can cause serious damage. In recent cases, worms have carried a malicious
payload that was capable of doing serious damage to computer data. Some worms
rename and hide your files so they are inaccessible, others keep the file name and
path but overwrite the data. Files can even be replaced with versions of the worm.
Deleted files can often be retrieved later, but not if a worm has overwritten them.
• They are easy to create. The code for creating worms can be found on Web
pages and Usenet groups dedicated to the topic. For anyone who knows basic
programming and where to look for information, creating a worm is not that
difficult.
CIH
Details
CIH is a virus that infects 32-bit Windows 95/98/NT executable files, but it can function only under Windows 95/98 and ME; it does not function under Windows NT or Windows 2000. When an infected program is run under Windows 95/98/ME the virus becomes resident in memory.
Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer running Windows NT or Windows 2000. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once resident, CIH infects other files as they are accessed.
The files infected by CIH may have the same size as the original files, due to the unique
infection mode of CIH. The virus searches for empty, unused spaces in the file. Next, it
breaks itself up into smaller pieces and inserts its code into these unused spaces. When
NAV repairs a file infected by CIH, it looks for these small viral pieces and removes
them from the file.
The first payload of the CIH virus overwrites the hard disk with random data, starting at the beginning of the disk (sector 0), in an infinite loop. The overwriting does not stop until the system has crashed. As a result the computer will not boot from the hard disk or floppy disk, and the data that has been overwritten will be very difficult or impossible to recover; you must restore it from backups.
The second payload tries to cause permanent damage to the computer. This payload
attacks the Flash BIOS (a part of your computer that initializes and manages the
relationships and data flow between the system devices, including the hard drive, serial
and parallel ports, and the keyboard) and tries to corrupt the data stored there. As a result,
nothing may be displayed when you start the computer. A computer technician would
need to fix this.
Download:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/kill_cih.exe
Win32/Explore.Zip Virus
ExploreZip program is a Trojan horse, since it initially requires a victim to open or run an
email attachment in order for the program to install a copy of itself and enable further
propagation.
Details
Once installed, the program may also behave as a worm, and may be able to propagate itself, without any human interaction, to other networked machines that have certain writable shares. The ExploreZip Trojan horse has been propagated between users in the form of email messages containing an attached file named zipped_files.exe. Some email programs may display this attachment with a "WinZip" icon. The body of the email message usually appears to come from a known email correspondent, and typically contains the following text:
• The program does not appear to delete files with the "hidden" or "system" attribute, regardless of their extension.
Precautions
⇒ Blocking NetBIOS traffic at your network border may help prevent propagation via shares from outside your network perimeter.
⇒ Disable file serving on workstations. You will not be able to share your files with other computers, but you will still be able to browse and get files from servers. This prevents your workstation from being infected via file-sharing propagation.
⇒ Maintain a regular, off-line backup cycle.
ILOVEYOU
If you receive an email whose subject line contains the phrase ILOVEYOU (all one word, no spaces), DON'T OPEN the attachment named Love-Letter-For-You.txt.vbs.
Discovered in May 2000, this virus spread across Asia, Europe and the United States via e-mail messages titled "ILOVEYOU". The menace clogged web servers, overwrote personal files and caused corporate IT managers to shut down e-mail systems.
If your computer is infected you can delete the following files from your infected system:
Details
As its primary payload, the virus attempts to use Microsoft Outlook to email a copy of
the infected document to up to 40 other people. When a user opens or closes an infected
document, the virus first checks to see if it has done this mass emailing once before by
checking the following registry key:
If this key has a value "MP" set to the value "...by 22" then the mass emailing has been
done previously from the current machine. The virus will not attempt to do the mass
mailing a second time if it has already been done from this machine.
If it does not find the registry entry, it runs the email payload just like W97M.Melissa.A. The difference is that it sends to at most 40 addresses, the subject line is "My Pictures USERNAME" where USERNAME is taken from a Microsoft Word setting, and the email message body is now blank.
The second payload now replaces the currently selected text of the document with:
Opening Microsoft Outlook...
Hint: Get Norton 2000 not McAfee 4.02
This variant also has a malicious payload that attempts to delete files from the root
directory of drives F, H, I, L, M, N, O, P, Q, S, X, and Z.
Removal
The additional Windows Registry value does no harm. In fact, if it is already set to "by 22", it prevents the mass emailing. If you would like, you can easily remove this registry value using the Windows REGEDIT utility.
Pretty Park
This worm program behaves similarly to Happy99 Worm. It was originally spread by
email. When the attached program file, PrettyPark.exe, is executed, it may display the 3D
pipe screen saver.
Type: Worm
Systems not affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 2000, Windows NT, Windows XP
Details
PrettyPark.Worm is a worm that behaves similarly to Happy99.Worm. It was originally spread through a mass emailing; the program file attached to these emails is named PrettyPark.exe. When PrettyPark.exe is executed it may display the Windows 3D Pipes screen saver. It also does the following:
• It modifies the following registry key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
• It tries to email itself, every 30 minutes, to addresses in your Internet address book.
• It tries to connect to an IRC server and join a specific IRC channel. If it is
successful, the worm sends information to this IRC channel every 30 seconds to
keep itself connected and to retrieve any commands. By using IRC, the author or
distributor of the worm can access information on your system including:
• Computer name
• Product name
• Product identifier
• Product key
• Registered owner
• Registered organization
• System root path
• Version number
• ICQ identification numbers
• ICQ nicknames
• Your email address
• Dial-Up networking user name and passwords
In addition, being connected to IRC opens a security hole in which your computer
can potentially be used to receive and execute files.
Removal Tool
The easiest way to remove this worm is to use the Fix PrettyPark.Worm tool.
Download:
http://service1.symantec.com/sarc/sarc.nsf/info/html/fix.prettypark.html
CodeRed
Type: Worm
Target of infection: Unpatched systems running Microsoft Index 2.0 or the Windows 2000 Indexing Service.
Details
The worm sends its code as an HTTP request that exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The malicious code is not saved as a file but is inserted into memory and run directly from there.
Once running, the worm checks for the file C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state.
If C:\Notworm does not exist, new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm does not make HTTP requests to addresses in 127.*.*.*.
If the default language of the computer is American English, further threads cause web pages to appear defaced. First the thread sleeps for two hours, then it hooks the function that responds to HTTP requests; instead of returning the correct web page, the worm returns its own HTML code.
The HTML displays:
Welcome to http://www.worm.com !
Hacked By Chinese!
This hook lasts for 10 hours and is then removed. However, re-infection or other threads
can rehook the function.
Two versions of this worm have been in the wild. The second version does not cause the
Web pages to be defaced.
Also, if the date is between the 20th and 28th of the month, the active threads attempt a Denial of Service (DoS) attack on a particular IP address by sending large amounts of junk data to port 80 (the web service) of 198.137.240.91, which at the time was www.whitehouse.gov. This IP address has since been changed and is no longer active.
Finally, if the date is later than the 28th of the month, the worm's threads are not run but are directed into an infinite sleep state. This creation of many threads can cause computer instability.
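The date-driven behaviour described above as a function, plus checks over web-server log lines and a served page for the traces a defender can see, as an added example (not code from the original page). The Indexing Service ISAPI extension that the overflow request targets, `.ida`, is not named on the page and is an assumption from the editor's knowledge; the log lines and HTML are constructed.

```python
"""Added example, not code from the original page: the worm's date-driven
phases as a function, plus checks over constructed web-server log lines and
a served page for the traces a defender can see.  The .ida extension is an
assumption not stated on the page; the IP address and banner are from it."""
import re
from datetime import date

DEFACE_TEXT = "Hacked By Chinese!"
DOS_TARGET = ("198.137.240.91", 80)       # from the description above

# Simplified common-log-format line: src ident user [time] "req" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def codered_phase(day_of_month):
    """Which of the three behaviours the worm's threads run on that day."""
    if day_of_month < 20:
        return "spread"   # 99 threads probe random IPs, skipping 127.*.*.*
    if day_of_month <= 28:
        return "dos"      # junk data to port 80 of 198.137.240.91
    return "sleep"        # threads go into an infinite sleep


def skips_target(ip):
    """The worm never sends requests to 127.*.*.* (the loop-back range)."""
    return ip.split(".")[0] == "127"


def classify_request(line, long_query=200):
    """Return (src, label) for one log line.  An unusually long query string
    aimed at a .ida resource is the shape of the overflow request."""
    m = LOG_RE.match(line)
    if not m:
        return (None, "unparsed")
    path = m.group("path")
    if ".ida?" in path.lower() and len(path) >= long_query:
        return (m.group("src"), "ida_long_query")
    return (m.group("src"), "normal")


def looks_defaced(html):
    """Check a page fetched from your own server for the worm's banner."""
    return DEFACE_TEXT in html


def is_dos_flow(dst_ip, dst_port):
    """Flag an outbound flow that matches the worm's DoS target."""
    return (dst_ip, dst_port) == DOS_TARGET


# Constructed log lines: one ordinary request, one overflow-shaped request
# (a long run of filler characters standing in for the real padding).
LOG_LINES = [
    '10.0.0.7 - - [19/Jul/2001:10:01:03 +0000] "GET /index.htm HTTP/1.0" 200 1043',
    '10.0.0.9 - - [19/Jul/2001:10:02:11 +0000] "GET /default.ida?'
    + "N" * 240 + ' HTTP/1.0" 200 -',
]

if __name__ == "__main__":
    print(codered_phase(date(2001, 7, 19).day), codered_phase(date(2001, 7, 25).day))
    for line in LOG_LINES:
        print(classify_request(line))   # ('10.0.0.7', 'normal'), ('10.0.0.9', 'ida_long_query')
```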
Removal Instructions
Symantec Security Response has created a tool to perform a vulnerability assessment of
your computer and to remove the CodeRed Worm and CodeRed II.
http://www.symantec.com/avcenter/venc/data/codered.removal.tool.html
W32/Klez
Also known as: W32/Klez.e@MM, W32/Klez.h@MM, W32/Klez.gen@MM, WORM_KLEZ.E, WORM_KLEZ.G, I-Worm.Klez.e, I-Worm.Klez.h, W32/Klez-E, W32/Klez-G, W32/Klez-H
Systems affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems not affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX
Details
W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for
email addresses and sends messages to all the recipients that it finds. The worm uses its
own SMTP engine to send the messages.
The subject and attachment name of the incoming emails are randomly chosen. The
attachment will have one of the extensions: .bat, .exe, .pif, or .scr.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express to try to execute itself when you open or preview the message. W32.Klez.gen@mm also attempts to copy itself to all the network-shared drives that it finds.
Depending on the variant of the worm, it will drop one of the following viruses:
• W32.Elkern.3326
• W32.Elkern.3587
• W32.Elkern.4926
Email spoofing
Some variants of this worm use a technique known as "spoofing" by which the worm
randomly selects an address it finds on an infected computer. The worm uses this address
as the "From" address when it performs its mass-mailing routine. Numerous cases have
been reported in which users of uninfected computers received complaints that they sent
an infected message to another individual.
If you are using a current version of Norton AntiVirus with the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files finds nothing, then your computer is not infected with this worm.
Removal
Symantec Security Response has developed a tool to remove all the known infections of
W32.Klez and W32.ElKern. Try this tool first, as it is the easiest way to remove the
threats.
Download tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
BugBear
• A variant of W32.Bugbear@mm.
• A mass-mailing worm that also spreads through network shares.
• Polymorphic and also infects a select list of executable files.
• Possesses keystroke-logging and Backdoor capabilities.
• Attempts to terminate the processes of various antivirus and firewall programs.
Systems affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems not affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX
Details
When W32.Bugbear.B@mm runs, it copies itself to the \Startup folder under a filename composed of a few characters, such as ????.exe, where each question mark (?) represents a letter the worm chooses.
For example, the worm may copy itself as:
Mass-mailing routine
When the mass-mailing routine runs, it does the following:
1. Searches for the email addresses in the current Inbox, as well as in the files with
the following extensions:
• .mmf , .nch , .mbx , .eml , .tbb , .dbx , .ocs
2. Retrieves the current user's email address and SMTP server from the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts
3. Uses its own SMTP engine to send itself to all the email addresses it finds. As
part of the routine, the worm spoofs the From: address.
The worm can reply or forward an existing message, or create a new message with one of
the following subject lines:
• Hello!
• update
• hmm..
• Payment notices
• Just a reminder
• Correction of errors
• history screen
• Announcement
• various
• Introduction
• Interesting...
• I need help about script!!!
• Stats
• Please Help...
• Report
• Membership Confirmation
• Get a FREE gift!
• Today Only
• New Contests
• Lost & Found
• bad news
• wow!
• fantastic
• click on this!
• Market Update Report
• empty account
• My eBay ads
• Cows
• 25 merchants and rising
• CALL FOR INFORMATION!
• new reading
• Sponsors needed
• SCAM alert!!!
• Warning!
• its easy
• free shipping!
• News
• Daily Email Reminder
• Tools For Your Online Business
• New bonus in your cash account
• Your Gift
• Re:
• $150 FREE Bonus!
• Your News Alert
• Hi!
• Get 8 FREE issues - no risk!
• Greets!
For the attachment filename, the worm uses filenames in the My Documents folder
location, which have one of the following extensions:
• .reg
• .ini
• .bat
• .diz
• .txt
• .cpp
• .html
• .htm
• .jpeg
• .jpg
• .gif
• .cpl
• .dll
• .vxd
• .sys
• .com
• .exe
• .bmp
• .scr
• .pif
• readme
• Setup
• Card
• Docs
• news
• image
• images
• pics
• resume
• photo
• video
• music
• song
• data
The content type of the message is matched to the file type, and can be one of the
following:
• text/html
• text/plain
• application/octet-stream
• image/jpeg
• image/gif
Finally, the email message may be composed with or without using the Incorrect MIME
Header Can Cause IE to Execute E-mail Attachment vulnerability to automatically
execute on a vulnerable system.
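A mail-gateway style check for the two delivery tricks the Klez and Bugbear descriptions share, as an added example (not code from the original page): an attachment with one of the executable extensions named above (.bat, .exe, .pif, .scr), and a Content-Type that does not match that extension, which is how the "incorrect MIME header" flaw got an attachment run on open or preview. The message it inspects is constructed with Python's standard `email` package.

```python
"""Added example, not code from the original page: flag executable
attachments and Content-Type/extension mismatches in a raw message, the
delivery tricks described for Klez and Bugbear.  Messages are constructed."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions the Klez description lists.
EXEC_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}
# Content-Types that honestly describe an executable attachment.
HONEST_EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}


def check_message(raw):
    """Parse a raw RFC 822 message; return a list of (finding, name, ctype)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        if ext in EXEC_EXTENSIONS:
            findings.append(("executable_attachment", name, ctype))
            if ctype not in HONEST_EXEC_TYPES:
                # e.g. an .exe declared as audio/x-wav: the mismatch is the tell
                findings.append(("content_type_mismatch", name, ctype))
    return findings


def build_sample(filename, content_type, payload=b"constructed attachment bytes"):
    """Constructed message in the shape described above: a bland subject from
    the list, a From: that need not be the real sender, one attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Hello!"
    msg.set_content("body text")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, ctype in [("readme.txt", "text/plain"),
                         ("setup.exe", "audio/x-wav"),
                         ("pics.scr", "application/octet-stream")]:
        print(fname, check_message(build_sample(fname, ctype)))
```

A gateway would quarantine on the first finding; the mismatch finding is worth logging separately because it points at the auto-execute trick rather than a plain executable attachment.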
Local and network file infection
The worm also infects files on local and network shares whose names match the following list. It appends itself to these files and is polymorphic.
• scandskw.exe
• regedit.exe
• mplayer.exe
• hh.exe
• notepad.exe
• winhelp.exe
• Internet Explorer\iexplore.exe
• adobe\acrobat 5.0\reader\acrord32.exe
• WinRAR\WinRAR.exe
• Windows Media Player\mplayer2.exe
• Real\RealPlayer\realplay.exe
• Outlook Express\msimn.exe
• Far\Far.exe
• CuteFTP\cutftp32.exe
• Adobe\Acrobat 4.0\Reader\AcroRd32.exe
• ACDSee32\ACDSee32.exe
• MSN Messenger\msnmsgr.exe
• WS_FTP\WS_FTP95.exe
• QuickTime\QuickTimePlayer.exe
• StreamCast\Morpheus\Morpheus.exe
• Zone Labs\ZoneAlarm\ZoneAlarm.exe
• Trillian\Trillian.exe
• Lavasoft\Ad-aware 6\Ad-aware.exe
• AIM95\aim.exe
• Winamp\winamp.exe
• DAP\DAP.exe
• ICQ\Icq.exe
• kazaa\kazaa.exe
• winzip\winzip32.exe
Network share infection
The worm enumerates all the network shares and computers and attempts to copy
itself to those shares. Also, the worm attempts to copy itself to the Windows
Startup folder located on remote systems.
The worm does not differentiate between computers and printers. Thus, the worm
will inadvertently attempt to queue itself as a print job on network-shared printers.
Backdoor routine
The worm also opens a listening port on port 1080. The worm's creator can connect to
this port and perform the following actions:
• Delete files.
• Terminate processes.
• List processes and deliver the list to the worm's creator.
• Copy files.
• Start processes.
• List files and deliver the list to the worm's creator.
• Deliver intercepted keystrokes to the worm's creator in an encrypted form. This
action could release confidential information typed on a computer (passwords,
login details, and so on).
• Deliver the system information to the worm's creator in the following form:
• User: <user name>
• Processor: <type of processor used>
• Windows version: <Windows version, build number>
• Memory information: <Memory available, and so on>
• Local drives, their types (for example, fixed/removable/RAM disk/CD-
ROM/remote), as well as their physical characteristics.
Removal
Symantec Security Response has created a tool to remove W32.Bugbear.B@mm, which is the easiest way to remove this threat.
Download tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html