
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bugbear

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

The worm's main action consists of attacking files used by antivirus programs and firewalls.

Infection strategy 

Bugbear creates the following files:

  • ~PHQGHUM.TMP (20 Bytes), in the Windows temporary directory.
  • Two files with a random name and the EXE extension (executable files). One of the files is copied to the Windows system directory, and the other to the Windows startup directory. These two files are run on every Windows startup.     
  • A file with a DLL extension (library), in the Windows system directory.

Bugbear creates the following entry in the Windows Registry:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    The worm assigns a value to this entry that refers to the EXE file it created in the Windows system directory. Through this entry the worm ensures it is run on every Windows startup.

Finally, Bugbear carries out the following actions:

  • It takes advantage of the Iframe Exploit vulnerability.
  • It uses port 36794 to establish remote connections.
  • It is designed to avoid sending the file that triggers infection to e-mail addresses with any of the following words: list, localdomain, localhost, lyris, mailer-daemon, majordom, nobody@, noreply, postmaster@, recipients, remove, root@, spam, talk, ticket, trojan, undisclosed, virus.

Means of transmission 

Bugbear reaches computers in an e-mail message with variable subjects and contents. Consequently, it is difficult to recognize the e-mail that carries the worm and easy to become infected by it.

The most recurrent features are the following:

  • Subject. Although the message can have other subject fields, these are the most usual:

    $150 FREE Bonus!, 25 merchants and rising CALL FOR INFORMATION!, Announcement, bad news, click on this!, Correction of errors, Cows, Daily Email Reminder, empty account, fantastic, free shipping!, Get 8 FREE issues - no risk!, Get a FREE gift!, Greets!, Hello!, Hi!, history screen, hmm.., I need help about script!!!, Interesting..., Introduction, its easy, Just a reminder, Lost & Found, Market Update Report, Membership Confirmation, My eBay ads, New bonus in your cash account, New Contests, new reading, News, Payment notices, Please Help..., Re:, Report, SCAM alert!!!, Sponsors needed, Stats, Today Only, Tools For Your Online Business, update, various, Warning!, wow!, Your Gift, Your News Alert.
  • Attachments. The name of the attached file, which is variable, can include any of the following words and a double extension: CARD, DATA, DOCS, IMAGE, IMAGES, MUSIC, NEWS, PHOTO, PICS, README, RESUME, SETUP, SONG, VIDEO.
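
The attachment pattern described above can be checked at a mail gateway. The following is an added example, not part of the original encyclopedia entry: the keyword list comes from the page, while the executable-extension set, the verdict names and the sample file names are assumptions constructed for illustration.

```python
import re

# Keywords the page lists for Bugbear attachment names.
KEYWORDS = ("CARD", "DATA", "DOCS", "IMAGE", "IMAGES", "MUSIC", "NEWS",
            "PHOTO", "PICS", "README", "RESUME", "SETUP", "SONG", "VIDEO")

# Assumption (not from the page): final extensions treated as executable.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat"}

# A dot-separated component counts as an extension if it is 1-4 alphanumerics.
_EXT = re.compile(r"^[a-z0-9]{1,4}$")


def split_extensions(filename):
    """Return (normalized_name, [ext1, ext2, ...]) for a file name."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    exts = []
    while len(parts) > 1 and _EXT.match(parts[-1]):
        exts.insert(0, parts.pop())
    return name, exts


def classify_attachment(filename):
    """Return 'block', 'quarantine', 'review' or 'allow' for one attachment."""
    name, exts = split_extensions(filename)
    has_keyword = any(k.lower() in name for k in KEYWORDS)
    double_ext = len(exts) >= 2
    executable = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    if has_keyword and double_ext and executable:
        return "block"        # matches every trait the page describes
    if double_ext and executable:
        return "quarantine"   # disguised executable, no listed keyword
    if has_keyword and double_ext:
        return "review"       # listed keyword and double extension only
    return "allow"


if __name__ == "__main__":
    # Constructed sample names, not taken from real messages.
    for sample in ("Card.DOC.pif", "holiday.jpg.scr", "music.mp3.txt",
                   "readme.txt", "SETUP.xls.exe. ", "quarterly.report.pdf"):
        print(f"{sample!r:26} -> {classify_attachment(sample)}")
```

Because the page notes that subjects and attachment names vary, the keyword match only raises the verdict; the double extension ending in an executable type is what triggers quarantine on its own.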

Bugbear creates a false address which appears as the sender of the e-mail message. This can cause confusion.

Further Details  

Bugbear has a size of 50688 Bytes (compressed with UPX) and is written in the Visual C programming language.