Effects
PSWBugbear.B logs the keystrokes typed on the affected computer to a file. Anyone who retrieves this file can recover confidential data such as passwords for Internet services, bank accounts and so on. The captured keystrokes are sent out whenever the stored data exceed 25,000 bytes, or every two hours.
It also sends a file containing a copy of the cached dial-up networking passwords to a fixed list of e-mail addresses. It does so only if the default e-mail address of the victim computer, which it reads from the Windows Registry, belongs to one of the domains on its internal list; that list consists mainly of domains belonging to financial institutions. The cached passwords are sent to the following addresses:
ifrbr@canada.com, sdorad@juno.com, fbnfgh@email.ro, eruir@hotpop.com, ersdes@truthmail.com, eofb2@blazemail.com, ioter5@yook.de, iuery@myrealbox.com, jkfhw@wildemail.com and ds2iahf@kukamail.com.
Infection strategy
PSWBugbear.B creates the following files:
????.EXE in the Windows Startup directory. By placing it there, PSWBugbear.B ensures that it is run every time the computer starts up. It obtains the path of this directory by reading the following entry in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup (the Startup directory shared by all users of the computer)
~PHQGHUM.TMP or SPHQGHUM.TMP in the Windows temporary directory. The name of this file changes depending on whether the worm is currently using it.
It also creates other files with a DLL extension, which contain encrypted data collected or generated by the worm.
Means of transmission
PSWBugbear.B spreads via e-mail and across shared network drives.
1- Transmission via e-mail:
In order to spread via e-mail, PSWBugbear.B follows the routine below:
It reads the following entry in the Windows Registry in order to obtain the mail server:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager
In addition, the worm carries its own list of domains with likely mail servers, which it uses if no server is configured.
It looks for e-mail addresses in files on the affected computer whose names contain one of the following strings (mailbox, address-book and similar formats): DBX, TBB, EML, MBX, NCH, MMF, INBOX and ODS.
It sends a copy of itself to every address it finds, using its own SMTP engine. The message has the following characteristics:
Subject: One of the following:
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
Attachments: The attachment name varies widely. Its base name can be one of the following:
DATA
SONG
MUSIC
VIDEO
PHOTO
RESUME
PICS
IMAGES
IMAGE
NEWS
DOCS
CARD
SETUP
README
The file carries one or two of the following extensions: EXE, SCR or PIF.
The attachment name can also be taken from files stored in the user's personal directory (indicated by the Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal) or in the My Documents directory that have one of the following extensions, with the executable extension appended after the original one:
REG, INI, BAT, DIZ, TXT, CPP, HTML, HTM, JPEG, JPG, GIF, CPL, DLL, VXD, SYS, COM, EXE or BMP.
PSWBugbear.B does not send a message to any address that contains one of the following strings:
majordom
ticket
talk
list
localdomain
localhost
nobody@
root@
postmaster@
mailer-daemon
trojan
virus
lyris
noreply
recipients
undisclosed
spam
remove
The recipient of the infected message is infected simply by viewing the message in the Outlook Preview Pane, because PSWBugbear.B exploits a vulnerability in Internet Explorer 5.01 and 5.5 that lets an e-mail attachment run automatically when the message is rendered (the MIME-header handling flaw patched by Microsoft bulletin MS01-020). This technique is detected as Exploit/iFrame.
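The e-mail routine above (fixed subject list, fixed attachment base names, double extensions ending in EXE/SCR/PIF, a 72,192-byte body, and a recipient exclusion list) is easy to turn into a mail-gateway triage heuristic. The Python below is an added example written for this page, not code from the original description or from any vendor; the message samples are constructed, and the scoring rule (flag only when an executable attachment matches at least two indicators) is this example's own choice.

```python
from typing import List, Optional

# Subject lines the worm uses, matched exactly (from the description above).
WORM_SUBJECTS = {
    "Get 8 FREE issues - no risk!", "Hi!", "Your News Alert", "$150 FREE Bonus!", "Re:",
    "Your Gift", "New bonus in your cash account", "Tools For Your Online Business",
    "Daily Email Reminder", "News", "free shipping!", "its easy", "Warning!", "SCAM alert!!!",
    "Sponsors needed", "new reading", "CALL FOR INFORMATION!", "25 merchants and rising", "Cows",
    "My eBay ads", "empty account", "Market Update Report", "click on this!", "fantastic", "wow!",
    "bad news", "Lost & Found", "New Contests", "Today Only", "Get a FREE gift!",
    "Membership Confirmation", "Report", "Please Help...", "Stats", "I need help about script!!!",
    "Interesting...", "Introduction", "various", "Announcement", "history screen",
    "Correction of errors", "Just a reminder", "Payment notices", "hmm..", "update", "Hello!",
}
# Fixed attachment base names, the executable extensions the worm body uses, and the
# document extensions it may keep in front of the executable one (all from the description).
WORM_BASENAMES = {"DATA", "SONG", "MUSIC", "VIDEO", "PHOTO", "RESUME", "PICS", "IMAGES",
                  "IMAGE", "NEWS", "DOCS", "CARD", "SETUP", "README"}
EXEC_EXTS = {"exe", "scr", "pif"}
DECOY_EXTS = {"reg", "ini", "bat", "diz", "txt", "cpp", "html", "htm", "jpeg", "jpg", "gif",
              "cpl", "dll", "vxd", "sys", "com", "exe", "bmp"}
WORM_FILE_SIZE = 72192  # bytes; size of the UPX-packed worm body per the description
# Substrings that make the worm skip a recipient address (from the description above).
SKIP_WORDS = ["majordom", "ticket", "talk", "list", "localdomain", "localhost", "nobody@",
              "root@", "postmaster@", "mailer-daemon", "trojan", "virus", "lyris", "noreply",
              "recipients", "undisclosed", "spam", "remove"]


def attachment_reasons(filename: str, size: Optional[int] = None) -> List[str]:
    """Indicators an attachment name/size shares with the worm's scheme.
    Returns [] unless the final extension is one the worm body actually uses."""
    parts = filename.split(".")
    if len(parts) < 2:
        return []
    base, exts = parts[0], [e.lower() for e in parts[1:]]
    if exts[-1] not in EXEC_EXTS:
        return []
    reasons = []
    if base.upper() in WORM_BASENAMES:
        reasons.append("fixed worm base name " + base.upper())
    if len(exts) == 2 and exts[0] in DECOY_EXTS | EXEC_EXTS:
        reasons.append("double extension ." + ".".join(exts))
    if size == WORM_FILE_SIZE:
        reasons.append("size matches packed worm body (72,192 bytes)")
    return reasons


def triage(subject: str, filename: str, size: Optional[int] = None) -> List[str]:
    """All indicators for one message; the subject only counts alongside an executable."""
    reasons = attachment_reasons(filename, size)
    if reasons and subject.strip() in WORM_SUBJECTS:
        reasons.append("subject from worm's list: " + subject.strip())
    return reasons


def is_suspicious(subject: str, filename: str, size: Optional[int] = None) -> bool:
    """Example policy: quarantine when two or more indicators coincide."""
    return len(triage(subject, filename, size)) >= 2


def worm_would_skip(address: str) -> bool:
    """Would the worm refuse to mail this address? (Useful when placing honeytoken
    mailboxes: an address containing e.g. 'virus' or 'list' never receives a copy.)"""
    lowered = address.lower()
    return any(word in lowered for word in SKIP_WORDS)


# Constructed sample messages (subject, attachment name, attachment size); not real captures.
SAMPLES = [
    ("Your News Alert", "README.scr.pif", 72192),
    ("Hi!", "budget.txt.exe", 9104),
    ("Quarterly figures", "figures.xls", 40000),
    ("Re:", "photo.jpg", 250000),
]

if __name__ == "__main__":
    for subject, name, size in SAMPLES:
        print(f"{name:16} suspicious={is_suspicious(subject, name, size)} "
              f"reasons={triage(subject, name, size)}")
```

The fixed base names on their own (a legitimate SETUP.EXE with subject "Report") will produce two indicators, so in production the size match or the double extension should carry more weight than a subject hit; the rule here is deliberately simple to keep the mapping to the description visible.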
2- Transmission across shared network drives:
In order to spread across shared network drives, PSWBugbear.B follows the routine below:
PSWBugbear.B checks whether the infected computer is connected to a network. If it is, it enumerates network shares and copies itself into the Startup directory on each of them.
As a result, the next time the remote computer starts up it runs the copy and becomes infected with PSWBugbear.B.
PSWBugbear.B may fail to copy itself to the Startup directory of computers running a different operating system version or language, because the worm assumes that the directory on the remote machine has the same path as on the local machine.
Note: When spreading across network shares, PSWBugbear.B does not check whether the resource it is writing to is a shared printer rather than a directory. If it copies itself to a shared printer, the printer prints pages of junk characters.
Further Details
Other interesting characteristics of PSWBugbear.B are:
The file that carries out the infection is 72,192 bytes in size and is compressed with a modified version of UPX.
It creates a mutex named w32shamur to find out whether it is already running. If the mutex already exists, the new instance exits instead of running again.
The worm carries a list of domains, many of them belonging to banks. If the worm connects to a machine in one of these domains, PSWBugbear.B enables the AutoDial option by modifying a key in the Windows Registry, so that no confirmation is required before a network connection is established via modem.
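The file names in the Infection strategy section and the w32shamur mutex above give a compact host-side check. The Python below is an added example written for this page, not a tool from the original description or from any vendor. It reads "????.EXE" as "any four characters followed by .EXE" (an assumption of this example), resolves the Common Startup path from the same Registry value the worm uses, and opens the mutex by name; the Registry and mutex parts only run on Windows, and the directory listings in the test are constructed.

```python
import os
import re
import sys
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators from the description above. Reading "????.EXE" as exactly four
# characters plus .EXE is this example's assumption.
STARTUP_NAME_RE = re.compile(r"^.{4}\.exe$", re.IGNORECASE)
TEMP_NAMES = {"~PHQGHUM.TMP", "SPHQGHUM.TMP"}
MUTEX_NAME = "w32shamur"
WORM_SIZE = 72192  # bytes; the packed worm body


def startup_indicators(listing: Iterable[str]) -> List[str]:
    """Entries of a Startup-folder listing whose name fits the ????.EXE pattern."""
    return sorted(name for name in listing if STARTUP_NAME_RE.match(name))


def temp_indicators(listing: Iterable[str]) -> List[str]:
    """Entries of a temp-folder listing that match the worm's scratch file names."""
    return sorted(name for name in listing if name.upper() in TEMP_NAMES)


def mutex_present(name: str = MUTEX_NAME) -> Optional[bool]:
    """True/False if a mutex of that name can be opened (Windows only); None elsewhere.
    A present mutex means an instance is running right now, which a file scan can miss."""
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


def common_startup_dir() -> Optional[str]:
    """Read the same 'Common Startup' Registry value the worm reads (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders")
    try:
        return winreg.QueryValueEx(key, "Common Startup")[0]
    finally:
        winreg.CloseKey(key)


def scan(startup_dir: Optional[str], temp_dir: Optional[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan the two directories and report (name, size) for each hit; a size of
    72,192 bytes on a Startup hit is the strongest signal. Pointing startup_dir
    at a mapped share's Startup folder checks a remote machine the same way."""
    report: Dict[str, List[Tuple[str, int]]] = {"startup": [], "temp": []}
    if startup_dir and os.path.isdir(startup_dir):
        for name in startup_indicators(os.listdir(startup_dir)):
            report["startup"].append((name, os.path.getsize(os.path.join(startup_dir, name))))
    if temp_dir and os.path.isdir(temp_dir):
        for name in temp_indicators(os.listdir(temp_dir)):
            report["temp"].append((name, os.path.getsize(os.path.join(temp_dir, name))))
    return report


if __name__ == "__main__":
    result = scan(common_startup_dir(), tempfile.gettempdir())
    print("mutex", MUTEX_NAME, "present:", mutex_present())
    for where, hits in result.items():
        for name, size in hits:
            tag = " <-- size matches worm body" if size == WORM_SIZE else ""
            print(f"{where}: {name} ({size} bytes){tag}")
```

Legitimate four-letter executables can sit in the Startup folder, so treat a name-only hit as something to review rather than delete; a hit whose size is exactly 72,192 bytes, or a present w32shamur mutex, is much harder to explain away.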