
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

PSWBugbear.B

Threat Level: High threat | Damage: Severe | Distribution: Not widespread
Common name: PSWBugbear.B
Technical name: Trj/PSW.Bugbear.B
Threat level: Medium
Alias: W32/Tanatos, Bugbear.B, PE_BUGBEAR.B, W32.Kijmo, W32.Shamur, Win32.Bugbear.B
Type: Trojan
Effects: It infects a large number of files on affected computers, ends processes belonging to security programs, opens port 1080, captures keystrokes and allows a hacker to gain remote access to the resources of the computer.
Affected platforms: Windows XP/2000/NT/ME/98/95
Detection updated on: June 12, 2003
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies

Brief Description 

    

PSWBugbear.B is a password-stealing Trojan that is dropped on computers by a dangerous worm called Bugbear.B.

It is very easy to become infected by this worm, as it is automatically activated when the message carrying it is viewed through Outlook’s Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5), which allows e-mail attachments to be run automatically. This exploit is known as Exploit/iFrame.

PSWBugbear.B logs the keystrokes entered on the affected computer to a file. Hackers who gain access to this file can obtain confidential data such as passwords for certain Internet services, bank accounts, etc. The keylogger information is sent when the saved data exceeds 25,000 bytes or every two hours.

It also sends a file containing a copy of the cached dial-up networking passwords to a certain list of e-mail addresses. It does this only if the default e-mail address of the victim computer, which it obtains from the Windows Registry, belongs to one of the domains in its own list. That domain list mainly includes domains belonging to financial entities. The addresses it sends the cached passwords to are the following:
ifrbr@canada.com, sdorad@juno.com, fbnfgh@email.ro, eruir@hotpop.com, ersdes@truthmail.com, eofb2@blazemail.com, ioter5@yook.de, iuery@myrealbox.com, jkfhw@wildemail.com and ds2iahf@kukamail.com.
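
One way to look for this behaviour in retrospect is to search mail relay logs for messages addressed to the drop addresses above and map each one back to the workstation that submitted it. The following is an added example, not Panda Security's code. It assumes outbound mail passes through a relay that writes Postfix-style log lines; the log lines, host names, IP addresses and queue IDs are constructed.

```python
import re
from collections import defaultdict

# Drop addresses listed in this entry (cached-password exfiltration).
DROP_ADDRESSES = {
    "ifrbr@canada.com", "sdorad@juno.com", "fbnfgh@email.ro",
    "eruir@hotpop.com", "ersdes@truthmail.com", "eofb2@blazemail.com",
    "ioter5@yook.de", "iuery@myrealbox.com", "jkfhw@wildemail.com",
    "ds2iahf@kukamail.com",
}

# Constructed sample in an assumed Postfix-style relay log format.
SAMPLE_LOG = """\
Jun 12 10:01:02 mx postfix/smtpd[811]: 4A1B2C: client=ws-17.corp.example[10.0.0.17]
Jun 12 10:01:03 mx postfix/smtp[902]: 4A1B2C: to=<IFRBR@canada.com>, relay=mx.canada.com[192.0.2.10]:25, status=sent
Jun 12 10:05:40 mx postfix/smtpd[811]: 5D6E7F: client=ws-22.corp.example[10.0.0.22]
Jun 12 10:05:41 mx postfix/smtp[902]: 5D6E7F: to=<partner@example.org>, relay=mx.example.org[192.0.2.20]:25, status=sent
Jun 12 12:01:09 mx postfix/smtpd[811]: 8A9B0C: client=ws-17.corp.example[10.0.0.17]
Jun 12 12:01:10 mx postfix/smtp[902]: 8A9B0C: to=<ds2iahf@kukamail.com>, relay=none, status=deferred
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: "
                  r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT = re.compile(r"client=\S+?\[(?P<ip>[^\]]+)\]")
RCPT = re.compile(r"to=<(?P<rcpt>[^>]+)>")

def find_drop_mail(log_text):
    """Return {client_ip: [(timestamp, recipient), ...]} for mail to drop addresses."""
    clients = {}                 # queue ID -> IP of the host that submitted it
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # not a queue-tagged Postfix line
        c = CLIENT.search(m["rest"])
        if c:
            clients[m["qid"]] = c["ip"]
            continue
        r = RCPT.search(m["rest"])
        # Addresses are compared case-insensitively; a deferred or bounced
        # attempt still identifies the sending host, so status is ignored.
        if r and r["rcpt"].lower() in DROP_ADDRESSES:
            hits[clients.get(m["qid"], "unknown")].append((m["ts"], r["rcpt"].lower()))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_drop_mail(SAMPLE_LOG).items():
        print(ip, events)
```

A host that appears in the result should be treated as a candidate for the other behaviours described in this entry, such as a listener on port 1080.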

Visible Symptoms 

    

PSWBugbear.B is difficult to recognize, as it does not display any warnings or messages that indicate that it has infected a computer.

When spreading across shared network drives, PSWBugbear.B does not check if the directories it is copying itself to are shared printers. Therefore, if it copies itself to one of these directories, the printer will start printing junk characters.