Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Bugbear.B

 
Threat LevelHigh threat
DamageSevere
DistributionNot widespread

Effects

Bugbear.B has the following effects:

  • It sends out a file containing a copy of the cached passwords of the dial-up connection to networks to a certain list of e-mail addresses. It does this if the default e-mail address of the victim computer, which it obtains from the Windows Registry, belongs to one of the domains in its list. This list mainly includes domains belonging to financial entities. The addresses it sends the cached passwords to are the following:
    ifrbr@canada.com, sdorad@juno.com, fbnfgh@email.ro, eruir@hotpop.com, ersdes@truthmail.com, eofb2@blazemail.com, ioter5@yook.de, iuery@myrealbox.com, jkfhw@wildemail.com and ds2iahf@kukamail.com.
  • It infects the following files, if it finds them on the affected computer:
    %windir%\SCANDSKW.EXE
    %windir%\REGEDIT.EXE
    %windir%\MPLAYER.EXE
    %windir%\HH.EXE
    %windir%\NOTEPAD.EXE
    %windir%\WINHELP.EXE
    %programfiles%\INTERNET EXPLORER\IEXPLORE.EXE
    %programfiles%\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
    %programfiles%\WINRAR\WINRAR.EXE
    %programfiles%\WINDOWS MEDIA PLAYER\MPLAYER2.EXE
    %programfiles%\REAL\REALPLAYER\REALPLAY.EXE
    %programfiles%\OUTLOOKEXPRESS\MSIMN.EXE
    %programfiles%\FAR\FAR.EXE
    %programfiles%\CUTEFTP\CUTFTP32.EXE
    %programfiles%\ADOBE\ACROBAT 4.0\READER\ACRORD32.EXE
    %programfiles%\ACDSEE32\ACDSEE32.EXE
    %programfiles%\MSN MESSENGER\MSNMSGR.EXE
    %programfiles%\WS_FTP\WS_FTP95.EXE
    %programfiles%\QUICKTIME\QUICKTIMEPLAYER.EXE
    %programfiles%\STREAMCAST\MORPHEUS\MORPHEUS.EXE
    %programfiles%\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    %programfiles%\TRILLIAN\TRILLIAN.EXE
    %programfiles%\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
    %programfiles%\AIM95\AIM.EXE
    %programfiles%\WINAMP\WINAMP.EXE
    %programfiles%\DAP\DAP.EXE
    %programfiles%\ICQ\ICQ.EXE
    %programfiles%\KAZAA\KAZAA.EXE
    %programfiles%\WINZIP\WINZIP32.EXE)

    where %windir% is the Windows directory and %programfiles% is the Program files directory.
  • These files belong to different computer applications, which will not stop working. However, whenever one of these applications is run (KaZaA, Winzip, Internet Explorer, etc.), the worm will also be run.
  • It also sometimes acts as a backdoor type Trojan, allowing a hacker to carry out the following actions on affected computers:
    - List, start and end processes.
    - List, copy and delete files.
    - Send out files containing the keystrokes captured by the keylogger.
    - Send information from the affected computer.
    - List the network resources and characteristics.
    - Open an HTTP server to interact remotely through a web interface.
  • It looks for a series of processes related to antivirus and security programs. If they are enabled, it ends them. By doing this these programs will stop running. For a list of these processes, click here.
  • It opens port 1080, which allows hackers to gain remote access to the affected computer.
  • It logs the keystrokes in a file. By doing this, hackers that accessed this file would be able to obtain confidential data such as passwords for accessing certain Internet services, bank accounts, etc. The keylogger information is sent when the data saved exceeds 25,000 bytes or every two hours.

Infection strategy 

Bugbear.B creates the following files:

  • ????.EXE in the Windows Startup directory. By creating it in this directory, Bugbear.B ensures that it is run whenever Windows is started. It obtains the path of this directory by reading the following key in the Windows Registry:
    HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Shell Folders\ Common Startup = the user's start up directory
  • ???????.DLL in the Windows system directory. This file is 5,632 bytes in size and is a keylogger, which captures the keystrokes entered in the affected computer. This file is detected by Panda Software as PSWBugbear.B.
  • ~PHQGHUM.TMP or SPHQGHUM.TMP in the Windows temporary directory. The name of this file varies depending on whether it is being used by the worm or not.
  • It also creates other files with a DLL extension, which contain encrypted data collected or generated by the worm.

Means of transmission 

Bugbear.B spreads via e-mail and across shared network drives.

1- Transmission via e-mail.

In order to spread via e-mail, Bugbear.B follows the routine below:

  • It reads the following entry in the Windows Registry in order to obtain the mail server:
    HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Internet Account Manager
  • Similarly, the worm contains a list of domains with possible mail servers.
  • It looks for e-mail addresses in the files it finds on the affected computer which contain the following texts: DBX, TBB, EML, MBX, NCH, MMF, INBOX and ODS.
  • It sends a copy of itself to all the addresses it finds. In order to do this, it uses its own SMTP engine. The message has the following characteristics:

    Subject: One of the following:
    Get 8 FREE issues - no risk!
    Hi!
    Your News Alert
    $150 FREE Bonus!
    Re:
    Your Gift
    New bonus in your cash account
    Tools For Your Online Business
    Daily Email Reminder
    News
    free shipping!
    its easy
    Warning!
    SCAM alert!!!
    Sponsors needed
    new reading
    CALL FOR INFORMATION!
    25 merchants and rising
    Cows
    My eBay ads
    empty account
    Market Update Report
    click on this!
    fantastic
    wow!
    bad news
    Lost & Found
    New Contests
    Today Only
    Get a FREE gift!
    Membership Confirmation
    Report
    Please Help...
    Stats
    I need help about script!!!
    Interesting...
    Introduction
    various
    Announcement
    history screen
    Correction of errors
    Just a reminder
    Payment notices
    hmm..
    update
    Hello!

    Attachments: The name of the file is extremely variable. It can be one of the following:
    DATA
    SONG
    MUSIC
    VIDEO
    PHOTO
    RESUME
    PICS
    IMAGES
    IMAGE
    NEWS
    DOCS
    CARD
    SETUP
    README
    The file will have one or two of the following extensions EXE, SCR or PIF.
    The name of the attached file can also be obtained from the files stored in the user's personal directory (indicated by the following Registry entry: KEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Shell Folders\ Personal), or the files stored in the My Documents directory which have one of the following extensions: REG, INI, BAT, DIZ, TXT, CPP, HTML, HTM, JPEG, JPG, GIF, CPL, DLL, VXD, SYS, COM, EXE or BMP.
  • Bugbear.B does not send a message to any mail address that contains one of the following words:
    majordom
    ticket
    talk
    list
    localdomain
    localhost
    nobody@
    root@
    postmaster@
    mailer-daemon
    trojan
    virus
    lyris
    noreply
    recipients
    undisclosed
    spam
    remove
  • The recipient of the infected message will be affected by this worm by simply viewing the message through the Outlook Preview Pane, as Bugbear.B exploits a vulnerability in Internet Explorer (versions 5.01 and 5.5), which allow e-mail attachments to be automatically run. This vulnerability exploit is known as Exploit/iFrame. However, Bugbear.B does not always exploit this vulnerability to carry out its infection.

2- Transmission across shared network drives.

  • In order to spread across shared network drives, Bugbear.B follows the routine below:
  • Bugbear.B checks if the affected computer is connected to a network. If it is, it looks for network drives and creates a copy of itself in the start directory of these drives.
  • By doing this, when the network drive is started up, it will be automatically affected by Bugbear.B.
  • Bugbear.B may not be able to copy itself to the Startup directory in computers with different operating systems or in different languages, as the worm assumes that the directory in the remote machine it wants to infect has the same path as the one in the local machine.

Note: When spreading across shared network drives, Bugbear.B does not check if the directories it is copying itself to are shared printers. Therefore, if it copies itself to one of these directories, the printer will start printing junk characters.

Further Details  

Other interesting characteristics of Bugbear.B are:

  • It is written in the programming language Visual C.
  • The worm is 72,192 bytes in size and it is compressed with modified UPX.
  • It creates a mutex and assigns it the name w32shamur in order to find out if it is running. If it is, it is not run again.
  • The worm incorporates a list of domains belonging to banks, among others. If the worm connects to a machine in one of these domains, Bugbear.B enables the AutoDial option by modifying an entry in the Windows Registry. By doing this, it prevents confirmation being required in order to establish network connection via modem.