Welcome to the Virus Encyclopedia of Panda Security.
Bugbear.B has the following effects:
It sends a file containing a copy of the cached passwords for dial-up network connections to a fixed list of e-mail addresses. It does this only if the default e-mail address of the victim computer, which it reads from the Windows Registry, belongs to one of the domains in its list; this list mainly contains domains of financial institutions. The addresses it sends the cached passwords to are the following:
It infects the following files, if it finds them on the affected computer:
%programfiles%\WINDOWS MEDIA PLAYER\MPLAYER2.EXE
where %windir% is the Windows directory and %programfiles% is the Program files directory.
These files belong to different applications, which continue to work normally. However, whenever one of these applications (KaZaA, WinZip, Internet Explorer, etc.) is run, the worm is run as well.
It also sometimes acts as a backdoor-type Trojan, allowing an attacker to carry out the following actions on affected computers:
- List, start and end processes.
- List, copy and delete files.
- Send out files containing the keystrokes captured by the keylogger.
- Send information from the affected computer.
- List the network resources and characteristics.
- Open an HTTP server to interact remotely through a web interface.
It looks for a series of processes belonging to antivirus and security programs. If any of them are running, it terminates them, so that these programs stop protecting the computer.
It opens port 1080, which allows hackers to gain remote access to the affected computer.
It logs keystrokes to a file. An attacker who obtains this file can recover confidential data such as passwords for Internet services, bank accounts, etc. The keylogger data is sent out whenever the saved data exceeds 25,000 bytes or every two hours, whichever comes first.
Bugbear.B creates the following files:
????.EXE in the Windows Startup directory. By creating it in this directory, Bugbear.B ensures that it is run whenever Windows is started. It obtains the path of this directory by reading the following key in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup = the user's startup directory
???????.DLL in the Windows system directory. This file is 5,632 bytes in size and is a keylogger, which captures the keystrokes entered in the affected computer. This file is detected by Panda Software as PSWBugbear.B.
~PHQGHUM.TMP or SPHQGHUM.TMP in the Windows temporary directory. The name of this file varies depending on whether it is being used by the worm or not.
It also creates other files with a DLL extension, which contain encrypted data collected or generated by the worm.
Means of transmission
Bugbear.B spreads via e-mail and across shared network drives.
1- Transmission via e-mail.
In order to spread via e-mail, Bugbear.B follows the routine below:
It reads the following entry in the Windows Registry in order to obtain the mail server:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager
Similarly, the worm contains a list of domains with possible mail servers.
It harvests e-mail addresses from files on the affected computer whose names contain one of the following strings (mailbox and address-book formats): DBX, TBB, EML, MBX, NCH, MMF, INBOX and ODS.
It sends a copy of itself to all the addresses it finds. In order to do this, it uses its own SMTP engine. The message has the following characteristics:
Subject: One of the following:
Get 8 FREE issues - no risk!
Your News Alert
$150 FREE Bonus!
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
CALL FOR INFORMATION!
25 merchants and rising
My eBay ads
Market Update Report
click on this!
Lost & Found
Get a FREE gift!
I need help about script!!!
Correction of errors
Just a reminder
Attachments: The name of the file is extremely variable. It can be one of the following:
The file will have one or two of the following extensions: EXE, SCR or PIF.
The name of the attached file can also be taken from the files stored in the user's personal directory (indicated by the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal), or from the files stored in the My Documents directory that have one of the following extensions: REG, INI, BAT, DIZ, TXT, CPP, HTML, HTM, JPEG, JPG, GIF, CPL, DLL, VXD, SYS, COM, EXE or BMP.
Bugbear.B does not send a message to any mail address that contains one of the following words:
The recipient of the infected message can be affected by this worm simply by viewing the message in the Outlook Preview Pane, because Bugbear.B exploits a vulnerability in Internet Explorer (versions 5.01 and 5.5) that allows e-mail attachments to be run automatically. This exploit is known as Exploit/iFrame. However, Bugbear.B does not always rely on this vulnerability to carry out its infection.
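A mail-gateway check built from the subject list and the attachment naming described above, as an added example that is not part of this page or of the worm itself; the Message class and the sample messages are constructed stand-ins for a parsed MIME message, and the verdict thresholds are an assumption of this example.

```python
from dataclasses import dataclass, field

# Subject lines Bugbear.B uses, as listed on this page (compared case-insensitively).
BUGBEAR_SUBJECTS = {
    "get 8 free issues - no risk!", "your news alert", "$150 free bonus!",
    "new bonus in your cash account", "tools for your online business",
    "daily email reminder", "call for information!", "25 merchants and rising",
    "my ebay ads", "market update report", "click on this!", "lost & found",
    "get a free gift!", "i need help about script!!!", "correction of errors",
    "just a reminder",
}
# Executable extensions the worm attaches, and the document extensions it
# borrows attachment names from (both lists taken from this page).
EXEC_EXT = {"exe", "scr", "pif"}
DECOY_EXT = {"reg", "ini", "bat", "diz", "txt", "cpp", "html", "htm", "jpeg", "jpg",
             "gif", "cpl", "dll", "vxd", "sys", "com", "exe", "bmp"}

@dataclass
class Message:  # constructed stand-in for a parsed MIME message (assumption)
    subject: str
    attachments: list = field(default_factory=list)

def attachment_risk(name: str) -> str:
    """'double-ext' for name.txt.exe or name.scr.exe, 'exec' for a bare .exe/.scr/.pif, else 'ok'."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXT | EXEC_EXT:
        return "double-ext"
    return "exec"

def triage(msg: Message) -> dict:
    """Combine a subject-list hit with attachment risk into a gateway verdict."""
    subject_hit = msg.subject.strip().lower() in BUGBEAR_SUBJECTS
    flags = [(a, attachment_risk(a)) for a in msg.attachments if attachment_risk(a) != "ok"]
    if subject_hit and flags:
        verdict = "quarantine"  # both indicators present: treat as worm traffic
    elif subject_hit or flags:
        verdict = "review"      # a single indicator: hold for analyst review
    else:
        verdict = "pass"
    return {"subject_hit": subject_hit, "attachment_flags": flags, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    for m in (Message("Your News Alert", ["minutes.txt.exe"]),
              Message("Lunch tomorrow?", ["photo.jpg"]),
              Message("Lunch tomorrow?", ["setup.pif"])):
        print(m.subject, "->", triage(m)["verdict"])
```
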
2- Transmission across shared network drives.
In order to spread across shared network drives, Bugbear.B follows the routine below:
Bugbear.B checks if the affected computer is connected to a network. If it is, it looks for network drives and creates a copy of itself in the start directory of these drives.
By doing this, the worm is run automatically the next time the computer that hosts the network drive is started up, so that computer is affected by Bugbear.B as well.
Bugbear.B may not be able to copy itself to the Startup directory in computers with different operating systems or in different languages, as the worm assumes that the directory in the remote machine it wants to infect has the same path as the one in the local machine.
Note: When spreading across shared network drives, Bugbear.B does not check if the directories it is copying itself to are shared printers. Therefore, if it copies itself to one of these directories, the printer will start printing junk characters.
Other interesting characteristics of Bugbear.B are:
It is written in the programming language Visual C.
The worm is 72,192 bytes in size and it is compressed with modified UPX.
It creates a mutex named w32shamur in order to find out whether a copy of the worm is already running. If it is, the new copy does not run.
The worm incorporates a list of domains belonging to banks, among others. If the worm connects to a machine in one of these domains, Bugbear.B enables the AutoDial option by modifying an entry in the Windows Registry. By doing this, it avoids the confirmation prompt that would otherwise be required to establish a network connection via modem.