Win32:BugBear

Win32:BugBear is an Internet worm written in Microsoft C and packed with UPX. The worm is 50688 bytes long and spreads via email and via network shares. It drops a trojan horse with keylogging and backdoor capabilities. The worm arrives as a randomly named attachment in an email message with variable subject and body. It uses the well-known IFrame exploit, which lets the attachment run automatically on computers whose Internet Explorer has not been patched against it, without the user opening the attachment.

After the infected attachment is executed, the worm copies itself to the WINDOWS\SYSTEM directory under a four-character random name, then copies itself to the Windows STARTUP directory under a three-character random name. It then tries to copy itself to remote machines with open shared drives over the LAN, again under a three-character random name. It also opens TCP port 36794 and listens there for commands from outside. The worm then drops the keylogging trojan into the following files: C:\WINDOWS\SYSTEM\ICCYOA.DLL, C:\WINDOWS\SYSTEM\LGGUQAA.DLL, C:\WINDOWS\SYSTEM\ROOMUAA.DLL, C:\WINDOWS\OKKQSA.DAT and C:\WINDOWS\USSOWA.DAT. When spreading over the LAN it can also reach network printers; these cannot be infected, but the worm can print a lot of garbage on them.

The following registry value is created so that the worm is started again after the next reboot (**** stands for the worm's random four-character file name):
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
"tie" = "****.EXE"
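The two host artefacts described above, the RunOnce value pointing at a bare four-character .EXE and the backdoor listening on port 36794, can be triaged from a registry export and netstat output. The script below is an added example written for this page, not Avast's code; the registry export and the netstat lines it parses are constructed samples, the value name "tie" and the file name CUUU.EXE are illustrative, and the four-character pattern follows the description above rather than any list of known names.

```python
import re

# Constructed sample of a Windows registry export (regedit /e style), NOT from a
# real infected host. The RunOnce value mirrors the artefact described above;
# the Run values are ordinary entries included so the filter has something to skip.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tie"="CUUU.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\Program Files\\Vendor\\upd.exe"
"""

# Constructed sample of "netstat -an" output, NOT from a real infected host.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.1:25         ESTABLISHED
"""

RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
BACKDOOR_PORT = 36794  # port the worm listens on, as described above

# Bare four-character name plus .EXE, no path: the worm copies itself into
# WINDOWS\SYSTEM (which is on the search path) so no directory is needed.
# Assumption: the random characters are letters or digits.
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]{4}\.EXE$", re.IGNORECASE)

# One line of a .reg export: "name"="data", with \\ and \" escapes inside either.
REG_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the backslash escaping used for string data in .reg exports."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Parse [key] headers and "name"="data" string values into {key: {name: data}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = REG_VALUE_LINE.match(line)
            if m:
                name, data = m.groups()
                entries[current][_unescape(name)] = _unescape(data)
    return entries


def suspicious_runonce(entries):
    """Return (name, data) pairs under RunOnce whose data is a bare four-character .EXE."""
    return [(name, data)
            for name, data in entries.get(RUNONCE_KEY, {}).items()
            if RANDOM_EXE.match(data)]


def listening_tcp_ports(netstat_text):
    """Collect local TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[-1].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def bugbear_indicators(reg_text, netstat_text):
    """Combine both checks; either indicator alone justifies a closer look at the host."""
    return {
        "runonce": suspicious_runonce(parse_reg_export(reg_text)),
        "backdoor_port_open": BACKDOOR_PORT in listening_tcp_ports(netstat_text),
    }


if __name__ == "__main__":
    report = bugbear_indicators(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT)
    for name, data in report["runonce"]:
        print(f"suspicious RunOnce value: {name} = {data}")
    if report["backdoor_port_open"]:
        print(f"TCP port {BACKDOOR_PORT} is listening")
```

On a real host, feed the script the output of regedit's export of the RunOnce key and of netstat -an; a bare four-character .EXE in RunOnce is unusual enough on its own to be worth checking against the file in WINDOWS\SYSTEM, and the open port confirms the backdoor component is running.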

The worm also tries to disable antivirus and firewall software by targeting the following process names:
_AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLAW95.EXE, CLAW95CF.EXE, CLEANER.EXE, CLEANER3.EXE, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE, ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, F-PROT.EXE, F-PROT95.EXE, F-STOPW.EXE, FINDVIRU.EXE, FP-WIN.EXE, FPROT.EXE, FRW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFACE.EXE, IOMON98.EXE, JEDI.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, N32SCANW.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, PAVSCHED.EXE, PAVW.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, VET95.EXE, VETTRAY.EXE, VSCAN40.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSTAT.EXE, WEBSCANX.EXE, WFINDV32.EXE and ZONEALARM.EXE.

The worm then searches for email addresses in the current inbox and in files on the local disk with the following extensions: MMF, NCH, MBX, EML, TBB and DBX. It uses its own SMTP routine to send the mails via the SMTP server configured in the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts

It forges the From field in a similar way to Win32:Klez-H, so there is no obvious way to identify the real sender, i.e. the infected computer.

Removal:
Delete all files infected by Win32:BugBear. While the worm is active, however, its files may be locked and cannot be deleted. Deactivate the worm first, either by terminating its process via Task Manager or by removing its RunOnce registry value and rebooting the computer, then delete the files.

Any avast! with VPS file dated on or after 30th September 2002 is able to detect this worm.

Refer: Avast



Copyright © 2004-2004 All rights reserved.