SECURITY ALERT

Name:      W32/Bugbear.b@mm
Aliases:   W32.Bugbear.B,Bugbear.B,PE_BugBear.B
Variants:  
Type:      Internet Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 4 (medium)

The following has been derived from information provided by Symantec, NAI, Trend Micro, and F-Secure.

Virus Characteristics

W32/Bugbear.b@mm is a Windows PE executable compressed with the UPX file compressor and encrypted with a simple algorithm that changes with every generation of the worm, making this variant polymorphic. The packed file is 72192 bytes; once decompressed it is over 170 kilobytes. Bugbear.b also has keystroke-logging and backdoor capabilities. Once active on the system, the worm attempts to terminate the processes of several anti-virus and firewall programs. This variant also has a file-infector payload.

This worm has two propagation methods. The first is SMTP messages with multiple variations of subject and filename. It harvests addresses found on the local system and uses them for the TO and FROM fields, so the sender address is spoofed (forged) and is not a direct indication of who the infected user is. It extracts addresses from files whose names contain these strings:

.DBX
.EML
INBOX
.MBX
.MMF
.NCH
.ODS
.TBB

The attachment may appear to have two extensions but ends in .exe, .pif, or .scr. The outgoing messages appear to be formatted to make use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. The second propagation method is attempting to copy itself to the Startup folder of remote machines on the network.


Payload

The worm copies itself to the Startup folder under a random file name to ensure execution at start-up, for example:

Win98 : C:\WINDOWS\Start Menu\Programs\Startup\GFYS.EXE
Win2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\GFYS.EXE

The keylogger DLL is used to capture typed keystrokes. It has a random name that always consists of 7 characters followed by .dll and is located in the %SysDir% directory. Two other files with similar names are placed in the same directory; they contain the encrypted captured information. A small randomly named .dat file, also used for the keylogging, is placed in the %WinDir% directory.

The remote access portion of the worm listens on TCP Port 1080 for commands, allowing a remote attacker to gain access to the compromised system.
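The three host artifacts described above (an executable dropped in a Startup folder, a 7-character .dll in the system directory, and a listener on TCP 1080) can be checked from an inventory of file paths and netstat output. This is an added triage example, not code from the alert or its sources; it assumes %SysDir% is System32, and the sample paths, DLL name and netstat lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Matches the alert's description of the keylogger DLL: a random name of
# exactly 7 characters plus ".dll". Legitimate 7-character DLLs exist, so a
# hit is a triage lead to cross-check against a known-good baseline, not proof.
KEYLOGGER_DLL = re.compile(r"^[A-Za-z0-9]{7}\.dll$", re.IGNORECASE)
DROPPED_EXTENSIONS = (".exe", ".pif", ".scr")
BACKDOOR_PORT = 1080  # TCP port the alert says the backdoor listens on

# Constructed sample inventory (not real data); %SysDir% is assumed to be
# System32 and the 7-character DLL name is invented.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Start Menu\Programs\Startup\GFYS.EXE",
    r"C:\WINDOWS\System32\qwzrtpl.dll",
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\Office.lnk",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       1234",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       840",
]

def find_indicators(file_paths, netstat_lines):
    """Return (indicator, evidence) pairs for the alert's host artifacts."""
    findings = []
    for path in file_paths:
        wp = PureWindowsPath(path)
        parts = [p.lower() for p in wp.parts]
        # Executable dropped directly into a Startup folder (the worm's copy).
        if "startup" in parts and wp.suffix.lower() in DROPPED_EXTENSIONS:
            findings.append(("startup-executable", path))
        # 7-character .dll inside the system directory (the keylogger DLL).
        if parts[-2:-1] == ["system32"] and KEYLOGGER_DLL.match(wp.name):
            findings.append(("seven-char-dll", path))
    for line in netstat_lines:
        # "netstat -an" style line: proto, local addr:port, remote, state.
        m = re.search(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            findings.append(("listener-1080", line.strip()))
    return findings

if __name__ == "__main__":
    for kind, evidence in find_indicators(SAMPLE_PATHS, SAMPLE_NETSTAT):
        print(f"{kind}: {evidence}")
```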

New in this variant is the file infector routine. The virus attempts to infect specific executables. It retrieves the path to these files located in the Program Files directory from the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir

It also tries to infect the following files on both local and network drives:

hh.exe
mplayer.exe
notepad.exe
regedit.exe
scandskw.exe
winhelp.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
adobe\acrobat5.0\reader\acrord32.exe
AIM95\aim.exe
CuteFTP\cutftp32.exe
DAP\DAP.exe
Far\Far.exe
ICQ\Icq.exe
Internet Explorer\iexplore.exe
kazaa\kazaa.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
MSN Messenger\msnmsgr.exe
Outlook Express\msimn.exe
QuickTime\QuickTimePlayer.exe
Real\RealPlayer\realplay.exe
StreamCast\Morpheus\Morpheus.exe
Trillian\Trillian.exe
Winamp\winamp.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
winzip\winzip32.exe
WS_FTP\WS_FTP95.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe

Bugbear.B also attempts to terminate a wide range of anti-virus and firewall software noted below:

ACKWIN32.exe
ANTI-TROJAN.exe
APVXDWIN.exe
AUTODOWN.exe
AVCONSOL.exe
AVE32.exe
AVGCTRL.exe
AVKSERV.exe
AVNT.exe
AVP32.exe
AVPCC.exe
AVPDOS32.exe
AVPM.exe
AVPTC32.exe
AVPUPD.exe
AVSCHED32.exe
AVWIN95.exe
AVWUPD32.exe
BLACKD.exe
BLACKICE.exe
CFIADMIN.exe
CFIAUDIT.exe
CFINET.exe
CFINET32.exe
CLAW95.exe
CLAW95CF.exe
CLEANER.exe
CLEANER3.exe
DVP95.exe
DVP95_0.exe
ECENGINE.exe
ESAFE.exe
ESPWATCH.exe
F-AGNT95.exe
FINDVIRU.exe
FPROT.exe
F-PROT.exe
F-PROT95.exe
F-STOPW.exe
IAMAPP.exe
IAMSERV.exe
IBMASN.exe
IBMAVSP.exe
ICLOAD95.exe
ICLOADNT.exe
ICMON.exe
ICSUPP95.exe
ICSUPPNT.exe
IFACE.exe
IOMON98.exe
JEDI.exe
LOCKDOWN2000.exe
LOOKOUT.exe
LUALL.exe
MOOLIVE.exe
MPFTRAY.exe
N32SCANW.exe
NAVAPW32.exe
NAVLU32.exe
NAVNT.exe
NAVW32.exe
NAVWNT.exe
NISUM.exe
NMAIN.exe
NORMIST.exe
NUPGRADE.exe
NVC95.exe
OUTPOST.exe
PADMIN.exe
PAVCL.exe
PAVSCHED.exe
PAVW.exe
PCCWIN98.exe
PCFWALLICON.exe
PERSFW.exe
RAV7.exe
RAV7WIN.exe
RESCUE.exe
SAFEWEB.exe
SCAN32.exe
SCAN95.exe
SCANPM.exe
SCRSCAN.exe
SERV95.exe
SPHINX.exe
SWEEP95.exe
TBSCAN.exe
TDS2-98.exe
TDS2-NT.exe
VET95.exe
VETTRAY.exe
VSCAN40.exe
VSECOMR.exe
VSHWIN32.exe
VSSTAT.exe
WEBSCANX.exe
WFINDV32.exe
ZONEALARM.exe


Preventative Measures

Whenever possible, block at the gateway all incoming SMTP messages that have attachments with the following extensions:

.exe
.scr
.pif

Mark all executable files noted above as read only.
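The gateway rule above, applied to a parsed message: flag any attachment whose filename ends in .exe, .scr or .pif (double extensions included) and note when such a part is declared under a non-application media type, which is the header mismatch the alert associates with the IE attachment vulnerability. This is an added example using Python's standard email parser, not code from the alert or its sources; the sample message is constructed.

```python
import email
from email import policy
# Extensions the alert's Preventative Measures say to block at the gateway.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif")
# Constructed sample message (not a real capture): a double-extension
# executable declared as an audio type, plus a harmless text attachment.
SAMPLE_MESSAGE = b"""\
From: someone@example.invalid
To: victim@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: audio/x-wav; name="Setup.doc.exe"
Content-Disposition: attachment; filename="Setup.doc.exe"

TVo=
--bnd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

hello
--bnd--
"""

def check_message(raw):
    """Return one finding per attachment the gateway policy would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if not name.endswith(BLOCKED_EXTENSIONS):
            continue
        reasons = ["blocked-extension"]
        if name.count(".") > 1:
            reasons.append("double-extension")  # e.g. Setup.doc.exe
        ctype = part.get_content_type()
        # Executable filename under a non-application media type: the
        # header mismatch the alert links to the IE auto-execute flaw.
        if not ctype.startswith("application/"):
            reasons.append("mime-mismatch:" + ctype)
        findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))
```

A message is rejected when check_message returns a non-empty list; the text attachment in the sample passes untouched.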


Fixes Available

Network Associates:
Minimum DAT: 4270
Release Date: 06/05/2003
Minimum Engine: 4.1.60

Symantec:
Virus Definitions (Intelligent Updater): June 05, 2003
Virus Definitions (LiveUpdate): N/A

Trend:
Pattern File: 557
Minimum Scan Engine: 5.200
