Description
Win32.HLLM.Bugbear.2 is a mass-mailing worm written in Microsoft Visual C/C++ and packed with UPX. The present modification combines a polymorphic virus with a file infector.
The worm propagates en masse via e-mail using its own SMTP engine and is also capable of spreading through shared drives of the local network. During installation and during propagation via shared resources, the worm infects certain executable files by appending its code to them.
The program contains Trojan components: a keylogging utility, and a component that opens port 1080 on the infected system, which may lead to leakage of sensitive information. The worm also terminates a number of anti-virus programs and firewalls.
To infect the target system the worm exploits a well-known MS Internet Explorer vulnerability, the so-called "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment", which allows a program file (containing the virus) to run automatically as soon as the message is previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5).
Spreading
After the system has been hit by the worm it starts spreading using its own SMTP engine. It retrieves the default SMTP account data from the registry: the key
SOFTWARE\Microsoft\Internet Account Manager\Default Mail Account
and the SMTP Email Address value of the corresponding entry under Accounts.
The worm sends infected messages to all addresses found in the incoming and sent messages of the affected computer, and to those harvested from files with the .dbx, .eml, .mbx, .mmf, .nch, .ods or .tbs extensions.
The worm can generate replies, prepending FW: to the subject, and can insert a forged address into the sender's name field.
The mail message infected with Win32.HLLM.Bugbear.2 may look as follows:
Subject: chosen by the worm from a list of subjects stored in its body, for example:
Hello!
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re: $150 FREE Bonus!
Your News Alert
Hi!
Get 8 FREE issues - no risk!
Greets!
Message body: may be empty, or composed of several strings taken from existing messages on the system.
Attachment names are generated by the worm from file names found in the My Documents folder and in the registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
The attachment name has a double extension, the second part of which is always .exe, .pif or .scr. The following words can also be used in attachment names:
Card, Docs, image, images, music, news, photo, pics, readme, resume, Setup, song, video
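The mail traits described above (subjects taken from a fixed list, FW:/Re: prefixes, double-extension attachments ending in .exe/.pif/.scr, and an executable declared under a harmless MIME Content-Type, which is what the Internet Explorer MIME-header flaw mentioned in the description relies on) can be turned into a simple mail-gateway heuristic. The following Python script is an added example, not code from the original description or from any Dr.Web product; it uses only the standard library, the subject and word lists are a subset of those given above, and the sample message is a constructed fixture whose base64 body is a stub, not a real file.

```python
"""Heuristic scanner for the mail indicators described in the Bugbear.2 entry.

Added example (not part of the original page). Parses an RFC 822 message
with the standard library and reports three indicators: a subject taken
from the worm's documented subject list, an attachment whose name carries a
double extension ending in .exe/.pif/.scr, and an executable attachment whose
Content-Type claims a non-executable (e.g. audio) type.
"""
import email
from email import policy
from email.message import EmailMessage

# Subset of the subject lines listed in the description (lower-cased).
WORM_SUBJECTS = {
    "hello!", "payment notices", "just a reminder", "correction of errors",
    "membership confirmation", "get a free gift!", "bad news", "wow!",
    "empty account", "my ebay ads", "scam alert!!!", "your gift",
    "re: $150 free bonus!", "daily email reminder", "greets!",
}
# Words the description says the worm uses to build attachment names.
ATTACH_WORDS = {"card", "docs", "image", "images", "music", "news", "photo",
                "pics", "readme", "resume", "setup", "song", "video"}
EXEC_EXTS = (".exe", ".pif", ".scr")
# Content types under which an executable attachment is legitimately declared.
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload",
              "application/x-msdos-program"}


def subject_matches(subject: str) -> bool:
    """True if the subject, with or without a leading FW:/Re:, is on the list."""
    s = (subject or "").strip().lower()
    candidates = {s}
    for prefix in ("fw:", "re:"):
        if s.startswith(prefix):
            candidates.add(s[len(prefix):].strip())
    return bool(candidates & WORM_SUBJECTS)


def suspicious_attachment_name(name: str) -> bool:
    """True for 'readme.doc.exe'-style double extensions, or for a documented
    word used as the base name with an executable extension ('Setup.pif')."""
    low = name.lower()
    if not low.endswith(EXEC_EXTS):
        return False
    parts = low.split(".")          # ['readme', 'doc', 'exe'] -> double extension
    if len(parts) >= 3:
        return True
    return parts[0] in ATTACH_WORDS


def mime_type_mismatch(part: EmailMessage) -> bool:
    """Executable file name declared under a non-executable Content-Type."""
    name = part.get_filename() or ""
    if not name.lower().endswith(EXEC_EXTS):
        return False
    return part.get_content_type() not in EXEC_TYPES


def scan_message(raw: str) -> list:
    """Return the list of indicator strings found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if subject_matches(msg["Subject"]):
        findings.append("subject-in-worm-list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if suspicious_attachment_name(name):
            findings.append(f"double-extension:{name}")
        if mime_type_mismatch(part):
            findings.append(f"mime-mismatch:{name}:{part.get_content_type()}")
    return findings


# Constructed sample message: a subject from the list with an FW: prefix and
# an .exe attachment declared as audio/x-wav. The body is a base64 stub.
SAMPLE = """\
From: someone@example.invalid
To: user@example.invalid
Subject: FW: Membership Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: audio/x-wav; name="readme.doc.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.doc.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

Each indicator on its own is weak (a legitimate "Re: $150 FREE Bonus!" exists in spam that is not Bugbear), so a gateway would normally quarantine on the attachment-based indicators and treat the subject match as supporting context.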
Propagation via shared drives of the local network
The worm is capable of spreading via all shared resources of the local network to which it has write access. To spread through them it copies itself to the Windows startup folders of such drives.
Action
Once launched on the computer, the worm places a copy of itself, an executable file with a randomly generated name and the .exe extension, in the Windows startup folder (C:\Windows\All Users\Start Menu\Programs\StartUp or C:\Documents and Settings\All Users\Start Menu\Programs\Startup).
Then the worm creates a .dll file with a name made up of 7 letters (the keylogging utility) and two .dat files in the Windows\System folder.
Once resident, the worm opens port 1080 and waits for instructions from a remote user, who can thus bypass the security of the infected computer and perform actions not authorised by the legitimate user.
The worm infects the following executable files by appending its code to them:
hh.exe mplayer.exe notepad.exe regedit.exe scandskw.exe winhelp.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
adobe\acrobat5.0\reader\acrord32.exe
AIM95\aim.exe
CuteFTP\cutftp32.exe
DAP\DAP.exe
Far\Far.exe
ICQ\Icq.exe
Internet Explorer\iexplore.exe
kazaa\kazaa.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
MSN Messenger\msnmsgr.exe
Outlook Express\msimn.exe
QuickTime\QuickTimePlayer.exe
Real\RealPlayer\realplay.exe
StreamCast\Morpheus\Morpheus.exe
Trillian\Trillian.exe
Winamp\winamp.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
winzip\winzip32.exe
WS_FTP\WS_FTP95.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
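The description says the worm appends its code to the executables listed above. A defender-side check for that is an integrity comparison against known-good hashes, combined with a PE overlay measurement: bytes after the end of the last section are where appended data lands. The following Python script is an added example, not part of the original description or of any Dr.Web tool. build_pe() constructs a minimal PE fixture in memory so the script runs offline; the file names notepad.exe and regedit.exe come from the list above, but their contents and the baseline hashes are computed from the fixture, not taken from real files. A non-zero overlay is not on its own proof of infection (installers and Authenticode-signed binaries legitimately carry data after the last section), so the hash mismatch is the decisive signal and the overlay size is context.

```python
"""Baseline hash check plus PE overlay measurement for appended code.

Added example (not part of the original page). overlay_size() walks the
PE section table and reports how many bytes follow the last section's raw
data; check_executables() compares each file against a known-good SHA-256
and reports both a hash mismatch and any overlay.
"""
import hashlib
import struct


def overlay_size(data: bytes) -> int:
    """Bytes present after the end of the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    sect_table = pe_off + 24 + size_opt                          # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        off = sect_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def check_executables(files: dict, baseline: dict) -> dict:
    """files: path -> bytes; baseline: path -> expected SHA-256 hex digest.
    Returns path -> list of findings for every file that deviates."""
    findings = {}
    for path, data in files.items():
        notes = []
        digest = hashlib.sha256(data).hexdigest()
        if path in baseline and baseline[path] != digest:
            notes.append("hash differs from baseline")
        extra = overlay_size(data)
        if extra:
            notes.append(f"{extra} bytes appended after last section")
        if notes:
            findings[path] = notes
    return findings


def build_pe(section_raw_size: int, appended: bytes = b"") -> bytes:
    """Constructed fixture: a minimal PE32 with one section, optionally
    followed by appended bytes. It is not a runnable program."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    size_opt = 0xE0                                              # PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = b"\0" * size_opt                                       # no field of it is read here
    headers_len = pe_off + 4 + 20 + size_opt + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                      # file alignment 0x200
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/lineno ptrs and counts, Characteristics
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, section_raw_size,
                                        raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    hdr += b"\0" * (raw_ptr - len(hdr))
    return hdr + b"\xCC" * section_raw_size + appended


# Constructed scenario: notepad.exe unchanged, regedit.exe with 300 bytes appended.
CLEAN = build_pe(0x200)
INFECTED = build_pe(0x200, b"\x90" * 300)
FILES = {"notepad.exe": CLEAN, "regedit.exe": INFECTED}
BASELINE = {name: hashlib.sha256(CLEAN).hexdigest() for name in FILES}

if __name__ == "__main__":
    for path, notes in check_executables(FILES, BASELINE).items():
        print(path, "->", "; ".join(notes))
```

On a real system the baseline would be taken from a trusted install or from vendor-signed copies, and the same two checks run over the full list above; a file that both changed hash and grew by an overlay is the pattern the description implies.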
The worm terminates the following anti-virus programs and firewalls:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE