[Dshield] New Outlook virus?

Arjen De Landgraaf arjen.de.landgraaf at cologic.co.nz
Tue Oct 1 03:12:40 GMT 2002


From www.e-secure-it.us

DETAILED DESCRIPTION OF BUGBEAR, HOW TO RECOGNISE AND FIRST AID KIT.

Bugbear / Tanatos

This virus is written in MSVC and packed with UPX.

It shuts down anti-virus and firewall software designed to block out
intruders and can spread by dropping copies of itself into folders on shared
networks, which are commonly used at corporations and large organizations.

The worm's most interesting feature is a Trojan horse component called
PWS-Hooker that secretly watches every keystroke on an infected computer,
and stores the captured information on the computer in encrypted form. The
data can be accessed later by the virus writer or anyone else who happens
upon the infected computer, or it can be e-mailed to the author.   

Bugbear might be spreading because it is cleverly crafted and difficult to
spot with the naked eye. It arrives in a victim's e-mail inbox with a
subject line chosen randomly from dozens of possibilities. Possible message
subject lines include the following (however, other random subject lines are
also possible):

25 merchants and rising 
Announcement 
bad news 
CALL FOR INFORMATION! 
click on this! 
Correction of errors 
Cows 
Daily Email Reminder 
empty account 
fantastic 
free shipping! 
Get 8 FREE issues - no risk! 
Get a FREE gift! 
Greets! 
Hello! 
Hi! 
history screen 
hmm.. 
I need help about script!!! 
Interesting... 
Introduction 
its easy 
Just a reminder 
Lost & Found 
Market Update Report 
Membership Confirmation 
My eBay ads 
New bonus in your cash account 
New Contests 
new reading 
News 
Payment notices 
Please Help... 
Re: $150 FREE Bonus! 
Report 
SCAM alert!!! 
Sponsors needed 
Stats 
Today Only 
Tools For Your Online Business 
update 
various 
Warning! 
wow! 
Your Gift 
Your News Alert 

The message body varies and may contain fragments of files found on the
victim's system. The attachment name also varies, but may contain the
following strings: 

Card 
Docs 
image 
images 
music 
news 
photo 
pics 
readme 
resume 
Setup 
song 
video 

 
The actual infected file arrives as an attachment, which also has a random
name. And Bugbear's first task, upon infection, is to disable all installed
antivirus software.
It's throwing a lot of things at people to see if it can find something to
slip under the radar.  

Once activated, the virus shuts down scores of vital processes used by
Windows and by antivirus software, records user keystrokes, opens a backdoor
to the infected machine for use by attackers, and attempts to mail copies of
itself out to other users, randomly generating new subject lines and virus
executable names as it does.

W32/Bugbear-A is an internet worm which spreads via SMTP and also attempts
to spread via network shares. The worm copies itself to the Windows system
folder as a file with a random four-letter name and an EXE extension and
adds to the following registry entry to run this file on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

W32/Bugbear-A also drops a copy of itself in the Windows start up folder so
that it is run on system restart.

The worm drops a randomly-named DLL file, which is related to logging
keystrokes, in the Windows system folder. It can also terminate certain
firewall and antivirus programs.


How to recognise:

The virus file is attached to e-mails with a wide variety of subject lines:

Attachment length: 50,688 bytes (UPXed) or 50,664 bytes

The subject line, name of the attachment and text in the body of the message
can vary, and the attachment name typically has a double extension, such as
.xxx.pif, .xxx.scr etc.
 
IF YOU ARE INFECTED:

Symptoms:

Method of infection:
This virus spreads over the network (via network shares) and by mailing
itself (using its own SMTP engine).

It attempts to terminate the processes of the following security programs:

ACKWIN32.exe 
F-AGNT95.exe 
ANTI-TROJAN.exe 
APVXDWIN.exe 
AUTODOWN.exe 
AVCONSOL.exe 
AVE32.exe 
AVGCTRL.exe 
AVKSERV.exe 
AVNT.exe 
AVP32.exe 
AVP32.exe 
AVPCC.exe 
AVPCC.exe 
AVPDOS32.exe 
AVPM.exe 
AVPM.exe 
AVPTC32.exe 
AVPUPD.exe 
AVSCHED32.exe 
AVWIN95.exe 
AVWUPD32.exe 
BLACKD.exe 
BLACKICE.exe 
CFIADMIN.exe 
CFIAUDIT.exe 
CFINET.exe 
CFINET32.exe 
CLAW95.exe 
CLAW95CF.exe 
CLEANER.exe 
CLEANER3.exe 
DVP95_0.exe 
ECENGINE.exe 
ESAFE.exe 
ESPWATCH.exe 
FINDVIRU.exe 
FPROT.exe 
IAMAPP.exe 
IAMSERV.exe 
IBMASN.exe 
IBMAVSP.exe 
ICLOAD95.exe 
ICLOADNT.exe 
ICMON.exe 
ICSUPP95.exe 
ICSUPPNT.exe 
IFACE.exe 
IOMON98.exe 
JEDI.exe 
LOCKDOWN2000.exe 
LOOKOUT.exe 
LUALL.exe 
MOOLIVE.exe 
MPFTRAY.exe 
N32SCANW.exe 
NAVAPW32.exe 
NAVLU32.exe 
NAVNT.exe 
NAVW32.exe 
NAVWNT.exe 
NISUM.exe 
NMAIN.exe 
NORMIST.exe 
NUPGRADE.exe 
NVC95.exe 
OUTPOST.exe 
PADMIN.exe 
PAVCL.exe 
PAVSCHED.exe 
PAVW.exe 
PCCWIN98.exe 
PCFWALLICON.exe 
PERSFW.exe 
F-PROT.exe 
F-PROT95.exe 
RAV7.exe 
RAV7WIN.exe 
RESCUE.exe 
SAFEWEB.exe 
SCAN32.exe 
SCAN95.exe 
SCANPM.exe 
SCRSCAN.exe 
SERV95.exe 
SPHINX.exe 
F-STOPW.exe 
SWEEP95.exe 
TBSCAN.exe 
TDS2-98.exe 
TDS2-NT.exe 
VET95.exe 
VETTRAY.exe 
VSCAN40.exe 
VSECOMR.exe 
VSHWIN32.exe 
VSSTAT.exe 
WEBSCANX.exe 
WFINDV32.exe 
ZONEALARM.exe
 

TROJAN:

Port 36974 open 
Existence of the following files (* represents any character): 
%WinDir%\System\****.EXE (50,688 or 50,684 bytes) 
%WinDir%\******.DAT 
%WinDir%\******.DAT 
%WinDir%\System\******.DLL 
%WinDir%\System\*******.DLL 
%WinDir%\System\*******.DLL 

This worm emails itself to addresses found on the local system.

The worm copies itself to the Windows system folder as a file with a random
four-letter name and an EXE extension and adds to the following registry
entry to run this file on the next reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

When run on the victim machine it copies itself to %WinDir%\System as
****.EXE (where each * represents a random character). For example, in testing:

Win98 : C:\WINDOWS\SYSTEM\FYFA.EXE 
2k Pro : C:\WINNT\SYSTEM32\FVFA.EXE 
The following Registry key is set in order to hook the next system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"%random letters%" = %random filename%.EXE (Win9x)
The worm copies itself to the Startup folder on the victim machine as
***.EXE (where each * represents a random character), for example:

Win98 : C:\WINDOWS\Start Menu\Programs\Startup\CUK.EXE 
2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE

Trojan component 
The worm opens a port on the victim machine - port 36794 and searches for
various running processes, stopping them if found. The list of processes
includes many popular AV and personal firewall products. 

This remote access server allows an attacker to upload and download files,
run executables, and terminate processes.

It drops a DLL on the victim machine - keylogger related. This DLL is
detected as PWS-Hooker.dll. 

Network share propagation 

The worm attempts to copy itself to the Startup folder of remote machines on
the network (as ***.EXE - described above). 

Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE
to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet
Explorer (ver 5.01 or 5.5 without SP2). 


FIRST AID KIT:

AS EMERGENCY MEASURE -  Remove, Disable or encrypt all local email addresses
(addressbook etc) TO PREVENT FROM SPREADING (BEFORE YOU ARE INFECTED)

INCOMING EMAILS:

Filter on attachment length 50,688 bytes (UPXed) or 50,664 bytes

Filter out attachments, especially .pif, .scr (By the way, you should filter
out all attachments anyway)

Nail down your Network shares - it replicates itself through them.

Make sure all USER PC's have IE updated with latest security patches

It takes advantage of a known vulnerability in Microsoft's Internet Explorer
versions 5.01 and 5.5 that allows attackers to embed malicious code in the
header of an improperly formatted HTML message that could cause e-mail
clients such as Outlook to automatically launch attached executable files.

Microsoft addressed the issue in Service Bulletin MS01-020 and issued a
patch for the vulnerability in March of 2001.
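To turn the attachment-length, double-extension and subject-line indicators from the "How to recognise" section and the INCOMING EMAILS advice into a mail-gateway check, here is an added example (my code, not from the original post or from e-secure-it): it parses one raw message with Python's email module and returns which indicators matched. The subject set is a sample of the list above, and the message that build_sample() produces is constructed, not a real sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the post: the two attachment lengths, the
# double-extension naming, and a sample of the random subject lines.
BUGBEAR_SIZES = {50688, 50664}
BUGBEAR_SUBJECTS = {s.casefold() for s in (
    "25 merchants and rising", "bad news", "CALL FOR INFORMATION!",
    "click on this!", "Daily Email Reminder", "empty account",
    "Get 8 FREE issues - no risk!", "I need help about script!!!",
    "Membership Confirmation", "New bonus in your cash account",
    "Re: $150 FREE Bonus!", "SCAM alert!!!", "Your News Alert",
)}
# "readme.txt.pif", "images.jpg.scr": an inner extension followed by .pif/.scr
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(?:pif|scr)$", re.IGNORECASE)
# The post's blanket advice: block .pif and .scr attachments whatever the name
BLOCKED_EXT = re.compile(r"\.(?:pif|scr)$", re.IGNORECASE)

def score_message(raw: bytes) -> list:
    """Return the Bugbear indicators found in one raw RFC 822 message;
    an empty list means none matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip()
    if subject.casefold() in BUGBEAR_SUBJECTS:
        reasons.append("subject in Bugbear list: %r" % subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        size = len(part.get_payload(decode=True) or b"")
        if DOUBLE_EXT.search(name):
            reasons.append("double extension: %s" % name)
        elif BLOCKED_EXT.search(name):
            reasons.append("blocked extension: %s" % name)
        if size in BUGBEAR_SIZES:
            reasons.append("attachment length %d bytes matches Bugbear" % size)
    return reasons

def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message (not a real Bugbear sample): a short text
    body plus one binary attachment of the requested length."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("fragment of a file found on the sender's system")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

A subject hit on its own is weak (the list is a sample and the worm picks randomly), so treat the size and extension hits as the ones worth blocking on.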

Trojan:

Port 36974 open - CHECK ON THIS PORT!!!!

Existence of the following files (* represents any character): 
%WinDir%\System\****.EXE (50,688 or 50,684 bytes) 
%WinDir%\******.DAT 
%WinDir%\******.DAT 
%WinDir%\System\******.DLL 
%WinDir%\System\*******.DLL 
%WinDir%\System\*******.DLL 
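An added host-side check (example code, not part of the original post) for the Trojan indicators listed above: four-letter EXEs of the quoted sizes in the System folder, three-letter EXEs in a Startup folder (including Startup folders on shares the worm can reach), and RunOnce values that launch such a file. The fixture directory it builds is constructed; on a real Windows host pass %WinDir% and the RunOnce values read with winreg.

```python
import ntpath
import os
import re
import tempfile

# Host indicators quoted in the post: a random four-letter EXE of one of the
# quoted lengths in the System folder, a three-letter EXE in a Startup folder,
# and a RunOnce value launching such a file. The 6/7-letter .DAT/.DLL patterns
# are left out: alone they also match ordinary files such as MSVCRT.DLL.
BUGBEAR_SIZES = {50688, 50684, 50664}
SYSTEM_EXE = re.compile(r"^[A-Z]{4}\.EXE$", re.IGNORECASE)
STARTUP_EXE = re.compile(r"^[A-Z]{3}\.EXE$", re.IGNORECASE)

def suspicious_system_exes(windir: str) -> list:
    """Four-letter .EXE files of a quoted size under %WinDir%\\System[32]."""
    hits = []
    for sub in ("System", "System32"):
        sysdir = os.path.join(windir, sub)
        if not os.path.isdir(sysdir):
            continue
        for e in os.scandir(sysdir):
            if (e.is_file() and SYSTEM_EXE.match(e.name)
                    and e.stat().st_size in BUGBEAR_SIZES):
                hits.append(e.path)
    return sorted(hits)

def suspicious_startup_exes(startup_dir: str) -> list:
    """Three-letter .EXE names in a Startup folder (local or on a share)."""
    if not os.path.isdir(startup_dir):
        return []
    return sorted(e.path for e in os.scandir(startup_dir)
                  if e.is_file() and STARTUP_EXE.match(e.name))

def suspicious_runonce(values: dict) -> list:
    """values maps RunOnce value names to their data (read with winreg on
    Windows); flag entries whose command is a four-letter EXE."""
    return sorted(name for name, data in values.items()
                  if SYSTEM_EXE.match(ntpath.basename(data.strip('"'))))

def make_fixture() -> str:
    """Constructed stand-in for %WinDir% (no real malware): one file matching
    the EXE indicator and two near misses (wrong size, wrong name length)."""
    root = tempfile.mkdtemp(prefix="bugbear-demo-")
    sysdir = os.path.join(root, "System32")
    os.makedirs(sysdir)
    for name, size in (("FVFA.EXE", 50688), ("ABCD.EXE", 100),
                       ("NOTEPAD.EXE", 50688)):
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(b"\x00" * size)
    return root
```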



FURTHER INFORMATION ON PWS-HOOKER:

Type: Zoo Trojan Horse 
Infection Length: variable 
Systems Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows
2000, Windows XP, Windows Me 


Trojans in this family can record your keystrokes and store this information
in encrypted form. The Trojan sends this encrypted file and the IP address
of the compromised computer to email addresses that are defined by the
hacker.

The following is a description of a specific PWS.Hooker.Trojan variant that
can be dropped by the W32.Badtrans.gen@mm worm.

When the Trojan runs, it does the following:

It copies itself as C:\%System%\Kern32.exe.

NOTE: %System% is a variable. The Trojan locates the \Windows\System folder
(by default this is C:\Windows\System or C:\Winnt\System32) and copies
itself to that location.

It also drops C:\%System%\Hksdll.dll. This file is a component of, and is
detected as, W32.Badtrans.gen@mm.

The Trojan adds the value 

kernel32     C:\%System%\kern32.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

This causes the Trojan to run the next time that you start Windows.


Arjen de Landgraaf
www.e-secure-db.us
www.e-secure-it.us
