Virus

W32/Bugbear.A@mm

Analysis

  • Virus is a 32-bit Windows executable; the UPX-compressed file is 50,688 bytes in size
  • Virus icon is that of a standard 32-bit executable
  • If executed, this virus will copy itself to the local machine under a random filename (such as "tvtm.exe") into the Windows\System folder, and also to the Windows Startup folder, in an effort to load the virus at Windows startup.
  • Next, the virus will modify the registry to load at Windows startup; both the value name and the filename are random, as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunOnce\
    php=tvtm.exe

  • Virus writes at least three files with random names and a .DLL extension to the Windows\System folder, only one of which is actually a .DLL -

    • the other ".DLL" files are data files used to store captured keystrokes and password information
    • the genuine .DLL, 5,632 bytes in size, is the key-logger and password-stealer component and communicates with the virus
  • Virus may search for the following process names and attempt to terminate any matching process running in memory (anti-virus and personal firewall products) -

    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    ACKWIN32.EXE
    ANTI-TROJAN.EXE
    APVXDWIN.EXE
    AUTODOWN.EXE
    AVCONSOL.EXE
    AVE32.EXE
    AVGCTRL.EXE
    AVKSERV.EXE
    AVNT.EXE
    AVP.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPDOS32.EXE
    AVPM.EXE
    AVPTC32.EXE
    AVPUPD.EXE
    AVSCHED32.EXE
    AVWIN95.EXE
    AVWUPD32.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET.EXE
    CFINET32.EXE
    CLAW95.EXE
    CLAW95CF.EXE
    CLEANER.EXE
    CLEANER3.EXE
    DVP95.EXE
    DVP95_0.EXE
    ECENGINE.EXE
    ESAFE.EXE
    ESPWATCH.EXE
    F-AGNT95.EXE
    FINDVIRU.EXE
    FPROT.EXE
    F-PROT.EXE
    F-PROT95.EXE
    FP-WIN.EXE
    FRW.EXE
    F-STOPW.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    IBMASN.EXE
    IBMAVSP.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    IFACE.EXE
    IOMON98.EXE
    JEDI.EXE
    LOCKDOWN2000.EXE
    LOOKOUT.EXE
    LUALL.EXE
    MOOLIVE.EXE
    MPFTRAY.EXE
    N32SCANW.EXE
    NAVAPW32.EXE
    NAVLU32.EXE
    NAVNT.EXE
    NAVW32.EXE
    NAVWNT.EXE
    NISUM.EXE
    NMAIN.EXE
    NORMIST.EXE
    NUPGRADE.EXE
    NVC95.EXE
    OUTPOST.EXE
    PADMIN.EXE
    PAVCL.EXE
    PAVSCHED.EXE
    PAVW.EXE
    PCCWIN98.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    RAV7.EXE
    RAV7WIN.EXE
    RESCUE.EXE
    SAFEWEB.EXE
    SCAN32.EXE
    SCAN95.EXE
    SCANPM.EXE
    SCRSCAN.EXE
    SERV95.EXE
    SMC.EXE
    SPHINX.EXE
    SWEEP95.EXE
    TBSCAN.EXE
    TCA.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    VET95.EXE
    VETTRAY.EXE
    VSCAN40.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSTAT.EXE
    WEBSCANX.EXE
    WFINDV32.EXE
    ZONEALARM.EXE

  • Next, the virus will scavenge the local drive for email addresses and, combining harvested names and domains, construct a spoofed From: address. It then sends a message with a W32/Bugbear.A@mm infected attachment to each address found; the subject line is selected from a list, as is the body text.

  • Message is structured to use an exploit that causes the attachment to launch automatically when the message is opened or previewed in Outlook: the executable attachment is declared with a MIME type the client renders inline (the Incorrect MIME Header vulnerability, MS01-020) -

    • The email message carries an additional attachment, typically a file with an .HTM extension, which is a clean, non-infectious decoy.
  • Virus contains this string within the uncompressed virus code -

    tanatos

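The auto-launch behaviour described above depends on an executable attachment being declared with a passive media type such as audio/x-wav, so a mail client treats it as inline media rather than as a program. The following Python is an added example, not part of the original analysis and not Fortinet tooling: it constructs a sample message with the same shape (spoofed sender, a clean decoy .htm, and an .exe labelled audio/x-wav) and flags attachments whose declared Content-Type does not fit their executable filename. The addresses, filenames and placeholder bytes are constructed for illustration.

```python
"""Added triage example: flag mail attachments whose declared MIME type
hides an executable, the pattern the Outlook auto-launch exploit relies on.
The sample message below is constructed for illustration; it is not a real
W32/Bugbear.A@mm sample."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will run when the "opened" attachment is executed.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs", ".js"}

# Declared types a mail client is willing to render inline without asking.
# An executable labelled with one of these is the mismatch to catch.
PASSIVE_TYPES = ("audio/", "image/", "text/", "video/")


def suspicious_attachments(raw_message: bytes):
    """Return (filename, declared_content_type, severity) for each
    attachment whose filename has an executable extension.

    severity "high":   executable declared as a passive media type
                       (e.g. tvtm.exe sent as audio/x-wav)
    severity "medium": executable attachment with an honest type
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Content-Disposition filename, falling back to Content-Type name=
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext not in EXECUTABLE_EXTS:
            continue
        ctype = part.get_content_type()
        severity = "high" if ctype.startswith(PASSIVE_TYPES) else "medium"
        findings.append((name, ctype, severity))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample resembling the structure described above: a
    decoy .htm plus an executable body declared as audio/x-wav. The
    addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "contact@example.com"    # spoofed, as the worm does
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Just a reminder"
    msg.set_content("Please see the attached.")
    # Clean decoy: an .htm attachment with a matching text/html type.
    msg.add_attachment("<html><body>decoy</body></html>",
                       subtype="html", filename="readme.htm")
    # The payload: placeholder bytes (an MZ header only, not a program)
    # labelled as a WAV file so the client treats it as inline media.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="audio",
                       subtype="x-wav", filename="tvtm.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, severity in suspicious_attachments(build_sample_message()):
        print(f"{severity:6} {name} declared as {ctype}")
```

The check deliberately keys on the filename extension rather than on the declared type alone, because the exploit works precisely by lying in the Content-Type header; a gateway rule that trusts that header would let the attachment through as audio.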

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option