W32/BabyBear
Analysis
- Virus is a 32-bit executable of 204,802 bytes, written in
Visual Basic 6, and therefore requires the VB6 runtime
MSVBVM60.DLL to be present in order to run
- If the virus is run, it may display a fake error
message like this one -
Program Error
Application Error! Missing .Dll File
[OK]
- Next, the virus may display a grayscale image of a mask
captioned "Bugbear.B", with the text "From the Creators of
BugBear" beneath it
- The virus may add two values under the Run key so that it is
launched at Windows startup from the path and file name it was
originally run from (both values point at the same file) -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
Microsoft Corporation = (path and file name)
Msgmgr = (path and file name)
- The virus may create an icon in the system tray with the
matching name "Microsoft Corporation"
- If the user right-clicks on that icon, the virus may trigger
its Windows shut-down routine
- Virus creates over 200 folders and numerous files
on the infected system -
Folders added:
c:\2Coding7
c:\3Coding51
c:\C2oding1
c:\C4oding67
c:\Cchoding74
c:\cCoding55
c:\cCoding67
c:\Ccoding74
c:\Ccodinllg74
c:\cCodlling67
c:\cCoduuing55
c:\Cczhoding74
c:\chCoding67
c:\Cjroding466
c:\Cnoding1
c:\Co2ding2
c:\Co4ding74
c:\Cod2ing3
c:\Codi2ng4
c:\Codi3ng11
c:\Codin2g5
c:\Codin3g23
c:\Codincg11
c:\Codincg23
c:\Codincgkk23
c:\Codincguu11
c:\Codinchg11
c:\Codincyg23
c:\Codinczyg23
c:\Coding1
c:\Coding11
c:\Coding12
c:\Coding142
c:\Coding17
c:\Coding2
c:\Coding23
c:\Coding23j
c:\Coding26
c:\Coding2c3
c:\Coding2ch3
c:\Coding3
c:\Coding31
c:\Coding331
c:\Coding4
c:\Coding411
c:\Coding42
c:\Coding432
c:\Coding44
c:\Coding44c
c:\Coding44j
c:\Coding466
c:\Coding4c2
c:\Coding4cy2
c:\Coding4czy2
c:\Coding4t4
c:\Coding5
c:\Coding51
c:\Coding51c
c:\Coding55
c:\Coding55t
c:\Coding5r1
c:\Coding6
c:\Coding67
c:\Coding67r
c:\Coding7
c:\Coding74
c:\Coding7n
c:\Coding7xn
c:\Codingc12
c:\Codingc12uu
c:\Codingc31
c:\Codingc31kk
c:\Codingch12
c:\Codingcy31
c:\Codingczy31
c:\Codingd2
c:\Codingd2yy
c:\Codingf1
c:\Codingn6
c:\Codingr42
c:\Codings3
c:\Codings4
c:\Codingsy4
c:\Codingt23
c:\Codingxn6
c:\Codingys3
c:\Codingyyf1
c:\Codinkkcg11
c:\Codinng4
c:\Codinng5
c:\Codinrg31
c:\Codintg12
c:\Codinxng5
c:\Codinycg11
c:\Codinygd2
c:\Codinzg466
c:\Codinzycg11
c:\Codinzzg67r
c:\Codirng23
c:\Codirng2xx3
c:\Coditng11
c:\Codixnng4
c:\Codiyngf1
c:\Codiyyng17
c:\Codizng55t
c:\Codizngsy4
c:\Codning3
c:\Codring11
c:\Codrinxxg11
c:\Codsing5
c:\Codsing5y
c:\Codsing6
c:\Codsinjjg6
c:\Codsizng5y
c:\Codsjjing5
c:\Codxning3
c:\Codzing4t4
c:\Codzingys3
c:\Codzzing5r1
c:\Cojjdings4
c:\Cojrding17
c:\Collding51c
c:\Conding2
c:\Cording17
c:\Cording1uu7
c:\Couuding44c
c:\Coxnding2
c:\Coyyding466
c:\Cozdingt23
c:\Cozdinygd2
c:\Croding466
c:\Crodinuug466
c:\Csoding7
c:\Csoding7jj
c:\Cysoding7
c:\Cysodinzg7
c:\czhCoding67
c:\Czodintg12
c:\Czodiyngf1
c:\Czzodingr42
c:\H2elp
c:\hCoding51cy
c:\hCoding51zcy
c:\Hechlp8
c:\Heclp8
c:\Heczhlp8
c:\Hel4p8
c:\Heljrp1
c:\Help
c:\Help1
c:\Help8
c:\Helrp1
c:\Helrp1uf
c:\Heslp
c:\Heyslp
c:\Hezyslp
c:\Hlueclp8
c:\Htelp8
c:\Htelpz8
c:\Hyelp1
c:\jcCoding55
c:\jjCodings3
c:\kkHeslp
c:\llCoding4c2
c:\Program Files\System
c:\Program Files\System1
c:\rHelp
c:\tCoding17
c:\tCoding74
c:\tCodinzg17
c:\tCodizngzz74
c:\Th3e Sims
c:\The 2Sims
c:\The 4S1ims
c:\The jr2Sims
c:\The r2Sims
c:\The rddaljflajflkjorjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj2Sims
c:\The S1ims
c:\The Sims
c:\Thec S1ims
c:\Thech S1ims
c:\Theczzh S1ims
c:\Thes Sims
c:\Theuuc S1ims
c:\Theys Sims
c:\Thezys Sims
c:\Thkes Sims
c:\Thte S1ims
c:\Thte Sz1ims
c:\Thye 2Sims
c:\Thye 2Szims
c:\Thyye 2Sims
c:\Trhe Sims
c:\Trxxhe Sims
c:\uuCoding2c3
c:\WINDOWS\wudnld20.tmp
c:\xxrHelp
c:\yCodsing6
c:\yCodsizng6
c:\yyCoding55
c:\yyHelp1
c:\zCodinrg31
c:\zCoditng1z1
Files added:
c:\Attachment.exe
c:\Wscript.exe
c:\WINDOWS\Start Menu\Programs\StartUp\Microsoft® Corporation.exe
c:\jNotepad.exe
c:\kNotepad.exe
c:\lNotepad.exe
c:\Njotepad.exe
c:\Nkotepad.exe
c:\Nlotepad.exe
c:\Nojtepad.exe
c:\Noktepad.exe
c:\Noltepad.exe
c:\Noqtepad.exe
c:\Nortepad.exe
c:\Notejpad.exe
c:\Notekpad.exe
c:\Notelpad.exe
c:\Notepad.exe
c:\Notepadj.exe
c:\Notepadk.exe
c:\Notepadl.exe
c:\NotepadQ.exe
c:\NotepadW.exe
c:\Notepajd.exe
c:\Notepakd.exe
c:\Notepald.exe
c:\NotepaQd.exe
c:\NotepaWd.exe
c:\Notepjad.exe
c:\Notepkad.exe
c:\Noteplad.exe
c:\NotepQad.exe
c:\NotepWad.exe
c:\NoteQpad.exe
c:\NoteWpad.exe
c:\Notjepad.exe
c:\Notkepad.exe
c:\Notlepad.exe
c:\NotQepad.exe
c:\Notrepad.exe
c:\NotWepad.exe
c:\NoWtepad.exe
c:\Nqotepad.exe
c:\Nrotepad.exe
c:\NWotepad.exe
c:\qNotepad.exe
c:\rNotepad.exe
c:\WNotepad.exe
c:\WINDOWS\fNotrepad.exe
c:\WINDOWS\Notrefpad.exe
c:\WINDOWS\Notrepad.erxe
c:\WINDOWS\Notrepad.exe
c:\WINDOWS\Notrepad.exef
c:\WINDOWS\Notrepadg.exe
c:\WINDOWS\Notrepadr.exe
c:\WINDOWS\Notrepagd.exe
c:\WINDOWS\Notrepajd.exe
c:\WINDOWS\Notrepard.exe
c:\WINDOWS\Notrepatd.exe
c:\WINDOWS\Notrerpad.exe
c:\WINDOWS\Notretpad.exe
c:\WINDOWS\SYSTEM\Microsoft.ini
c:\WINDOWS\SYSTEM\Ngotrepad.exe
c:\WINDOWS\SYSTEM\Nhotrepad.exe
c:\WINDOWS\SYSTEM\Nodtrepad.exe
c:\WINDOWS\SYSTEM\Nogtrepad.exe
c:\WINDOWS\SYSTEM\Notrepad.exe
c:\WINDOWS\SYSTEM\Notrepdad.exe
c:\WINDOWS\SYSTEM\Notrtepad.exe
c:\WINDOWS\SYSTEM\Noturepad.exe
c:\WINDOWS\SYSTEM\Nrotrepad.exe
c:\WINDOWS\SYSTEM\Ntotrepad.exe
- Virus overwrites the following existing Windows files with a
copy of itself (both end up the same size as the virus) -
c:\WINDOWS\DEFRAG.EXE
c:\WINDOWS\WELCOME.EXE
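The registry values, dropped copies, junk folders and overwritten files listed above are the artefacts an incident responder would sweep a suspect host for. The script below is an added example, not code from the original write-up: it takes a registry export and a file/folder listing and flags the BabyBear indicators, using a subsequence match to catch the mutated Notepad/Notrepad names rather than a list of every spelling seen. The sample registry text, file list and sizes are constructed here for demonstration, the four-character junk allowance for folder names and the DEFRAG/WELCOME size check are my assumptions, and the function and constant names are my own.

```python
"""
Host-side IOC check for the W32/BabyBear artefacts: Run-key values,
dropped copies with mutated Notepad/Notrepad names, the StartUp-folder
copy, root-level junk folders and the overwritten DEFRAG.EXE / WELCOME.EXE.
Added example, not the original write-up's code; the registry export and
file listing below are constructed so it runs offline.  On a real host,
feed it the output of `regedit /e` and a directory walk instead.
"""
from __future__ import annotations
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"microsoft corporation", "msgmgr"}   # value names from the write-up
SAMPLE_SIZE = 204802                                     # size of the analysed binary
FOLDER_STEMS = ("coding", "help", "the sims")            # junk folders are these stems plus noise


def _mutated(name: str, base: str, max_extra: int) -> bool:
    """True if `base` is a subsequence of `name` with at most `max_extra`
    characters inserted, e.g. Njotepad / NotepaQd / Notrepadg / exef."""
    name, base = name.lower(), base.lower()
    if not (len(base) <= len(name) <= len(base) + max_extra):
        return False
    it = iter(name)
    return all(ch in it for ch in base)


def run_key_iocs(reg_export: str) -> list[tuple[str, str]]:
    """(value name, data) pairs under HKLM\\...\\Run whose value name is one
    BabyBear writes; the same names under any other key are ignored."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run_key and m and m.group(1).lower() in RUN_VALUE_NAMES:
            hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits


def file_iocs(paths: list[str], sizes: dict[str, int] | None = None) -> list[tuple[str, str]]:
    """Classify file paths.  `sizes` (path -> byte size) is optional and only
    used to confirm DEFRAG.EXE / WELCOME.EXE were replaced by the virus."""
    sizes = sizes or {}
    hits = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        parent, _, leaf = low.rpartition("\\")
        stem, _, ext = leaf.rpartition(".")
        if not _mutated(ext, "exe", 1):            # also catches .erxe / .exef
            continue
        if parent == "c:" and (_mutated(stem, "notepad", 1) or stem in {"attachment", "wscript"}):
            hits.append(("dropped copy", p))
        elif parent in ("c:\\windows", "c:\\windows\\system") and _mutated(stem, "notrepad", 1):
            hits.append(("dropped copy", p))       # genuine NOTEPAD.EXE has no 'r': no match
        elif parent.endswith("\\startup") and stem.startswith("microsoft"):
            hits.append(("startup-folder copy", p))
        elif parent == "c:\\windows" and stem in {"defrag", "welcome"} and sizes.get(p) == SAMPLE_SIZE:
            hits.append(("overwritten system file", p))
    return hits


def folder_iocs(dirs: list[str]) -> list[str]:
    """Root-level folders whose letters (digits stripped) are a stem with up
    to four junk characters inserted (assumed limit).  Weak on its own: a
    plain C:\\Help also matches, so weigh it together with the file hits."""
    hits = []
    for d in dirs:
        low = d.lower().replace("/", "\\")
        parent, _, leaf = low.rpartition("\\")
        letters = re.sub(r"[^a-z ]", "", leaf)
        if parent == "c:" and any(_mutated(letters, s, 4) for s in FOLDER_STEMS):
            hits.append(d)
    return hits


# --- constructed sample data, not captured from a real infection -----------
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Microsoft Corporation"="C:\\Attachment.exe"
"Msgmgr"="C:\\Attachment.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Msgmgr"="C:\\unrelated.exe"
"""
SAMPLE_FILES = [
    r"C:\Attachment.exe", r"C:\Njotepad.exe", r"C:\NotepaQd.exe",
    r"C:\WINDOWS\NOTEPAD.EXE",                     # the genuine editor, must not match
    r"C:\WINDOWS\Notrepad.erxe", r"C:\WINDOWS\SYSTEM\Ngotrepad.exe",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft® Corporation.exe",
    r"C:\WINDOWS\DEFRAG.EXE", r"C:\WINDOWS\WELCOME.EXE",
]
SAMPLE_SIZES = {r"C:\WINDOWS\DEFRAG.EXE": 204802, r"C:\WINDOWS\WELCOME.EXE": 31744}
SAMPLE_DIRS = [r"C:\Coding4czy2", r"C:\Theczzh S1ims", r"C:\H2elp",
               r"C:\Program Files", r"C:\My Documents", r"C:\WINDOWS"]

if __name__ == "__main__":
    for hit in run_key_iocs(SAMPLE_REG) + file_iocs(SAMPLE_FILES, SAMPLE_SIZES):
        print(*hit, sep="\t")
    for d in folder_iocs(SAMPLE_DIRS):
        print("junk folder\t" + d)
```

The subsequence matcher is deliberately bounded: the genuine c:\WINDOWS\NOTEPAD.EXE never matches the "notrepad" stem because it is shorter than the stem, and a root folder only counts when the whole name collapses to one of the three stems with a few characters of noise. Treat the Run-key values and the dropped .exe copies as the decisive indicators and the folder names as corroboration.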
- Virus may mail itself through MAPI (Outlook) using the
following message; the body text, including its spelling
errors, is reproduced as sent -
Subject: Please Confirm
Body:
Dear Sir or Madame, We have detected that you have placed a Order for Msn8. Before we start your Service please confirm your order. To confirm your order please check the attachement. Thanks, Microsoft Corporation Support
Attachment: (infected binary)
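The mail above is the worm's only spreading vector described here, so a gateway rule keyed on it is the natural complement to the host sweep. The script below is an added example, not code from the original write-up: it parses a raw message with Python's standard `email` package and scores it on the lure subject, the distinctive body phrases and an executable attachment. The two messages it builds are constructed stand-ins (placeholder sender, a few placeholder bytes in place of the worm), the executable-extension list is an assumed gateway policy, and the function names are my own.

```python
"""
Gateway-side check for the mail W32/BabyBear sends.  Added example, not
the original write-up's code.  `lure_score` works on any raw RFC 822
message (e.g. pulled from a quarantine); the messages built below are
constructed, with placeholder sender and attachment bytes, not the worm.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECT = "please confirm"
LURE_PHRASES = ("placed a order for msn8", "microsoft corporation support")
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")   # assumed gateway block-list


def lure_score(raw: str) -> dict:
    """Extract the three signals.  Body whitespace is normalised so a
    quoted-printable soft break or line wrap cannot split a phrase."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body_parts, attachments = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_content())
    body = " ".join(" ".join(body_parts).split()).lower()
    return {
        "subject_match": subject == LURE_SUBJECT,
        "body_match": all(p in body for p in LURE_PHRASES),
        "exe_attachments": [f for f in attachments if f.lower().endswith(EXEC_EXTENSIONS)],
    }


def is_babybear_lure(raw: str) -> bool:
    """Require all three signals for a BabyBear verdict; a gateway that
    already blocks executables would act on `exe_attachments` alone."""
    s = lure_score(raw)
    return s["subject_match"] and s["body_match"] and bool(s["exe_attachments"])


# --- constructed messages, not captured traffic ----------------------------
def build_lure() -> str:
    """Message in the format the write-up shows (sender is a placeholder)."""
    m = EmailMessage()
    m["From"] = "support@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Please Confirm"
    m.set_content(
        "Dear Sir or Madame, We have detected that you have placed a Order for Msn8. "
        "Before we start your Service please confirm your order. To confirm your order "
        "please check the attachement. Thanks, Microsoft Corporation Support")
    m.add_attachment(b"MZ placeholder bytes, not the worm", maintype="application",
                     subtype="octet-stream", filename="Attachment.exe")
    return m.as_string()


def build_benign() -> str:
    """Same subject line, ordinary body, no attachment: must not trigger."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Please Confirm"
    m.set_content("Please confirm the meeting time for Thursday.")
    return m.as_string()


if __name__ == "__main__":
    for name, raw in (("lure", build_lure()), ("benign", build_benign())):
        print(name, is_babybear_lure(raw), lure_score(raw))
```

The subject alone is far too common to act on, which is why the verdict also needs the body phrases and an executable attachment; the phrases are matched after whitespace normalisation because the standard library will fold the long single-line body into quoted-printable soft-wrapped lines on the wire.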