Threat behavior
Win32/Bugbear.B@mm is a mass-mailing e-mail worm that also spreads via unprotected network shares. The worm includes an unsecured backdoor component that leaves the infected system accessible to any attacker who can reach it. Win32/Bugbear.B@mm continually monitors active processes and shuts down any that match an internal list of antivirus and security products. In addition, Win32/Bugbear.B@mm includes a keystroke-logging component that can be used to capture passwords and other sensitive information as they are typed. Win32/Bugbear.B@mm also checks the domain name of the infected computer against an internal list of domain names associated with certain banking Web sites. If it finds a match, the worm enumerates cached passwords and sends them to the worm's author via e-mail.
When first run, Win32/Bugbear.B@mm takes the following actions:
- Copies itself to the global Startup folder using a randomly generated file name.
- Creates three randomly named DLL files in the Windows system folder.
- Terminates processes associated with various antivirus and security products.
- Opens an unsecured backdoor on TCP port 1080.
- Attempts to copy itself to the global Startup folder on accessible network shares.
- Infects selected PE EXE files found in the Windows and Program Files folders.
Win32/Bugbear.B@mm sends a copy of itself via e-mail to addresses harvested from the infected system, and forges the From field with one of those harvested addresses, so the apparent sender is generally not the owner of the infected computer. The subject line of the Win32/Bugbear.B@mm e-mail will be one of the following:
$150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help...
Re:
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
wow!
Your Gift
Your News Alert
The attachment may be randomly named based on file names the worm discovers in the My Documents folder, or the name may be one of the following:
Card
data
Docs
image
images
music
news
photo
pics
readme
resume
Setup
song
video
The attachment file name will have one of the following extensions: .exe, .pif, .scr.
E-mail messages composed by the Win32/Bugbear.B@mm worm may exploit the vulnerability described in Microsoft Security Bulletin MS01-020, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment. On systems that have not applied the update from that bulletin, this can cause the attachment to run automatically when the message is viewed, without the user opening the attachment.
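As an added example (not part of the original advisory and not the worm's own code), the following Python mail-gateway triage routine applies the message indicators above: the subject-line and attachment-name lists, the .exe/.pif/.scr extensions, and the MS01-020 pattern of an executable attachment delivered under a non-executable MIME type. The two sample messages, the scoring thresholds, and the use of audio/x-wav as the mismatched Content-Type are constructed for illustration and are assumptions, not details taken from the page.

```python
"""Triage inbound mail for Win32/Bugbear.B@mm indicators (added example)."""
import email
from email import policy

# Subject lines listed in the advisory, compared case-insensitively after trimming.
BUGBEAR_SUBJECTS = {s.lower() for s in [
    "$150 FREE Bonus!", "25 merchants and rising", "Announcement", "bad news",
    "CALL FOR INFORMATION!", "click on this!", "Correction of errors", "Cows",
    "Daily Email Reminder", "empty account", "fantastic", "free shipping!",
    "Get 8 FREE issues - no risk!", "Get a FREE gift!", "Greets!", "Hello!", "Hi!",
    "history screen", "hmm..", "I need help about script!!!", "Interesting...",
    "Introduction", "its easy", "Just a reminder", "Lost & Found",
    "Market Update Report", "Membership Confirmation", "My eBay ads",
    "New bonus in your cash account", "New Contests", "new reading", "News",
    "Payment notices", "Please Help...", "Re:", "Report", "SCAM alert!!!",
    "Sponsors needed", "Stats", "Today Only", "Tools For Your Online Business",
    "update", "various", "Warning!", "wow!", "Your Gift", "Your News Alert",
]}
# Fixed attachment base names listed in the advisory (random names are not matchable).
ATTACHMENT_STEMS = {"card", "data", "docs", "image", "images", "music", "news",
                    "photo", "pics", "readme", "resume", "setup", "song", "video"}
EXECUTABLE_EXTS = {".exe", ".pif", ".scr"}


def triage(raw: bytes) -> dict:
    """Return a verdict and the list of indicators that fired for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in BUGBEAR_SUBJECTS:
        reasons.append(f"subject matches worm template: {subject!r}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        stem, dot, ext = filename.rpartition(".")
        ext = "." + ext.lower() if dot else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        reasons.append(f"executable attachment: {filename}")
        # Strip any double extension (e.g. readme.doc.pif) before matching the stem.
        base = stem.split(".")[0].lower()
        if base in ATTACHMENT_STEMS:
            reasons.append(f"attachment name matches worm list: {base}")
        # MS01-020 pattern: an executable named attachment carried under a MIME type
        # that is not application/*, so a vulnerable client may run it automatically.
        if part.get_content_maintype() != "application":
            reasons.append(f"MIME type {part.get_content_type()} does not match "
                           f"executable attachment name (MS01-020 pattern)")
    # Thresholds are an assumption for this example: two or more indicators quarantine.
    verdict = "quarantine" if len(reasons) >= 2 else ("flag" if reasons else "deliver")
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: a worm-style message (subject from the list, readme.pif under audio/x-wav).
SAMPLE_WORM = b"""\
From: spoofed@example.com
To: victim@example.com
Subject: Just a reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bb"

--bb
Content-Type: text/plain

hmm..
--bb
Content-Type: audio/x-wav; name="readme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.pif"

TVoAAA==
--bb--
"""

# Constructed sample: a benign message with a PDF attachment under its proper MIME type.
SAMPLE_BENIGN = b"""\
From: alice@example.com
To: bob@example.com
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        result = triage(raw)
        print(label, result["verdict"], *result["reasons"], sep="\n  ")
```

The MIME-mismatch check is the one worth keeping even after the subject list has aged: it catches any message that names an executable while declaring a media type a client would render inline, which is the whole mechanism MS01-020 describes. Randomly named attachments built from My Documents file names will only trip the extension and MIME checks, which is why those are scored independently of the name list.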
Prevention