Threat behavior
Win32/Bugbear copies itself to locations such as the Windows startup folder and Windows system folder. It disables security-related programs and other applications and modifies the registry in order to run automatically each time Windows starts.
The worm can drop a Trojan .dll file that logs keystrokes. The worm also opens a TCP port as a backdoor through which an attacker can send commands, retrieve information, and direct the worm to connect to a Web server. Through the backdoor an attacker can run or delete files, terminate processes, gather passwords, and collect the keystrokes that the .dll file has captured. The worm can send the collected data by e-mail, by HTTP, or over the backdoor.
The worm spreads by sending a copy of itself as an attachment to e-mail addresses found on the computer. The attachment can have a double extension, such as .txt.exe, so that it appears to be a harmless text file. The worm runs when the user opens the attachment. If the security update described in Microsoft Security Bulletin MS01-020 or MS01-027 is not installed on the computer, the worm runs as soon as the user previews or opens the e-mail that contains the attachment, without the attachment being opened.
The worm can also spread by copying itself to the Startup folder of writable network shares, including administrative shares. The copy then runs automatically on the remote computer each time Windows starts. The worm can also disrupt shared network resources; for example, it can cause a shared printer to print many pages of meaningless data.
Some Win32/Bugbear variants are polymorphic file infectors. The worm targets frequently used applications such as regedit.exe and notepad.exe, appending its code to the executable. Some variants create worm copies in other locations, such as the shared folders of certain file-sharing applications. Each copy takes the full name of an existing file in the folder, including its extension, and appends an .exe extension. For example, if there is a file named abc.jpg in the folder, the worm can create a copy of itself there named abc.jpg.exe.
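The two naming tricks described above, the double-extension mail attachment (.txt.exe) and the shared-folder copy that takes an existing file's full name plus .exe (abc.jpg.exe), can both be caught by a simple filename heuristic run over a folder listing or a mail gateway's attachment names. The following is an added example written for this page, not code from Microsoft or from the worm itself. It generalizes beyond the page's .exe-only case to other extensions Windows will execute on double-click (.scr, .pif, .bat and so on); the lists of "executable" and "data" extensions, and the sample folder listing, are assumptions constructed for the demonstration.

```python
import os

# Extensions Windows runs when a user double-clicks the file (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Extensions a user expects to be harmless data (assumed list). A name such as
# "photo.jpg.exe" borrows one of these so that Explorer, with "Hide extensions
# for known file types" enabled, shows only "photo.jpg".
DATA_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".xls", ".pdf",
             ".zip", ".mp3", ".htm", ".html"}


def split_extensions(name):
    """Return every extension in a file name, innermost first, lower-cased.
    'abc.jpg.exe' -> ['.jpg', '.exe']; 'readme' -> []."""
    exts = []
    base = name
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def is_double_extension_lure(name):
    """True for names like 'report.txt.exe': an executable extension stacked
    directly on a data extension, the attachment pattern described above."""
    exts = split_extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DATA_EXTS


def find_shadow_copies(names):
    """Given the file names in one folder, return (copy, original) pairs where an
    executable's name is another file's full name plus an executable extension,
    e.g. 'abc.jpg.exe' beside 'abc.jpg'. Comparison is case-insensitive, as on
    Windows file systems."""
    by_lower = {n.lower(): n for n in names}
    hits = []
    for n in names:
        base, ext = os.path.splitext(n)
        if ext.lower() in EXECUTABLE_EXTS and base.lower() in by_lower:
            hits.append((n, by_lower[base.lower()]))
    return sorted(hits)


def scan_folder_listing(names):
    """Apply both checks to a folder listing and return the findings."""
    return {
        "double_extension": sorted(n for n in names if is_double_extension_lure(n)),
        "shadow_copy": find_shadow_copies(names),
    }


# Constructed sample listing of a file-sharing application's shared folder;
# not data from a real infection.
SAMPLE_SHARE_LISTING = [
    "abc.jpg",
    "abc.jpg.exe",      # worm-style copy named after an existing file
    "setup.exe",        # ordinary executable; no sibling named "setup"
    "readme.txt",
    "invoice.txt.exe",  # attachment-style double extension, no sibling file
    "song.mp3",
    "Song.MP3.scr",     # different case and extension, still shadows song.mp3
]

if __name__ == "__main__":
    for kind, findings in scan_folder_listing(SAMPLE_SHARE_LISTING).items():
        for hit in findings:
            print(f"{kind}: {hit}")
```

Note that the two checks overlap but are not the same: invoice.txt.exe is flagged only as a double-extension lure because no invoice.txt exists beside it, while a copy named after an existing file with an extension not in DATA_EXTS would be caught only by the shadow-copy check. A gateway filter should use the first check; a share or endpoint scan benefits from both.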
Prevention