Bugbear Alert
infectionvectors.com, April 2004

The release of Bugbear.E triggered this update. Previous versions of the worm have spread very quickly. Bugbear.E is similar to earlier members of the Bugbear family: it is a mass mailer that lifts addresses/targets from files on the infected machine's local disk. Bugbear.E, however, also exploits a relatively new vulnerability in Windows' Internet Explorer that allows code execution across the security domains established by IE. For the corresponding advisory, see MS04-004 at: http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx. If there are unpatched boxes on the network and ActiveX controls are not restricted from being downloaded/executed, this worm can present a significant threat to the enterprise.

Worm Functions

Once executed, the worm will do the following:

- Create 4 files on the local machine (in Win2K: C:\Winnt\System32\) with random filenames; 3 end in ".dll" and 1 ends in ".exe".
- Create 2 Registry keys (1 to start the worm at every reboot, 1 to cover the actions of the data-stealing component).
- Kill security program processes (anti-virus, firewalls, etc.).
- Lift target addresses from the local disk.
- Send a randomly crafted email to each target, with a copy of the worm attached.
- Send an email to the worm creator with information stolen from the local machine (cookies, screen text, keystroke-logging data, and the contents of the Clipboard).

Previous versions of this worm have had additional infection vectors, including hitting network shares and infecting executables on the compromised system. Bugbear.B also opened a backdoor on local machines (TCP port 1080). Previous Bugbear mailers operated on a 120-minute timer, so periodic spikes in IDS or firewall activity are quite likely.
Identification

Email: The "From:" field will be either a randomly selected address taken from the local system or one of approximately 1900 words hard-coded into the worm. The email that carries Bugbear.E will have one of the following subjects:

- Hello!
- update
- hmm..
- Payment notices
- Just a reminder
- Correction of errors
- history screen
- Announcement
- various
- Introduction
- Interesting...
- I need help about script!!!
- Stats
- Please Help...
- Report
- Membership Confirmation
- [Fwd: look] ;-)
- Today Only
- New Contests
- Lost & Found
- bad news
- wow!
- fantastic
- click on this!
- Market Update Report
- empty account
- My eBay ads
- Cows
- 25 merchants and rising
- CALL FOR INFORMATION!
- new reading
- Sponsors needed
- SCAM alert!!!
- Warning!
- its easy
- free shipping!
- News
- Daily Email Reminder
- Tools For Your Online Business
- New bonus in your cash account
- Your Gift
- Re: good news!
- Your News Alert
- Hi!
- !!! WARNING !!!

Note: the subject of the email carrying the stolen information is "Hello!"

Attachment: The attachment will have the name of a randomly selected file that exists on the local system, making it nearly impossible to predict. The file will have an extension of ".zip" or ".htm".

Mitigation

- Block ZIP and HTM attachments from entering via the mail system.
- Block outbound connections to TCP 25 from LAN devices; only the organization's own mail servers/relays should be allowed to reach external port 25. Bugbear carries its own mailer, so an infected desktop delivers directly to the recipients' mail servers and never passes through the internal mail gateway on the way out.

Additional Information

This worm has also gone by the names Tanatos and PWSteal.Hooker.Trojan.
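As an added example (not part of the original alert, and not infectionvectors.com's code), the following Python script applies the Identification and Mitigation rules above to raw RFC 2822 messages: it matches the Subject header against the hard-coded subject list, extracts attachment filenames, and blocks any message that combines a listed subject with a .zip/.htm attachment or that carries a .zip/.htm attachment at all (the blanket block from the Mitigation section). A listed subject with no risky attachment is only logged, because several of the subjects ("News", "Hi!", "Report") are ordinary traffic. The sample messages are constructed inline for the demonstration and are not captured worm traffic; the function and variable names are this example's own.

```python
import email
from email import policy

# Subject lines hard-coded into Bugbear.E, as listed in the Identification section.
BUGBEAR_SUBJECTS = {
    "Hello!", "update", "hmm..", "Payment notices", "Just a reminder",
    "Correction of errors", "history screen", "Announcement", "various",
    "Introduction", "Interesting...", "I need help about script!!!", "Stats",
    "Please Help...", "Report", "Membership Confirmation", "[Fwd: look] ;-)",
    "Today Only", "New Contests", "Lost & Found", "bad news", "wow!",
    "fantastic", "click on this!", "Market Update Report", "empty account",
    "My eBay ads", "Cows", "25 merchants and rising", "CALL FOR INFORMATION!",
    "new reading", "Sponsors needed", "SCAM alert!!!", "Warning!", "its easy",
    "free shipping!", "News", "Daily Email Reminder",
    "Tools For Your Online Business", "New bonus in your cash account",
    "Your Gift", "Re: good news!", "Your News Alert", "Hi!", "!!! WARNING !!!",
}

# Attachment extensions the worm uses (Identification section); the Mitigation
# section says to block these outright at the mail gateway.
BLOCKED_EXTENSIONS = (".zip", ".htm")


def attachment_names(msg):
    """Collect the filename of every attached part (single-part mail included)."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_message):
    """Score one RFC 2822 message (bytes) against the Bugbear.E indicators.

    Returns a dict with the matched indicators, a verdict and a reason:
      block / bugbear-pattern    listed subject AND a .zip/.htm attachment
      block / attachment-policy  .zip/.htm attachment with any subject
      log   / subject-only       listed subject but no risky attachment
      pass  / clean              nothing matched
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    subject_hit = subject in BUGBEAR_SUBJECTS
    names = attachment_names(msg)
    risky = [n for n in names if n.lower().endswith(BLOCKED_EXTENSIONS)]
    if subject_hit and risky:
        verdict, reason = "block", "bugbear-pattern"
    elif risky:
        verdict, reason = "block", "attachment-policy"
    elif subject_hit:
        verdict, reason = "log", "subject-only"
    else:
        verdict, reason = "pass", "clean"
    return {"subject": subject, "subject_hit": subject_hit,
            "attachments": names, "risky_attachments": risky,
            "verdict": verdict, "reason": reason}


def build_message(subject, filename=None):
    """Constructed sample mail (not captured traffic) used to exercise classify()."""
    head = ("From: someone@example.com\r\nTo: victim@example.com\r\n"
            f"Subject: {subject}\r\nMIME-Version: 1.0\r\n")
    if filename is None:
        return (head + "Content-Type: text/plain\r\n\r\nhello\r\n").encode()
    body = (
        'Content-Type: multipart/mixed; boundary="bnd"\r\n\r\n'
        "--bnd\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        f'--bnd\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nUEsDBAoAAAAAAA==\r\n--bnd--\r\n"
    )
    return (head + body).encode()


# Four constructed cases covering each branch of the policy.
SAMPLES = {
    "worm": build_message("Re: good news!", "Q3report.zip"),
    "policy": build_message("Vacation photos", "pics.htm"),
    "subject_only": build_message("Hi!"),
    "clean": build_message("Meeting notes", "notes.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = classify(raw)
        print(f"{label:12s} {r['verdict']:5s} {r['reason']:17s} "
              f"subject={r['subject']!r} attachments={r['attachments']}")
```

The subject match is exact (after stripping whitespace) because the worm sends the strings verbatim; loosening it to a case-insensitive or substring match would add false positives on subjects like "News" and "Report". Since the worm delivers directly from the infected host, a gateway filter like this one only sees inbound copies; the TCP 25 egress block in the Mitigation section is what stops an infected desktop from spreading outward.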
Copyright © 2004 infectionvectors.com. All rights reserved.