Description
Win32.HLLM.Bugbear.3 is a mass-mailing worm which affects computers running Windows 95/98/Me/NT/2000/XP. The worm is written in MS Visual C++ and packed with the UPX compression utility. The UPX-packed program module of the worm is 52,743 bytes in size.
The worm mass spreads via e-mail using its own SMTP engine.
The program contains a Trojan component – a key-logging utility.
It terminates operation of certain antivirus programs and firewalls.
To penetrate a system the worm uses a long-known incorrect-MIME-header exploit, which causes a program file (carrying the virus) attached to a mail message to be launched automatically as soon as the message is previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5).
Spreading
Having penetrated a system, the worm sends itself, using its own SMTP engine, to all addresses found in files with the .dbx, .eml, .mbx, .mmf, .nch, .ods and .tbs extensions. The harvested addresses are also used to compose the From address, and the worm may substitute the sender's name from the large list of names carried in its body.
The mail message infected with the worm may look as follows:
Subject:
!!! WARNING !!!
25 merchants and rising
Announcement
CALL FOR INFORMATION!
Correction of errors
Cows
Daily Email Reminder
Greets!
Hello!
Hi!
I need help about script!!!
Interesting...
Introduction
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New Contests
New bonus in your cash account
News
Payment notices
Please Help...
Re:
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
Warning!
Your Gift
Your News Alert
[Fwd: look]
;-)
bad news
click on this!
empty account
fantastic
free shipping!
good news!
history screen
hmm..
its easy
new reading
update
various
wow!
The attachment name is made of file names found in the local "My Documents" folder, whose location is read from the registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
The attachment may have the .exe, .pif or .src extension. Sometimes the attached file arrives in WinZip format. The attachments may also have the following names:
Card data Docs image images music news photo pics readme resume Setup song video
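As an added illustration (example code written for this page, not part of the original description), the following Python script shows how a mail gateway or analyst could triage a message against the indicators listed above: a subject from the worm's list, an attachment with one of the listed names and an executable extension, and an attachment whose declared MIME type does not match its executable filename. Treating the "incorrect MIME header" from the Description as a type/extension mismatch of this kind is an assumption of the example; the sample messages are constructed, not captures.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# A representative subset of the subjects listed above.
KNOWN_SUBJECTS = {
    "!!! WARNING !!!", "25 merchants and rising", "Announcement", "CALL FOR INFORMATION!",
    "Daily Email Reminder", "Greets!", "Hello!", "Hi!", "I need help about script!!!",
    "Just a reminder", "Lost & Found", "Market Update Report", "Membership Confirmation",
    "My eBay ads", "New bonus in your cash account", "Payment notices", "SCAM alert!!!",
    "Today Only", "Tools For Your Online Business", "Your Gift", "Your News Alert",
    "[Fwd: look]", "bad news", "click on this!", "empty account", "free shipping!",
    "good news!", "history screen", "hmm..", "its easy", "new reading",
}
# Attachment names listed above, lower-cased for comparison.
KNOWN_ATTACHMENT_STEMS = {"card", "data", "docs", "image", "images", "music", "news",
                          "photo", "pics", "readme", "resume", "setup", "song", "video"}
# Extensions as named on the page (.src as spelled there); .scr is added as an assumption.
EXEC_EXTENSIONS = {".exe", ".pif", ".src", ".scr"}


def triage(raw: bytes) -> list[str]:
    """Return a sorted list of indicator tags found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    subject = str(msg.get("Subject", "")).strip()
    if subject in KNOWN_SUBJECTS:
        findings.add("known_subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        ctype = part.get_content_type()
        if ext in EXEC_EXTENSIONS:
            findings.add("executable_attachment")
            # An executable filename declared as audio/text/etc. is the mismatch
            # that lets a previewing client hand the file to the wrong handler.
            if not ctype.startswith("application/"):
                findings.add("mime_type_mismatch")
        if stem in KNOWN_ATTACHMENT_STEMS:
            findings.add("known_attachment_name")
        if ext == ".zip":
            findings.add("zip_attachment_needs_inspection")
    return sorted(findings)


def build_sample_message() -> bytes:
    """Constructed message resembling the description above (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Daily Email Reminder"
    msg.set_content("see attached")
    # Executable filename declared as audio: the mismatch the check looks for.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="readme.exe")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary message that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "carol@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Menu attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="menu.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
    print(triage(build_benign_message()))
```

The subject and name lists are only a weak signal on their own (most of them are ordinary phrases); the executable extension and the type/extension mismatch are what should drive a quarantine decision, with the zip case handed to content inspection.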
Action
When in a system, the worm drops a copy of itself into the Windows system folder (C:\Windows\System on Windows 9x/Me, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP). The copy has a randomly generated name with an .exe extension. The worm also adds a corresponding entry under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it starts automatically at every Windows restart.
In the same folder the worm creates three .dll files. One of them is the Trojan key-logging utility; its size is 5,632 bytes.
The worm queries the registry value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
to locate the Cookies folder, then searches that folder for files whose extension is not .dat. Any such file containing the string "e-gold" is deleted.
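An added host-side check (example code written for this page, not the description author's): given the Run-key entries and a listing of the system folder, it flags autorun entries that point to an .exe in the system folder not on an analyst-supplied allowlist, and strengthens the finding when the file size matches the 52,743-byte module, when the image carries UPX section names (UPX0/UPX1, a general property of UPX-packed executables rather than something the description states), or when a 5,632-byte .dll sits in the same folder. The registry entries, file names (wrhx.exe, qtz.dll), sizes of the benign files and byte contents are constructed for the demonstration.

```python
import ntpath
from dataclasses import dataclass

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_EXE_SIZE = 52_743        # UPX-packed module size stated in the description
KEYLOGGER_DLL_SIZE = 5_632    # key-logging .dll size stated in the description
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}


@dataclass
class FileInfo:
    size: int    # file size in bytes
    head: bytes  # first part of the file, enough to see PE section names


def is_upx_packed(head: bytes) -> bool:
    # UPX leaves its section names in the PE header (assumes an unmodified UPX build).
    return b"UPX0" in head or b"UPX1" in head


def check_autorun(run_entries, files, allowlist):
    """Return sorted (indicator, path) pairs for suspicious autorun targets and dropped DLLs.

    run_entries: value name -> command string as read from RUN_KEY
    files:       lower-cased full path -> FileInfo for the system folder listing
    allowlist:   lower-cased basenames the analyst has verified as legitimate
    """
    findings = []
    for _name, command in run_entries.items():
        target = command.strip().strip('"').lower()
        directory, basename = ntpath.split(target)
        if directory not in SYSTEM_DIRS or ntpath.splitext(basename)[1] != ".exe":
            continue
        if basename in allowlist:
            continue
        findings.append(("unlisted_system_dir_autorun", target))
        info = files.get(target)
        if info is None:
            continue
        if info.size == WORM_EXE_SIZE:
            findings.append(("size_matches_worm_module", target))
        if is_upx_packed(info.head):
            findings.append(("upx_packed", target))
    for path, info in files.items():
        if (ntpath.dirname(path) in SYSTEM_DIRS and path.endswith(".dll")
                and info.size == KEYLOGGER_DLL_SIZE):
            findings.append(("dll_size_matches_keylogger", path))
    return sorted(findings)


# Constructed sample data (not taken from a real host).
SAMPLE_RUN_ENTRIES = {
    "ctfmon": r"C:\WINNT\System32\ctfmon.exe",   # legitimate, on the allowlist
    "wrhx": r"C:\WINNT\System32\wrhx.exe",       # constructed random-looking name
}
SAMPLE_FILES = {
    r"c:\winnt\system32\ctfmon.exe": FileInfo(size=15_360, head=b"MZ" + b"\x00" * 62),
    r"c:\winnt\system32\wrhx.exe": FileInfo(size=52_743, head=b"MZ" + b"\x00" * 62 + b"UPX0"),
    r"c:\winnt\system32\qtz.dll": FileInfo(size=5_632, head=b"MZ" + b"\x00" * 62),
    r"c:\winnt\system32\kernel32.dll": FileInfo(size=741_376, head=b"MZ" + b"\x00" * 62),
}
SAMPLE_ALLOWLIST = {"ctfmon.exe"}

if __name__ == "__main__":
    for indicator, path in check_autorun(SAMPLE_RUN_ENTRIES, SAMPLE_FILES, SAMPLE_ALLOWLIST):
        print(f"{indicator}: {path}")
```

On a live Windows host the two inputs would come from the Run key (winreg) and a walk of the system folder; the checks are kept as pure functions so they can be run offline against exported registry and directory data, and so the size indicators can be swapped for a hash once a sample is in hand.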
The worm terminates the following antivirus programs and firewalls if they are running:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE