Win32.HLLM.Bugbear.3

(Email-Worm.Win32.Tanatos.c, W32.Bugbear.C@mm, W32/Bugbear.c@MM, W32/Bugbear.f@MM, WORM_BUGBEAR.C, Win32/BugBear.E!Worm)

Added to the Dr.Web virus database: 2004-04-06

Description

Win32.HLLM.Bugbear.3 is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm is written in MS Visual C++ and packed with the UPX compression utility; the UPX-packed program module is 52,743 bytes in size.
The worm spreads via e-mail using its own SMTP engine.
It contains a Trojan component, a key-logging utility.
It terminates certain antivirus programs and firewalls.

To penetrate a system the worm exploits a long-known flaw in the handling of incorrect MIME headers, which allows a program file (carrying the virus) attached to a mail message to be launched automatically when the message is merely previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5).

Spreading

Having penetrated a system, the worm starts sending itself, using its own SMTP engine, to all addresses found in files with the .dbx, .eml, .mbx, .mmf, .nch, .ods and .tbs extensions. The harvested addresses are also used to compose forged From addresses, and the worm may substitute the sender's name with one taken from a large list of names inside its body.

The mail message infected with the worm may look as follows:

Subject:

     !!! WARNING !!!
     25 merchants and rising
     Announcement
     CALL FOR INFORMATION!
     Correction of errors
     Cows
     Daily Email Reminder
     Greets!
     Hello!
     Hi!
     I need help about script!!!
     Interesting...
     Introduction
     Just a reminder
     Lost & Found
     Market Update Report
     Membership Confirmation
     My eBay ads
     New Contests
     New bonus in your cash account
     News
     Payment notices
     Please Help...
     Re:
     Report
     SCAM alert!!!
     Sponsors needed
     Stats
     Today Only
     Tools For Your Online Business
     Warning!
     Your Gift
     Your News Alert
     [Fwd: look] ;-)
     bad news
     click on this!
     empty account
     fantastic
     free shipping!
     good news!
     history screen
     hmm..
     its easy
     new reading
     update
     various
     wow!
The attachment name is made of file names found in the local "My Documents" folder, which the worm locates via the registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
The attachment may have an .exe, .pif or .src extension. Sometimes the attached file arrives in WinZip format. The attachments may also have the following names:
     Card
     data
     Docs
     image
     images
     music
     news
     photo
     pics
     readme
     resume
     Setup
     song
     video
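
The mail characteristics above (fixed subject lines, a handful of attachment base names, an executable or WinZip attachment whose declared MIME type need not match its content) are enough to triage a message at the gateway. The following is an added example, not Dr.Web's code: it parses a raw RFC 822 message with Python's standard `email` package, tags each indicator it finds, and marks the message suspicious when two or more are present. The indicator sets are a subset of the lists on this page; the two sample messages, the two-finding threshold and the tag names are constructed for the example.

```python
import email
import os
from email import policy

# Indicators taken from the description above (a subset of the subject lines,
# the attachment base names, and the attachment extensions it reports).
KNOWN_SUBJECTS = {
    "!!! WARNING !!!", "25 merchants and rising", "Announcement",
    "CALL FOR INFORMATION!", "Daily Email Reminder", "Membership Confirmation",
    "My eBay ads", "New bonus in your cash account", "Payment notices",
    "SCAM alert!!!", "Your Gift", "[Fwd: look] ;-)", "empty account",
    "free shipping!", "history screen", "its easy",
}
KNOWN_ATTACHMENT_STEMS = {
    "card", "data", "docs", "image", "images", "music", "news", "photo",
    "pics", "readme", "resume", "setup", "song", "video",
}
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".src"}   # extensions named in the description
ARCHIVE_EXTENSIONS = {".zip"}                       # "WinZip format"


def triage_message(raw: bytes) -> dict:
    """Return the Bugbear-style indicators found in one raw e-mail message.

    Findings are short tags; two or more mark the message suspicious. The
    threshold is a triage choice made for this example, not a vendor rule.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        findings.append("known-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append("executable-attachment")
            # The preview-launch trick depends on the declared MIME type
            # disagreeing with the real content, so a non-application type on
            # an executable attachment is itself a red flag.
            if part.get_content_maintype() != "application":
                findings.append("mime-type-mismatch")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append("archive-attachment")
        if stem in KNOWN_ATTACHMENT_STEMS:
            findings.append("known-attachment-name")
    return {"subject": subject, "findings": findings,
            "suspicious": len(findings) >= 2}


# Constructed sample: a worm-style message (subject from the list, executable
# attachment with a known base name, declared as text/plain).
SAMPLE_INFECTED = b"""From: "Ann Example" <ann@example.invalid>
To: bob@example.invalid
Subject: Membership Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached file.
--sep
Content-Type: text/plain; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAAA=
--sep--
"""

# Constructed sample: an ordinary reply with no attachment.
SAMPLE_CLEAN = b"""From: carol@example.invalid
To: bob@example.invalid
Subject: Re: lunch
Content-Type: text/plain

12:30 works for me.
"""

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, triage_message(raw))
```

Subject matching is exact on purpose: several list entries ("Re:", "News", "update") are ordinary words, so substring matching would flood a mailbox with false positives. The attachment checks carry the weight, and the MIME-type mismatch is the one signal that does not depend on the worm's fixed strings.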

Action

When in a system, the worm drops a copy of itself into the Windows\System folder (C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP). The file name is randomly generated and has an .exe extension. The worm also adds a corresponding value to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it starts automatically at every Windows restart.
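
Because the dropped file carries a random name, a signature on the name is useless, but the persistence mechanism described above is itself auditable: a Run value that launches an unknown executable directly from one of the three System folders. The following is an added example, not Dr.Web's code. It parses the text of a `reg export` dump of the Run key (the export is constructed here; on a live host `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` produces one, typically UTF-16 encoded) and reports every value whose target lives in a System folder and is not on a hypothetical baseline of expected entries.

```python
import ntpath
import re

# The drop folders named in the description (Windows 9x/ME, NT/2000, XP).
SYSTEM_FOLDERS = {
    r"c:\windows\system",
    r"c:\winnt\system32",
    r"c:\windows\system32",
}

# Hypothetical baseline of Run values an administrator expects on the host;
# in practice this comes from a golden image or a previous audit.
BASELINE_RUN_VALUES = {"ctfmon": r"c:\windows\system32\ctfmon.exe"}

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse the string values of a one-key .reg dump into {name: data}."""
    values = {}
    for line in text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            name, data = m.groups()
            # .reg files double every backslash and escape embedded quotes.
            values[name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return values


def command_target(data: str) -> str:
    """Extract the executable path from a Run value: a quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def audit_run_key(reg_text: str, baseline=BASELINE_RUN_VALUES) -> list:
    """Return (name, path) for Run values launching an unknown file from a System folder."""
    flagged = []
    for name, data in parse_reg_export(reg_text).items():
        target = command_target(data).lower()
        folder, _exe = ntpath.split(target)
        if folder in SYSTEM_FOLDERS and baseline.get(name, "").lower() != target:
            flagged.append((name, target))
    return flagged


# Constructed export of the Run key: one baseline entry, one vendor tray
# application outside the System folders, one random-named System32 binary.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"tray"="\"C:\\Vendor Tools\\tray.exe\" /silent"
"qkzvwt"="C:\\Windows\\System32\\qkzvwt.exe"
"""

if __name__ == "__main__":
    for name, path in audit_run_key(SAMPLE_REG_EXPORT):
        print(f"unexpected Run value {name!r} -> {path}")
```

The check deliberately compares the full target path against the baseline rather than only the value name, so an entry that keeps a familiar name but is repointed into a System folder is still reported. Unquoted paths containing spaces are a known limitation of `command_target`; quote them in the baseline and the export will agree.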

In the same folder the worm creates three .dll files. One of them is the Trojan key-logging utility; its size is 5,632 bytes.

The worm queries the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
to locate the Cookies folder, then searches that folder for files whose extension is not .dat. Any such file containing the string "e-gold" is deleted.

The worm terminates the following antivirus and firewall processes:

      ZONEALARM.EXE
      WFINDV32.EXE
      WEBSCANX.EXE
      VSSTAT.EXE
      VSHWIN32.EXE
      VSECOMR.EXE
      VSCAN40.EXE
      VETTRAY.EXE
      VET95.EXE
      TDS2-NT.EXE
      TDS2-98.EXE
      TCA.EXE
      TBSCAN.EXE
      SWEEP95.EXE
      SPHINX.EXE
      SMC.EXE
      SERV95.EXE
      SCRSCAN.EXE
      SCANPM.EXE
      SCAN95.EXE
      SCAN32.EXE
      SAFEWEB.EXE
      RESCUE.EXE
      RAV7WIN.EXE
      RAV7.EXE
      PERSFW.EXE
      PCFWALLICON.EXE
      PCCWIN98.EXE
      PAVW.EXE
      PAVSCHED.EXE
      PAVCL.EXE
      PADMIN.EXE
      OUTPOST.EXE
      NVC95.EXE
      NUPGRADE.EXE
      NORMIST.EXE
      NMAIN.EXE
      NISUM.EXE
      NAVWNT.EXE
      NAVW32.EXE
      NAVNT.EXE
      NAVLU32.EXE
      NAVAPW32.EXE
      N32SCANW.EXE
      MPFTRAY.EXE
      MOOLIVE.EXE
      LUALL.EXE
      LOOKOUT.EXE
      LOCKDOWN2000.EXE
      JEDI.EXE
      IOMON98.EXE
      IFACE.EXE
      ICSUPPNT.EXE
      ICSUPP95.EXE
      ICMON.EXE
      ICLOADNT.EXE
      ICLOAD95.EXE
      IBMAVSP.EXE
      IBMASN.EXE
      IAMSERV.EXE
      IAMAPP.EXE
      FRW.EXE
      FPROT.EXE
      FP-WIN.EXE
      FINDVIRU.EXE
      F-STOPW.EXE
      F-PROT95.EXE
      F-PROT.EXE
      F-AGNT95.EXE
      ESPWATCH.EXE
      ESAFE.EXE
      ECENGINE.EXE
      DVP95_0.EXE
      DVP95.EXE
      CLEANER3.EXE
      CLEANER.EXE
      CLAW95CF.EXE
      CLAW95.EXE
      CFINET32.EXE
      CFINET.EXE
      CFIAUDIT.EXE
      CFIADMIN.EXE
      BLACKICE.EXE
      BLACKD.EXE
      AVWUPD32.EXE
      AVWIN95.EXE
      AVSCHED32.EXE
      AVPUPD.EXE
      AVPTC32.EXE
      AVPM.EXE
      AVPDOS32.EXE
      AVPCC.EXE
      AVP32.EXE
      AVP.EXE
      AVNT.EXE
      AVKSERV.EXE
      AVGCTRL.EXE
      AVE32.EXE
      AVCONSOL.EXE
      AUTODOWN.EXE
      APVXDWIN.EXE
      ANTI-TROJAN.EXE
      ACKWIN32.EXE
      _AVPM.EXE
      _AVPCC.EXE
      _AVP32.EXE