New Virus Alert W32/Bugbear.B-mm
Posted: 06th Jun, 2003 By: Anne
Anti-Virus firm MessageLabs has reported a new virus W32/Bugbear.B-mm, which was first reported on the 4th June. There have already been reports in our forums of members receiving this virus:
Email Characteristics
From the copies that we have stopped so far:
From: The sender address may be spoofed, and may not indicate the true address of the sender. The virus contains a number of domains that it appears to be capable of spoofing. Further analysis will determine whether this is the case or not.
Subject: Emails that we have thus far seen have varying subject lines, seemingly relating to information or documents plagiarized from the recipient's infected machine.
Message Body: The body text of the message is variable and appears to be taken from documents and files found on the recipient's infected machine.
Attachment: The attachment is compressed in a modified UPX format. The file size is 72,192 bytes. Attachment names are also variable, possibly based on filenames found on the infected machine, with an extension of either .scr, .pif or .exe.
For example:
Crimbo.exe.scr
Lotto.mbd.pif
052003.ptx.exe
My Money Backup.mbf.scr
Captletterhead.doc.scr
Virus Behavior
Initial analysis suggests that the virus is a mass mailer. It appears to be very polymorphic in nature and is compressed using a variant of UPX; however, it seems to have the ability to repack or modify itself during each generation, presumably in an attempt to foil simple anti-virus signature fingerprinting techniques.
In some copies that we have stopped, the MS01-020 auto-open exploit has been found, which will automatically execute the attachment just by reading the email on an unpatched Windows system.
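The attachment traits listed above (an executable extension of .scr, .pif or .exe, a double-extension file name such as Captletterhead.doc.scr, the reported 72,192-byte size) and the MS01-020 auto-open trick can all be checked at the mail gateway before any signature exists. The following is an added example, not MessageLabs code or part of the original alert; the sample message is constructed, and the MS01-020 rule rests on the assumption (general knowledge about that vulnerability, not stated in the alert) that the auto-open exploit presents an executable under an audio/* Content-Type. The size match is treated as a weak indicator because the alert itself says the worm repacks itself each generation.

```python
"""Flag e-mail attachments that match the W32/Bugbear.B-mm traits in the alert.

Added example, not MessageLabs code.  Indicators taken from the alert text:
executable extension, double-extension file name, reported size, and the
MS01-020 auto-open pattern (assumed here to be an executable carried under
an audio/* Content-Type, which is not spelled out on the page).
"""
from email import message_from_bytes, policy

EXEC_EXTS = {".scr", ".pif", ".exe"}
REPORTED_SIZE = 72192  # weak indicator: the worm repacks itself each generation


def attachment_indicators(filename: str, content_type: str, size: int) -> list[str]:
    """Return the Bugbear.B traits an attachment exhibits (empty list = none)."""
    hits = []
    parts = filename.lower().strip().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        hits.append(f"executable extension {ext}")
        if len(parts) > 2:  # e.g. Captletterhead.doc.scr, Lotto.mbd.pif
            hits.append(f"double extension hides executable behind .{parts[-2]}")
        if content_type.lower().startswith("audio/"):
            # assumption: MS01-020 auto-open relies on an audio/* MIME type
            hits.append("MIME type/extension mismatch (MS01-020 auto-open pattern)")
    if size == REPORTED_SIZE:
        hits.append("size matches reported sample (72,192 bytes)")
    return hits


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw message and map every named attachment to its indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        data = part.get_payload(decode=True) or b""
        findings[filename] = attachment_indicators(
            filename, part.get_content_type(), len(data)
        )
    return findings


# Constructed sample message: one Bugbear-style attachment, one benign one.
SAMPLE_MAIL = b"""From: accounts@example.com
To: user@example.com
Subject: My Money Backup
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bb"

--bb
Content-Type: text/plain

Text lifted from a document on the infected machine.
--bb
Content-Type: audio/x-wav; name="My Money Backup.mbf.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="My Money Backup.mbf.scr"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bb
Content-Type: application/msword; name="quarterly.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="quarterly.doc"

0M8R4KGxGuEA
--bb--
"""

if __name__ == "__main__":
    for name, hits in scan_message(SAMPLE_MAIL).items():
        print(name, "->", hits or "clean")
```

Any attachment with at least one hit other than the size match is worth quarantining on an unpatched estate; the size rule alone should only raise the score, since a repacked generation will not be 72,192 bytes.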
Virus Payload
Initial analysis indicates that this virus may also be able to disarm local security software, such as anti-virus or firewall software. It may also be able to spread via network shares, as was the case with the earlier Bugbear.A strain.
Furthermore, it may also install a key-logging Trojan component that will enable an unscrupulous hacker to take control of the infected machine and download a file containing the user's keystrokes, including information entered on websites such as passwords or credit-card details, for example.
Comment
The virus includes a number of domain names that it appears to be capable of spoofing, including many major international banks, financial institutions and government authorities.
This is a particularly worrying trend in terms of the social engineering techniques now almost customary for any new virus to take hold. Not only can Bugbear leech confidential information from an infected machine, but it may also leave a backdoor wide open for hackers to take control of the machine and misappropriate passwords and credit-card details, or use it for some other nefarious purpose.
From the pattern of Bugbear.B emails that we have stopped already this morning, we anticipate that this is likely to reach high-level outbreak very soon, particularly as the US begin to come online.
Detection
MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic predictive heuristics technology.