Center for Information Technology: Antivirus
Virus Archives

w32/BugBear.B Last Updated 06/05/03 1:50pm

w32/BugBear.B is an email virus that infects Windows machines and is spreading in the wild. w32/BugBear.B is a mass mailing worm that also spreads through open network shares and installs a keylogger Trojan. The worm spoofs the address of the sender with a random address and uses its own SMTP engine to send mail from the infected client.

The subject of the email is taken from an existing email in the infected client's inbox.

The attachment name is a filename taken from files found on the infected machine and is known to have either a .PIF, .EXE, or .SCR extension.

The body of the message varies and may include file fragments.

When w32/BugBear.B runs it will attempt to copy itself to the startup folder using a random file name. After copying itself to the startup folder of the local machine it will attempt to copy itself to the startup folder of other machines on the network.

w32/BugBear.B also installs a keylogger Trojan. The file name of the keylogger is randomly generated with a .dll extension and is placed in the SYSTEM directory. The information collected by the keylogger is placed in 2 similarly named files, also in the SYSTEM directory. The Trojan listens on port 1080.

w32/BugBear.B will also try to infect files and try to terminate antivirus and firewall software running on the infected machine.
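The behaviours described above (attachment extensions, a program file copied into the startup folder, a listener on port 1080) can be checked together during host and mail triage. The following is an added example, not part of the original advisory or of any vendor tool; the function names and all sample inputs are constructed for illustration.

```python
import email

RISKY_EXT = (".pif", ".exe", ".scr")  # attachment extensions named in the advisory
TROJAN_PORT = 1080                     # port the advisory says the Trojan listens on

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state, parsed from Windows `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows have 4 fields: proto, local address, foreign address, state.
        if len(f) == 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            port = f[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def risky_attachments(raw_message):
    """Attachment file names whose extension is one the advisory lists."""
    msg = email.message_from_string(raw_message)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if n.lower().endswith(RISKY_EXT)]

def startup_programs(file_names):
    """Program files placed directly in a startup folder listing."""
    return [n for n in file_names if n.lower().endswith(RISKY_EXT)]

def triage(netstat_text, startup_files, raw_message):
    """Collect every indicator from the advisory that the inputs show."""
    findings = []
    if TROJAN_PORT in listening_ports(netstat_text):
        findings.append("listener on TCP 1080")
    findings += ["startup program: " + n for n in startup_programs(startup_files)]
    findings += ["mail attachment: " + n for n in risky_attachments(raw_message)]
    return findings

# Constructed sample inputs (not captured from a real host or message).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3021          10.0.0.9:1080          ESTABLISHED
"""
SAMPLE_STARTUP = ["Office.lnk", "qxzw.exe", "desktop.ini"]
SAMPLE_MAIL = ('Subject: Re: budget\n'
               'Content-Type: application/octet-stream\n'
               'Content-Disposition: attachment; filename="notes.scr"\n\nAAAA\n')

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_NETSTAT, SAMPLE_STARTUP, SAMPLE_MAIL)))
```

A hit is a prompt for review rather than proof of infection: port 1080 and .EXE files both have legitimate uses, so confirm with a scan using current definitions.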

The current 4270 Dat/SuperDat released by NAI will detect and remove w32/BugBear.B.

Symantec definitions dated 6-5-2003 and later detect and remove w32/BugBear.B. The definitions are available through the LiveUpdate feature of Norton Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_100358.htm from NAI regarding w32/BugBear.B.

http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html from Symantec regarding w32/BugBear.B.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support
National Institutes of Health, Center for Information Technology
Bethesda, Maryland 20892