CDROM-Guide forums

  #1  
Old Oct 01, 2002, 04:24 AM
Trader Trader is offline
Veteran
 
Join Date: Jun 2001
Location: Weston Super Mare, Somerset, UK
Posts: 558
Default Virus Alert Notification

Virus Alert Notification

Win32.Bugbear
Alias: WORM_NATOSTA.A, Worm/Tanatos
Category: Win32
Type: Worm

CHARACTERISTICS
Win32.Bugbear is an e-mail worm written in MSVC.

The worm arrives attached to an e-mail. It appears to get the attachment name from files on the infected system. Therefore, the attachment name is unpredictable. The telltale sign is the double extension. The second extension can be pif, exe or scr. The file size is 50,688 bytes (UPX packed).

The message appears to be an existing message taken from the infected system, then replied to or re-sent with the worm attached.

To ensure the executable component of the worm will be run when Windows restarts, the worm drops a copy of itself to the current user's startup folder with a random filename starting with the letter C, for example "CGK.EXE". A second copy is dropped to the system directory, with a filename starting with letter F, for example "FCMY.EXE". The following registry key is then created and points to this copy:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"

The name of the key value starts with letter T followed by two randomly generated letters, for example "TSE".

Three files are dropped into the system directory by the worm with random names which will each have a .DLL extension. Two of them are data files, the other is a key logging trojan. In addition, two other data files with random names and .DAT extensions are dropped to the Windows directory.

The worm regularly searches and terminates the following Antivirus/Firewall processes if they are found in memory:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

It also enumerates network shares and listens on TCP port 36794.

Analysis by Hamish O'Dea
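The indicators listed in the alert above (double-extension attachment, 50,688-byte size, RunOnce value, dropped copies, TCP port 36794) can be turned into a triage check. This is an added example, not part of the original post or the vendor's analysis; the function names, the snapshot layout and the letters-only reading of "random filename" are assumptions, and the sample data is constructed.

```python
import re

# Indicators as described in the advisory above. Names, the snapshot layout and
# the letters-only reading of "random filename" are assumptions of this example.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{1,4}\.(pif|exe|scr)$", re.I)
RUNONCE_VALUE = re.compile(r"^T[A-Z]{2}$", re.I)       # e.g. "TSE"
STARTUP_COPY = re.compile(r"^C[A-Z]+\.EXE$", re.I)     # e.g. "CGK.EXE"
SYSTEM_COPY = re.compile(r"^F[A-Z]+\.EXE$", re.I)      # e.g. "FCMY.EXE"
WORM_PORT, WORM_SIZE = 36794, 50688

def suspicious_attachment(name, size=None):
    """Flag double extensions ending in pif/exe/scr; a size match raises confidence."""
    if not DOUBLE_EXT.search(name.strip()):
        return None
    return "high" if size == WORM_SIZE else "medium"

def triage_host(snapshot):
    """Return the advisory's host indicators found in a collected snapshot."""
    findings = []
    for value, target in snapshot.get("runonce", {}).items():
        exe = re.split(r"[\\/]", target.strip('" '))[-1]
        if RUNONCE_VALUE.match(value) and SYSTEM_COPY.match(exe):
            findings.append(("runonce", value))
    for name in snapshot.get("startup_files", []):
        if STARTUP_COPY.match(name):   # weak alone: legitimate C*.EXE names exist
            findings.append(("startup", name))
    if WORM_PORT in snapshot.get("listening_tcp", []):
        findings.append(("port", WORM_PORT))
    return findings

def verdict(findings):
    """Require two different indicator types before calling a host a likely match."""
    kinds = {kind for kind, _ in findings}
    return "likely" if len(kinds) >= 2 else "review" if kinds else "clean"

# Constructed sample data, not taken from a real host.
SAMPLE = {
    "runonce": {"TSE": r"C:\WINDOWS\SYSTEM\FCMY.EXE",
                "Updater": r"C:\Program Files\App\update.exe"},
    "startup_files": ["CGK.EXE", "Office Startup.lnk"],
    "listening_tcp": [135, 139, 36794],
}

if __name__ == "__main__":
    print(triage_host(SAMPLE), verdict(triage_host(SAMPLE)))
    print(suspicious_attachment("report.doc.pif", 50688))
```
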
  #2  
Old Oct 01, 2002, 08:28 AM
gooner gooner is offline
Veteran
 
Join Date: Jan 2002
Location: London, UK
Posts: 1,795
Default

Is anything meant by this post, Trader?
  #3  
Old Oct 01, 2002, 09:09 AM
Trader Trader is offline
Veteran
 
Join Date: Jun 2001
Location: Weston Super Mare, Somerset, UK
Posts: 558
Default

If you don't know then you have never had a virus?
  #4  
Old Oct 01, 2002, 10:02 AM
gooner gooner is offline
Veteran
 
Join Date: Jan 2002
Location: London, UK
Posts: 1,795
Default

I do know, but no-one really posts information on viruses unless someone has asked what a certain virus is. If we all posted info on viruses, worms and trojans all day then this board would be spinning out of control. Also, it should be posted in the Computer Security and Network Forums - that's what I was getting at.
 

All times are GMT -5. The time now is 03:48 AM.


