
W32.Bugbear.B@mm

Risk Level 2: Low

Discovered:
June 4, 2003
Updated:
February 13, 2007 12:02:04 PM
Also Known As:
Win32.Bugbear.B [Computer Asso, W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend], W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [Kaspersky], W32/Bugbear.B [Panda], Win32/Bugbear.B@mm [RAV]
Type:
Worm, Virus
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References:
CVE-2001-0154


The W32.Bugbear.B@mm worm:
  • Is a variant of W32.Bugbear@mm.
  • Is a mass-mailing worm that also spreads through network shares.
  • Is polymorphic and also infects a select list of executable files.
  • Possesses keystroke-logging and backdoor capabilities.
  • Attempts to terminate the processes of various antivirus and firewall programs.

The worm uses the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.
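
A mail-gateway check for the header mismatch this vulnerability relies on, as an added example (not Symantec's detection logic): it flags MIME parts declared as media whose file name or content is executable. The extension list, the media-type set, the function names and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions Windows runs directly; adjust to local policy.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Assumption: top-level types a mail client may try to render on preview.
MEDIA_TYPES = {"audio", "video", "image"}


def mismatched_parts(raw: bytes):
    """Return (declared_type, filename, reasons) for media parts that look executable."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart() or part.get_content_maintype() not in MEDIA_TYPES:
            continue
        # get_filename() reads Content-Disposition filename, then Content-Type name.
        name = (part.get_filename() or "").strip().rstrip(".").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        body = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTS:
            reasons.append("executable extension")
        if body[:2] == b"MZ":  # DOS/PE header magic
            reasons.append("MZ header")
        if reasons:
            findings.append((part.get_content_type(), name, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed message: one benign WAV and two mismatched parts."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"RIFF\x00\x00\x00\x00WAVE", maintype="audio",
                       subtype="x-wav", filename="chime.wav")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="setup.exe")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="song.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for declared, name, reasons in mismatched_parts(build_sample()):
        print(f"{declared} {name}: {', '.join(reasons)}")
```

The content check catches the renamed `song.wav` case that an extension filter alone would pass.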

In addition, the worm contains routines that specifically affect financial institutions. This functionality will cause the worm to send sensitive data to one of 10 hard-coded, public Internet e-mail addresses. The sent information includes cached passwords and key-logging data.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

NOTES:

Security Response has received many submissions of corrupted W32.Bugbear.B@mm samples. A specific detection for this type of infected file has been added as W32.Bugbear.B.Dam. This detection is available in virus definitions dated June 6, 2003. Be sure to delete the files detected as W32.Bugbear.B.Dam.

Antivirus Protection Dates

  • Initial Rapid Release version June 5, 2003
  • Latest Rapid Release version August 17, 2012 revision 069
  • Initial Daily Certified version June 5, 2003
  • Latest Daily Certified version August 18, 2012 revision 017
  • Initial Weekly Certified release date June 5, 2003

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Eric Chien
