Win32:Bugbear-B

is an Internet virus written in Microsoft C and packed with UPX. It is polymorphic: it combines UPX file compression with simple encryption. The virus spreads via email and via network shares. It drops a trojan horse with keylogging and backdoor capabilities. The virus arrives as a randomly named attachment in an email message with variable subjects and bodies. The attachment can have the same filename as another file on the infected computer. The attachments can have double extensions, with the final extension being EXE, SCR or PIF. It uses the well-known IFrame exploit, which allows it to run automatically on vulnerable, unpatched computers.
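As an added example (not part of the original description), the following mail-filter check flags attachments that fit the pattern described above: a final extension of EXE, SCR or PIF, with double-extension names reported separately. The sample message is constructed inline and is not a real Bugbear-B capture.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Final extensions named in the Bugbear-B description.
EXECUTABLE_EXTS = {"exe", "scr", "pif"}


def classify_attachment_name(name: str) -> str:
    """Return a reason string if the filename looks like a Bugbear-style
    attachment, or an empty string if it does not."""
    pieces = name.lower().strip().split(".")
    if len(pieces) < 2 or pieces[-1] not in EXECUTABLE_EXTS:
        return ""
    if len(pieces) >= 3:
        return "double extension ending in ." + pieces[-1]
    return "executable attachment ending in ." + pieces[-1]


def suspicious_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 822 message and return (filename, reason) pairs
    for every attachment whose name matches the pattern."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        reason = classify_attachment_name(name)
        if reason:
            flagged.append((name, reason))
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample for demonstration only (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="report.doc.scr")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()
```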

After execution of the infected attachment, the worm copies itself to the Windows STARTUP and SYSTEM directories under a random name. It then drops the keylogger into the SYSTEM directory, also under a random name. Next it tries to copy itself to remote machines with open shared drives over the LAN; it contains a fixed list of filenames which it tries to infect remotely. Besides that, it tries to copy itself into the Startup folder. It also opens port 1080 and listens for commands from outside.

The following registry key is created:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce "xxx" = "****.EXE"

The worm also contains a very long list of antivirus and firewall programs that it tries to kill every 20 seconds.

The worm then searches for email addresses in the current inbox and in files on the local disk with the following extensions: ODS, MMF, NCH, MBX, EML, TBB and DBX. It uses its own SMTP routine to send the mails via the SMTP server found in the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts

It forges the From and Reply-To fields in a similar way to Win32:Klez-H, so there is no obvious way to find the real sender, i.e. the infected computer.

Removal:
To remove this virus please use our free avast! Virus Cleaner.

avast! with VPS file dated on or after 5th June 2003 is able to detect this worm.
