[CSRT] eSafe Alert - Win32.BugBear - Medium risk - eSafe Protects You

====================================================
Aladdin Content Security Response Team - Virus Alert

Win32.BugBear Vandal

Virus/Vandal name: Win32.BugBear Vandal
Threat Level: Medium
Alias: NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,
WORM_BUGBEAR.A
Platforms: Win 9X,Win 95,Win 98,Win ME,Win NT,Win 2K,Win XP
Updated on: October 01, 2002
Arrival Form: Email
Type: Win32,Trojan
Damage: Create files,Send Email,Remote control,Theft of
information

Analysis
---------
Win32.BugBear is an email-propagating Trojan that exploits the Outlook Express
MIME-type vulnerability. It sends information about the infected PC.
Upon arrival, it will usually self-execute on unpatched systems vulnerable
to the MIME-type vulnerability. A patch for the MIME vulnerability in
Outlook Express 5 and 5.5 is available from Microsoft (Security Bulletin
MS01-020):
y/bulletin/MS01-020.asp

Upon execution it will save a copy of itself under a random name in the
Windows System directory and will run on every restart or login by
inserting itself in the StartUp folder.

The Arriving Email
--------------------

From: A spoofed sender address.

Subject: A random subject from the following list (possibly other subject
lines):
$150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Confirmation of Recipes?
Correction of errors
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
hello!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
Payment notices
Please Help...
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
Your Gift
Your News Alert

Attached files:
----------------
A random file name with a double extension; the last extension is .EXE,
.SCR, or .PIF.
The email may also carry random files taken from the infected PC.

Malicious Activity
-------------------
1. It searches for email addresses in the Windows Address Book and in
files with the extensions EML, MMF, MBX, TBB, OCS, DBX and NCH. It will
send itself to those addresses using its own SMTP engine.
2. It will attempt to stop the processes of various anti-virus and
personal firewall products it finds running.
3. It will listen on port 36794, waiting for incoming remote-control
connections. This can allow a remote attacker full control of the PC.
4. It may run a keyboard logger to capture keystrokes.
5. It creates the following encrypted DLL and DAT files in the Windows
System directory:
    iccyoa.dll
    lgguqaa.dll
    okkqsa.dat
    ussiwa.dat

eSafe Users
------------
eSafe Gateway and Mail users are protected against this vandal with the
MIME-type exploit protection.
eSafe Gateway and Mail also block by default malicious files with double
extensions and files with the .PIF and .SCR extensions.
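The attachment characteristics above (a double extension ending in .EXE, .SCR or .PIF) and the default gateway rule (block double extensions and any .PIF/.SCR file) can be checked on a mail gateway with a few lines of code. The following is an added example, not eSafe's own filter; the message it parses is a constructed sample, not a real BugBear mail.

```python
import email
from email import policy

# Constructed sample message: one double-extension attachment of the kind
# the alert describes, plus a harmless text attachment.
SAMPLE_EML = """\
From: someone@example.org
To: user@example.net
Subject: Just a reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="report.doc.scr"
Content-Disposition: attachment; filename="report.doc.scr"

AAAA
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

hello
--XYZ--
"""

# Final extensions the alert names for the worm's attachment.
EXEC_EXTENSIONS = {"exe", "scr", "pif"}

def attachment_names(raw):
    """Return the filenames of all attachments in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def is_suspicious(filename):
    """Mirror the gateway rule: block .PIF/.SCR outright, and block any
    double extension whose last part is an executable type."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False          # no extension at all
    last = parts[-1]
    double_extension = len(parts) >= 3
    return last in {"pif", "scr"} or (double_extension and last in EXEC_EXTENSIONS)

def flagged_attachments(raw):
    """Attachment names in the message that the rule would block."""
    return [n for n in attachment_names(raw) if is_suspicious(n)]
```

Run against the constructed sample, `flagged_attachments(SAMPLE_EML)` returns only `report.doc.scr`; a plain `notes.txt` or a single-extension `setup.exe` is not caught by this rule, which is why the signature update still matters.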

A vandal/virus signature update will be available shortly.

New Users
----------
More information about eSafe Content Security Products as well as trial
versions are available from: http://www.ealaddin.com/esafe

==========================================================================

For any information please feel free to contact us.
New security alerts, updates and information can be found at the CSRT
website: http://www.ealaddin.com/csrt

Regards,
      eSafe CSRT

--------------------------------------------------------------------------------------
Aladdin. Securing The Global Village
eSafe Protects You - http://www.esafe.com

--------------------------------------------------------------------------------
For any eSafe related questions, please contact esafe.support@ealaddin.com
--------------------------------------------------------------------------------
This email is being sent by Aladdin Knowledge Systems Inc. (www.eAladdin.com)