Win32.HLLM.Bugbear

Added to the Dr.Web virus database: 2008-09-22

Virus description added:

Description

Win32.HLLM.Bugbear is a mass-mailing worm written in Microsoft Visual C/C++ and packed with UPX.
The program contains Trojan components and installs a backdoor on the infected computer, which may allow the system to be remotely compromised and sensitive information to be disclosed.
The program attempts to terminate some anti-virus programs and firewalls.
The worm mass-propagates via e-mail using its own SMTP engine, which substantially decreases mail server throughput. It retrieves information about the SMTP servers accessible from the infected computer from the registry entry

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

The worm is also capable of spreading through network shares.

To infect the target system, the worm uses a well-known MS Internet Explorer vulnerability, the so-called "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment", which allows a program file (containing a virus program) to run automatically even when the message is only previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5).

Spreading

A message infected with Win32.HLLM.Bugbear that arrives on a user's computer has the following characteristics:

  • Subject: varies; the worm selects it from a list of subjects within its source code.
  • Attachment name: also varies, but always has two extensions, the last of which may be .exe, .scr or .pif. The following words may also form the attachment name: Card, Docs, image, images, music, news, photo, readme, resume, Setup, song, video.
  • Attachment size: always 50,688 bytes.
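
The attachment traits listed above can be checked at a mail gateway. The following is an added example, not part of the original description and not Dr.Web's detection logic: the function names `score_attachment`, `scan_message` and `build_sample` are hypothetical, and the sample message is constructed with a harmless zero-filled payload.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
FINAL_EXTS = {".exe", ".scr", ".pif"}
NAME_WORDS = {"card", "docs", "image", "images", "music", "news",
              "photo", "readme", "resume", "setup", "song", "video"}
WORM_SIZE = 50688  # bytes


def score_attachment(filename, size):
    """Return matched indicators; empty unless the double-extension rule hits."""
    parts = filename.strip().lower().rsplit(".", 2)
    # Required trait: name.ext1.ext2 where ext2 is .exe, .scr or .pif.
    if len(parts) != 3 or not parts[1] or "." + parts[2] not in FINAL_EXTS:
        return []
    hits = ["double-extension"]
    if any(word in parts[0] for word in NAME_WORDS):
        hits.append("known-name-word")
    if size == WORM_SIZE:
        hits.append("size-50688")
    return hits


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and list (filename, indicators) per hit."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:          # multipart containers and plain body parts
            continue
        payload = part.get_payload(decode=True) or b""  # decoded size, not base64 size
        hits = score_attachment(name, len(payload))
        if hits:
            findings.append((name, hits))
    return findings


def build_sample(filename, size):
    """Constructed test message: zero bytes as payload, example.com addresses."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "sample", "a@example.com", "b@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(bytes(size), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The double extension is treated as the required trait because the description says it is always present; the name word and the exact size only raise confidence in a match.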

Action

Once in a system, the worm places a copy of itself in the Windows system folder. This file has a random name and an .exe extension. Below are some of the file names observed during testing:

  • C:\WINDOWS\SYSTEM\HHOM.EXE
  • C:\WINDOWS\SYSTEM\VAAJ.EXE

To secure its automatic execution after every system start-up, it adds the value "%set of randomly chosen characters%" = %randomly named file%.EXE to the registry entry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

For example,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\llw = hhom.exe

The procedure is repeated when the worm places copies of itself in the start-up folder of a local drive and on network shares.

Then the worm creates encrypted .dll and .dat files in the Windows folder. The file names are randomly generated by the worm and may be, for example, DDGUJUG.DLL or FFKQPQK.DLL. They do not contain any malicious code.

Once in a system, the worm attempts to terminate some popular anti-virus programs and firewalls. Dr.Web anti-virus is not on the list of processes the worm tries to kill, which is why the Doctor Web for Windows scanner keeps working smoothly and ensures the unconditional detection of the worm files placed in a start-up folder of the system registry. Nor does the worm affect the operation of the Spider Guard resident monitor, which will block the worm's attempts to penetrate the computer at the mail receipt stage should the mailbox receive a message infected with the worm.

Attention! If the Doctor Web scanner intercepts Win32.HLLM.Bugbear in a system, we strongly recommend running a full scan of the computer in order to remove all copies of the worm present, including those in the start-up folder.

The worm also opens TCP port 36794 and listens for commands from the virus originator over the Internet. This Trojan component of the worm enables it to upload and download files to and from the compromised system, initiate arbitrary commands, and run or terminate executables.