Recent viruses in emails - some form of bugbear? (Community: 'Yes')
Thread poster: Rishi Miranhshah

Rishi Miranhshah  Identity Verified
English to Panjabi
+ ...
Jun 6, 2003

Since yesterday, I'm receiving other translators' mails in my inbox, not intended for me. The attachments are blocked by my anti-virus for being potentially harmful - file extensions are .scr
The mails appear to be genuine mails (quoting translation rates...)
My second concern is whether they're reaching their intended recipients.

Does anyone have an idea, if it's some form of a virus trying to multiply???


smorales30  Identity Verified
Local time: 20:31
English to Spanish
+ ...
Yes, it is... Jun 6, 2003

Check the mcafee.com website. What you explain here fits their description of how Bugbear spreads... Be careful!


Uldis Liepkalns  Identity Verified
Latvia
Local time: 21:31
Member (2003)
English to Latvian
+ ...
Yes, it is Jun 6, 2003

Tanatos, aka Bugbear:

I-Worm.Tanatos.b (aka Bugbear.b)
Tanatos.b is a worm virus spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine.
The worm itself is a Windows PE EXE file about 72KB in length when compressed by UPX and encrypted over UPX compression. The decompressed size is about 170KB. The worm's code is written in Microsoft Visual C++.
Tanatos.b has the following text strings in its body:
w32shamur
W32.Shamur
tanatos
Installing
While installing, the worm copies itself to the Windows start-up directory under a random name. No registry keys are affected.
The worm also creates following files in the Windows system directory:
gpflmvo.dll - keylogger DLL (about 6K of size)
zpknpzk.dll - its internal data file
shtchs.dll - its internal data file
Tanatos also creates the following file in the Windows directory:

%rnd name%.dat - its internal data file
and the next file in the Temp directory:
vba%rnd%.tmp file - worm installed copy

Spreading
To send infected messages the worm uses a built-in SMTP engine. The worm searches for victim emails in the following files on the available disks:
*.ODS, INBOX.*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX
The infected messages have different Subject, Body, and File Attachment names that are selected from many variants:
Subject:

The file attachment name is randomly selected by several methods:
1. The worm looks for *.INI files in ??? and in case a "%filename%.INI" file is found, the worm sends itself with the "%filename%.%ext" name where %ext% is randomly selected from the list: ".scr", ".pif", ".exe".
2. The worm randomly selects attached file names from following variants:
readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data

The file name extension is also randomly selected from the same variants:
".scr", ".pif", ".exe".
3. The worm looks for *.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files and uses their full names as the %filename% for the infected attachment. In this case they have double extensions, for example:
doc1.doc.exe
euro.gif.scr
table.xls.pif

4. "setup.exe"

The infected emails randomly carry the IFrame security breach that runs upon opening an infected email. In the rest of the messages the worm activates only when a user clicks on the attached file.
Infecting EXE files
While infecting a file the worm writes itself to the end of the file. The worm's copy is "incorporated" into the victim machine's file structure as a "standard" .EXE file in the "Program Files" directory. Copy names include:
winzipwinzip32.exe
kazaakazaa.exe
ICQIcq.exe
DAPDAP.exe
Winampwinamp.exe
AIM95aim.exe
LavasoftAd-aware 6Ad-aware.exe
TrillianTrillian.exe
Zone LabsZoneAlarmZoneAlarm.exe
StreamCastMorpheusMorpheus.exe
QuickTimeQuickTimePlayer.exe
WS_FTPWS_FTP95.exe
MSN Messengermsnmsgr.exe
ACDSee32ACDSee32.exe
AdobeAcrobat 4.0ReaderAcroRd32.exe
CuteFTPcutftp32.exe
FarFar.exe
Outlook Expressmsimn.exe
RealRealPlayerrealplay.exe
Windows Media Playermplayer2.exe
WinRARWinRAR.exe
adobeacrobat 5.0readeracrord32.exe
Internet Exploreriexplore.exe

in Windows directory:
winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe

Infecting - networks
The Tanatos.b worm enumerates all network resources, then copies itself to the start-up folders of available resources (drives) using random .EXE names or the name "setup.exe". The worm also looks for "standard" .EXE files (the same list as above) on shared resource drives, and infects them.
Backdoor
Tanatos.b opens port 1080 and, on the master's request:
- reports disk and file info
- copies, deletes requested file
- reports active applications
- terminates requested application
- runs local file
- receives a file from master and runs it
- logs keyboard and sends it to master
- opens HTTP server

Other
Tanatos.b terminates active debuggers, anti-virus and firewall processes:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE
VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE
TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE
SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE
RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE
PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE
NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE
NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE
JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE
ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE
FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE
F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE
DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE
CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE
AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE
AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE
AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE
_AVPM.EXE _AVPCC.EXE _AVP32.EXE LOCKDOWN2000.EXE



[Edited at 2003-06-06 22:08]


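The write-up quoted above gives the attachment-naming rules the worm follows: an executable extension from ".scr", ".pif", ".exe", often stacked on top of a document name so the lure reads as "euro.gif.scr" or "table.xls.pif". Below is an added example, not part of the thread and not Kaspersky's or any vendor's code, of a small Python checker that applies those rules to an .eml message the way a mail gateway or a cautious recipient could. The extension sets and the sample message are constructed here for illustration; the message mimics what the thread describes (a harvested sender address, a body lifted from a real translation document, a double-extension attachment).

```python
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extensions the Tanatos.b/Bugbear.b description lists for its attachments.
EXEC_EXTS = {".scr", ".pif", ".exe"}

# Document-type extensions the worm borrows to build double extensions
# (the list in the write-up plus a few common ones; an assumption here).
DOC_EXTS = {".bmp", ".doc", ".gif", ".jpg", ".rtf", ".xls", ".txt", ".pdf"}


def classify_attachment_name(name):
    """Return the reasons an attachment name matches the Bugbear-style lure
    pattern. An empty list means no finding."""
    reasons = []
    lower = name.strip().lower()
    base, ext = posixpath.splitext(lower)
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
        # Split once more: "table.xls.pif" -> base "table.xls" -> inner ".xls"
        inner_ext = posixpath.splitext(base)[1]
        if inner_ext in DOC_EXTS:
            reasons.append(
                f"double extension {inner_ext}{ext} disguising an executable as a document"
            )
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, reasons)] for every
    attachment whose name matches the lure pattern."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue  # unnamed parts are not covered by the naming rules
        reasons = classify_attachment_name(name)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed sample message resembling the mails described in the thread.
    Addresses and content are invented; the 'MZ' bytes are not a real program."""
    msg = EmailMessage()
    msg["From"] = "harvested.sender@example.com"   # found on the infected machine, not the real sender
    msg["To"] = "translator@example.com"
    msg["Subject"] = "Re: translation rates"
    msg.set_content("Our rates for EN>ES are ...")  # body taken from a victim's document
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="table.xls.pif")
    msg.add_attachment(b"%PDF-", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in scan_message(build_sample()):
        print(f"{filename}: {'; '.join(reasons)}")
```

Note that the check deliberately ignores the From address: as a later post in this thread explains, both addresses are harvested from the infected machine, so the apparent sender is not evidence of anything.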

Sherey Gould  Identity Verified
Local time: 12:31
German to English
the email text comes from the person's own document file Jun 6, 2003

yes - happened to me yesterday (FROM a client - better that than the other way around!). The (long) text of the email message referred to a legitimate subject that I am familiar with from the company, so naturally I assumed it was okay. My Norton program stopped me from opening the email's attachment. Only much later did I get another email from the client explaining they had a virus.
The bug apparently picks a document the user has stored on their computer in the "My Documents" file at random and uses that document as the text inserted into the email message. (that "at random" part, IMHO, is the scariest thing about it...I mean, don't we all have things in that file NOT meant for general consumption!!)
Hope you can clear everything up quickly.



Dinorah Maria Tijerino-Acosta
Local time: 14:31
English to Spanish
+ ...
So, how do you get rid of it? Jun 7, 2003

even with my antivirus, I was infected two days ago. It's the first time that I am infected, therefore, I am a little confused about what I have to do.

regards,

Dinorah



two2tango  Identity Verified
Argentina
Local time: 16:31
Member
English to Spanish
+ ...
Before you kill the sender read this Jun 7, 2003

It is important to know that the apparent virus sender is most probably innocent. I found this information that could help avoid many a misunderstanding:

"The BugBear.b worm looks for e-mail addresses in resident files in the infected computer and then uses them to generate both the "From" and the "To" fields of the mail it uses to propagate itself.

In other words, when you get an infected mail, it doesn't mean that the apparent sender's computer is infected. In fact it means that both addresses (To and From) were found in the infected computer. "
Source:
http://www.alertalab.com.ar/alertalab/default.asp
(a good on-line free Spanish-language virus report)



Uldis Liepkalns  Identity Verified
Latvia
Local time: 21:31
Member (2003)
English to Latvian
+ ...
Re: So, how do you get rid of it? Jun 7, 2003

Try to visit www.kaspersky.com
They promised to release a free downloadable disinfector tool by yesterday evening, so it should be there and available.

Sinc.- Uldis

Dinorah María Tijerino-Acosta wrote:

even with my antivirus, I was infected two days ago. It's the first time that I am infected, therefore, I am a little confused about what I have to do.

regards,

Dinorah



Clarisa Moraña  Identity Verified
Argentina
Local time: 16:31
Member (2002)
English to Spanish
+ ...
Try this link Jun 7, 2003

Dinorah María Tijerino-Acosta wrote:

even with my antivirus, I was infected two days ago. It's the first time that I am infected, therefore, I am a little confused about what I have to do.

regards,

Dinorah


Dinorah, try to fix it by downloading from the following link:
http://securityresponse.symantec.com/avcenter/FixBugb.exe

Regards,
Clarisa Moraña



Dinorah Maria Tijerino-Acosta
Local time: 14:31
English to Spanish
+ ...
Thanks a lot Jun 8, 2003

I'll try it!

Regards,

Dinorah

Thanks a lot, I tried it and it worked perfectly. The virus also infected me with a "Trojan" virus so along with the instructions given by Symantec I also got rid of it. Thanks a lot!

Regards,

Dinorah

[Edited at 2003-06-08 01:25]


Spencer Allman
United Kingdom
Local time: 19:31
Finnish to English
Hold on, though Jun 8, 2003

Hi

This is an updated version of the bugbear virus and the downloadable product that has been available for months does not seem to detect it. Do we wait for KASPERSKY to have ready a fix-it tool, or what else can be done I wonder?

regards

Spencer



Fiona Nóvoa
Portugal
Local time: 19:31
Member (2003)
Portuguese to English
+ ...
BugBear Jun 8, 2003

Hi Dinorah,

I've also had trouble with bugbear but I received an email from the Panda Antivirus programme telling me how to get rid of any problems.

Take a look at the Panda site because it worked for me:
http://www.pandasoftware.com


Regards,

FiBi



Uldis Liepkalns  Identity Verified
Latvia
Local time: 21:31
Member (2003)
English to Latvian
+ ...
Kaspersky promised removal tool by Thursday or Friday evening, Jun 9, 2003

so it should be available.

Uldis

Spencer Allman wrote:

Hi

This is an updated version of the bugbear virus and the downloadable product that has been available for months does not seem to detect it. Do we wait for KASPERSKY to have ready a fix-it tool, or what else can be done I wonder?

regards

Spencer


xxxSimplyMe
English to German
www.symantec.com has that removal tool Jun 9, 2003

Symantec.com offers a free detection and removal tool.
You need to specify an email address - but download and scan starts immediately after entering - so you don't have to specify your real address... (Maybe good to know...)


Charlotte Blank  Identity Verified
Local time: 20:31
Czech to German
+ ...
Readiris.DUS.exe 97k Byte Jun 17, 2003

This is what I got from an agency under the title of "Tools for your business". Being cautious I did not open it but asked the sender if he had sent it to me - and he told me that he had a virus... I tried SimpleMe's hint of McAfee and it seems that my computer has not been infected (yet). But anyway, it seems that all one can do is to be on one's guard all the time and not to trust anybody (which, in my opinion, is a quite dreadful outlook).
