VIRUS ALERT- W32/Bugbear.b@MM

Discussion in 'Open Chat' started by the_alliance, Jun 6, 2003.

Thread Status:
Not open for further replies.
  1. the_alliance

    the_alliance Rocket Ranger

    Joined:
    Dec 2, 2002
    Location:
    California, United States
    (It's really long, and you might not need all that stuff, but I'm posting it anyway, just in case you do.) THE FOLLOWING IS THE OFFICIAL INFO from the McAfee website:

    -- June 05, 2003 --
    Due to a further increase in prevalence, the risk assessment of this threat has been upgraded to High. AVERT has received a large number of truncated samples. These are damaged and do not infect. The next DAT release will contain detection of these samples as W32/Bugbear.b.dam. Additionally, samples have been received that suggest the virus can mail the encrypted keylog file during its propagation routine.
    -----------------------------------------------------------------

    This is a complex worm that contains many different elements:

    Mass-mailer
    Network Share Propagator
    Keylogger
    Remote Access Trojan
    Polymorphic Parasitic File Infector
    Security Software Terminator

    Mass-mailing

    This worm emails itself to addresses found on the local system (in files and email messages). This goes for both the TO and FROM fields. Thus the sender address is spoofed, or forged, and not a direct indication of an infected user. It extracts addresses from file names containing these strings:

    .DBX
    .EML
    INBOX
    .MBX
    .MMF
    .NCH
    .ODS
    .TBB

    The default SMTP server specified in the Internet Account Manager is used to send messages:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager

    The virus code contains email subject strings and attachment names. However, the original variant of this virus typically mailed using information not present in the virus, suggesting that there is a higher probability of the virus using words and filenames contained on the infected system (including those from old email messages). Possible message subject lines include the following (however, other random subject lines are also possible):

    25 merchants and rising
    Announcement
    bad news
    CALL FOR INFORMATION!
    click on this!
    Correction of errors
    Cows
    Daily Email Reminder
    empty account
    fantastic
    free shipping!
    Get 8 FREE issues - no risk!
    Get a FREE gift!
    Greets!
    Hello!
    Hi!
    history screen
    hmm..
    I need help about script!!!
    Interesting...
    Introduction
    its easy
    Just a reminder
    Lost & Found
    Market Update Report
    Membership Confirmation
    My eBay ads
    New bonus in your cash account
    New Contests
    new reading
    News
    Payment notices
    Please Help...
    Re: $150 FREE Bonus!
    Report
    SCAM alert!!!
    Sponsors needed
    Stats
    Today Only
    Tools For Your Online Business
    update
    various
    Warning!
    wow!
    Your Gift
    Your News Alert

    The message body varies and may contain fragments of files found on the victim's system (including old email messages). The attachment name also varies, but may contain the following strings:

    Card
    Docs
    image
    images
    music
    news
    photo
    pics
    readme
    resume
    Setup
    song
    video

    Followed by an extension:

    .exe
    .pif
    .scr

    Filename may also be taken from files found in the personal folder as denoted in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

    It is common for the attachment name to contain a double-extension (i.e. .doc.pif). Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2). Gateway scanners will detect samples using this exploit as Exploit-MIME.gen. or Exploit-MIME.gen.exe with the 4213 DATs (or higher).

    Installation

    The worm copies itself to the START UP folder using a random file name (such as):

    Win98 : C:\WINDOWS\Start Menu\Programs\Startup\BSFS.EXE
    2k Pro : C:\Documents and Settings\(username)\Start Menu\Programs\Startup\BSFS.EXE

    Network share propagation

    The worm attempts to copy itself to the Startup folder of remote machines on the network (as *.EXE - described above).

    Keylogging

    The virus installs a keylogger DLL, which it uses to capture typed keystrokes. The name of this DLL is random, contains 7 characters followed by .dll and is placed in the SYSTEM (%SysDir%) directory. Two other files, using similar names, are also placed there. These other files contain encrypted, captured information. A small randomly named .dat file is placed in the WINDOWS (%WinDir%) directory.

    Remote Access Trojan

    The worm listens on TCP Port 1080 for commands, allowing a remote attacker to gain access to the compromised system.

    Parasitic File Infecting

    The virus attempts to infect specific executables. It retrieves the path to the Program Files directory from the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir

    It also tries to infect the following files:

    hh.exe
    mplayer.exe
    notepad.exe
    regedit.exe
    scandskw.exe
    winhelp.exe
    ACDSee32\ACDSee32.exe
    Adobe\Acrobat 4.0\Reader\AcroRd32.exe
    adobe\acrobat5.0\reader\acrord32.exe
    AIM95\aim.exe
    CuteFTP\cutftp32.exe
    DAP\DAP.exe
    Far\Far.exe
    ICQ\Icq.exe
    Internet Explorer\iexplore.exe
    kazaa\kazaa.exe
    Lavasoft\Ad-aware 6\Ad-aware.exe
    MSN Messenger\msnmsgr.exe
    Outlook Express\msimn.exe
    QuickTime\QuickTimePlayer.exe
    Real\RealPlayer\realplay.exe
    StreamCast\Morpheus\Morpheus.exe
    Trillian\Trillian.exe
    Winamp\winamp.exe
    Windows Media Player\mplayer2.exe
    WinRAR\WinRAR.exe
    winzip\winzip32.exe
    WS_FTP\WS_FTP95.exe
    Zone Labs\ZoneAlarm\ZoneAlarm.exe

    Security Software Terminating

    ACKWIN32.exe
    ANTI-TROJAN.exe
    APVXDWIN.exe
    AUTODOWN.exe
    AVCONSOL.exe
    AVE32.exe
    AVGCTRL.exe
    AVKSERV.exe
    AVNT.exe
    AVP32.exe
    AVP32.exe
    AVPCC.exe
    AVPCC.exe
    AVPDOS32.exe
    AVPM.exe
    AVPM.exe
    AVPTC32.exe
    AVPUPD.exe
    AVSCHED32.exe
    AVWIN95.exe
    AVWUPD32.exe
    BLACKD.exe
    BLACKICE.exe
    CFIADMIN.exe
    CFIAUDIT.exe
    CFINET.exe
    CFINET32.exe
    CLAW95.exe
    CLAW95CF.exe
    CLEANER.exe
    CLEANER3.exe
    DVP95.exe
    DVP95_0.exe
    ECENGINE.exe
    ESAFE.exe
    ESPWATCH.exe
    F-AGNT95.exe
    FINDVIRU.exe
    FPROT.exe
    F-PROT.exe
    F-PROT95.exe
    F-STOPW.exe
    IAMAPP.exe
    IAMSERV.exe
    IBMASN.exe
    IBMAVSP.exe
    ICLOAD95.exe
    ICLOADNT.exe
    ICMON.exe
    ICSUPP95.exe
    ICSUPPNT.exe
    IFACE.exe
    IOMON98.exe
    JEDI.exe
    LOCKDOWN2000.exe
    LOOKOUT.exe
    LUALL.exe
    MOOLIVE.exe
    MPFTRAY.exe
    N32SCANW.exe
    NAVAPW32.exe
    NAVLU32.exe
    NAVNT.exe
    NAVW32.exe
    NAVWNT.exe
    NISUM.exe
    NMAIN.exe
    NORMIST.exe
    NUPGRADE.exe
    NVC95.exe
    OUTPOST.exe
    PADMIN.exe
    PAVCL.exe
    PAVSCHED.exe
    PAVW.exe
    PCCWIN98.exe
    PCFWALLICON.exe
    PERSFW.exe
    RAV7.exe
    RAV7WIN.exe
    RESCUE.exe
    SAFEWEB.exe
    SCAN32.exe
    SCAN95.exe
    SCANPM.exe
    SCRSCAN.exe
    SERV95.exe
    SPHINX.exe
    SWEEP95.exe
    TBSCAN.exe
    TDS2-98.exe
    TDS2-NT.exe
    VET95.exe
    VETTRAY.exe
    VSCAN40.exe
    VSECOMR.exe
    VSHWIN32.exe
    VSSTAT.exe
    WEBSCANX.exe
    WFINDV32.exe
    ZONEALARM.exe




    Indications of Infection

    - Presence of strange EXE file in the STARTUP folder
    - System listening on TCP Port 1080

    Spawns Print Jobs on Network Printers

    There have been reports from the field that after execution of the virus it sends print jobs to all network printers. Avert has been able to reproduce this in their labs and the worm attempts to print its file contents to network printers.




    Method of Infection

    This virus spreads over the network (via network shares) and by mailing itself (using its own SMTP engine).

    The virus contains a long list of domain names, seemingly for email forging purposes:




    Removal Instructions

    All Users:
    Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

    Alternatives
    The following EXTRA.DAT packages are available. (not required for 4270 DAT users)
    EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT, NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common Files\Network Associates\VirusScan Engine.0.xx)
    or

    SUPER EXTRA.DAT - EXTRA.DAT self installer
    Stand-alone remover (not required for updated McAfee product to detect/remove)
    Stinger has been updated to include detection for this threat.

    McAfee ThreatScan Users:
    To create and execute a task to detect W32/Bugbear.b do the following:

    Create a new Resource Discovery Task
    Edit the settings of this task
    Edit the Task Option, Host IP Range to include all desired machines to scan
    Unselect all of the Resource Discovery Options except Port Scan (TCP)
    Enter 1080 in the TCP Port Ranges field
    Execute the scan

    To view a report that shows infected machines do the following:

    After the scan has run and the event data has been collected run the Resource Discovery Report and wait for the customization dialog to appear
    On the Task/Date Selection tab select the Resource Discovery scan you created to detect W32/Bugbear.b (above)
    On the Filter Options tab select to show all machines in each subsection
    On the Display Options tab unselect everything except Display TCP Port Scan.
    Generate the report
    Machines listed without TCP Port Scan results are not vulnerable
    Machines listed with TCP Port Scan results are listening on TCP Port 1080 (they may be infected or there may be a legitimate service listening on that port).

    Sniffer Users: A Sniffer filter to detect W32/Bugbear.b@MM has been made available for Sniffer Portable 4.7.

    Additional Windows ME/XP removal considerations




    Aliases

    Bugbear.B (F-Secure), PE_BUGBEAR.B (Trend), W32.Bugbear.B@mm (Symantec), W32.Kijmo, W32.Shamur, Win32.Bugbear.B (CA)
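
A mail-gateway style triage of the attachment and subject traits listed in the post above, as an added example that is not part of the original post or of McAfee's advisory. The function names, verdict labels and sample messages are constructed for illustration, and the media-type mismatch check is an assumed heuristic for MS01-020-style messages, not a rule taken from the advisory.

```python
"""Triage inbound mail for the W32/Bugbear.b@MM traits listed in the advisory."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Copied from the advisory: attachment extensions and attachment name strings.
EXEC_EXTS = (".exe", ".pif", ".scr")
NAME_STRINGS = ("card", "docs", "image", "images", "music", "news", "photo",
                "pics", "readme", "resume", "setup", "song", "video")
# A subset of the advisory's subject lines. The advisory says random subjects
# are also possible, so a subject hit is only a weak, supporting signal.
KNOWN_SUBJECTS = {"announcement", "bad news", "greets!", "hello!", "hi!",
                  "just a reminder", "warning!", "wow!", "your gift",
                  "your news alert"}
# Assumed heuristic: an executable file name declared under a media type that
# is normally rendered rather than run.
NON_EXEC_MAINTYPES = {"audio", "image", "text", "video"}


def attachment_flags(filename, maintype):
    """Return the set of advisory traits shown by one attachment."""
    flags = set()
    lower = filename.strip().lower()
    stem, dot, ext = lower.rpartition(".")
    if not dot or "." + ext not in EXEC_EXTS:
        return flags                      # not one of the three extensions
    flags.add("executable-extension")
    _, inner_dot, inner_ext = stem.rpartition(".")
    # ".doc.pif" style names; padding spaces before the real extension are
    # stripped so "photo.jpg   .scr" is still caught.
    if inner_dot and re.fullmatch(r"[a-z0-9]{1,4}", inner_ext.strip()):
        flags.add("double-extension")
    if any(s in stem for s in NAME_STRINGS):
        flags.add("listed-name-string")
    if maintype in NON_EXEC_MAINTYPES:
        flags.add("mime-type-mismatch")
    return flags


def triage_message(raw):
    """Parse a raw RFC 5322 message; return (verdict, list of reasons)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject on advisory list")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            flags = attachment_flags(name, part.get_content_maintype())
            reasons.extend(f"{name}: {flag}" for flag in sorted(flags))
    # Sender and subject are forged or random, so only the attachment decides.
    hit = any(r.endswith("executable-extension") for r in reasons)
    return ("quarantine" if hit else "pass"), reasons


def build_sample(subject, filename, maintype, subtype):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed test body")
    m.add_attachment(b"placeholder bytes, not a program",
                     maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Your News Alert", "resume.doc.pif", "image", "jpeg"),
        build_sample("Hello!", "report.pdf", "application", "pdf"),
    ]
    for raw in samples:
        verdict, reasons = triage_message(raw)
        print(verdict, reasons)
```
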
     