Internet.com

ISP-Planet


Bugbear/Tanatos E-mail Worm Detected

A mass-mailing worm targeting Windows systems, with keylogging and backdoor capabilities, is squirming in the wild, and software security experts are warning that it actively turns off anti-virus programs before spreading.

by Ryan Naraine
of internetnews.com
[October 2, 2002]

According to a very detailed advisory from F-Secure, the Bugbear/Tanatos worm copies itself to the Windows System directory under a random name (JFMV.EXE, for example) and adds a startup key to the Registry.

F-Secure said the worm also drops a keylogging component into the Windows System folder as a DLL file with a randomly generated name (ZLQPUPP.DLL, for example). It also creates two more DLL files there, in which it stores encrypted data, and two randomly named DAT files in the root Windows folder.

The Bugbear/Tanatos worm's messages can contain an iFrame exploit that allows it to run automatically on some computers as soon as an infected e-mail is viewed. Microsoft has fixed that bug and issued a patch on its website.

F-Secure, which provides anti-virus, file encryption, and network security software for the enterprise market, said the worm spreads in e-mail messages as an attachment with a randomly generated name and one or more extensions.

"Subjects and bodies of infected e-mails are also different. The mass-mailing routine is quite complex," the company said, noting that it is enough to delete all the worm's files from an infected hard drive and restart the system.

"If the worm is in a network environment, the network should be temporarily taken down and all systems have to be disinfected separately. Otherwise the worm will try to re-infect already cleaned systems," F-Secure warned.

After an infected system is cleaned, the company recommends that all logins and passwords be changed, as they could have been compromised by the worm's password-stealing component.

"It is also recommended to check infected systems and networks for possible hacker intrusion that could have been performed through the backdoor component of the worm," F-Secure added.

The company said Bugbear/Tanatos continuously looks for and terminates processes, listens on port 36794, and can provide access to an infected system, and to the network it is connected to, via an internal backdoor component.

The Bugbear/Tanatos worm, first detected on Monday, September 30, also has local network spreading capabilities. It enumerates network resources and tries to locate the \Start Menu\Programs\Startup\ folder on remote systems. If that path is found, the worm copies itself there under a random name. When the remote system is restarted, the worm's file gets control and infects that system, F-Secure warned.

"The backdoor component allows an attacker to access an infected system through a web-based interface. The worm generates HTML pages on-the-fly when an attacker browses directories on an infected remote computer," the company warned, adding that the worm allows an attacker to get information about an infected system: operating system, processor type, and fixed and network drives.

"The worm has password stealing capabilities. It installs a keylogging component to a system, records keystrokes and saves them into a file. Then the worm sends this file to a few e-mail addresses that are stored in encrypted form in the worm's body. The SMTP server names that the worm uses to send the files are also stored in encrypted form in the worm's body," F-Secure added.
