Oslo, 1 October 2002
Norman ASA (www.norman.com), a world leader in the field of data security, today warns against a fast-spreading e-mail worm, W32/Bugbear.A@. The worm appears as a normal e-mail and spreads through networks and e-mail. It also installs a backdoor on the infected system, listening on port 36794, which gives an attacker access to that system. In addition, the worm looks for and terminates components belonging to several antivirus and firewall programs.
This is an email worm written in Visual C and compressed using UPX to a file size of 50688 bytes.
General characteristics
Type: Worm
Alias: W32/Tanat
Spreading mechanism: Email, network
Email characteristics
Subject: Variable
Body: Variable
Attachment: Variable
Destructivity
Medium
Payload
Adds a backdoor to the infected system, anti-antivirus capabilities
Spreading mechanism
When run, the worm will install itself in the Windows system directory under a random name, and add a registry key to point to itself:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce [filename]
It also installs a randomly named backdoor component in the Windows system directory. The worm then attempts to spread via mail and network resources. It sends itself to email addresses it finds in various sources on the infected system.
The worm has a number of names and text strings that it may use to compose mails; in addition, it may reply to mails in the user's inbox and reuse text from there. When spreading over network shares, it looks for startup directories on remote machines and copies itself there.
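A triage sketch for the two host indicators described above (an added example, not Norman's code): it scans saved `reg query` and `netstat -an` output for a RunOnce value that launches an executable directly from the Windows system directory and for a listener on port 36794. The sample text, the function names and the System/System32 path pattern are constructed assumptions; a RunOnce match is a lead to investigate, not proof of infection.

```python
import re

BACKDOOR_PORT = 36794  # backdoor listener port named in the advisory
RUNONCE = r"hklm\software\microsoft\windows\currentversion\runonce"
# Assumption: "Windows system directory" means System or System32 under the Windows root.
SYSDIR_EXE = re.compile(r"^[a-z]:\\win(dows|nt)\\system(32)?\\[^\\]+\.exe\b", re.I)

def runonce_hits(reg_query_output):
    """Return (value name, path) for HKLM RunOnce values that start an .exe
    located directly in the Windows system directory."""
    hits, in_key = [], False
    for line in reg_query_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line = registry key header
            key = line.strip().lower().replace("hkey_local_machine", "hklm")
            in_key = key == RUNONCE
            continue
        if in_key:  # indented line = "name  TYPE  data"
            parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
            if len(parts) == 3 and parts[1].upper() in ("REG_SZ", "REG_EXPAND_SZ"):
                path = parts[2].lstrip('"')
                if SYSDIR_EXE.match(path):
                    hits.append((parts[0], path))
    return hits

def backdoor_listeners(netstat_output, port=BACKDOOR_PORT):
    """Return local addresses in LISTENING state on the backdoor port."""
    found = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                found.append(f[1])
    return found

# Constructed sample input (not taken from a real infected host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    qxtz    REG_SZ    C:\WINDOWS\System32\qxtz.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /silent
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING
  TCP    0.0.0.0:36794    0.0.0.0:0      LISTENING
  TCP    10.0.0.5:1043    10.0.0.9:36794    ESTABLISHED
"""

if __name__ == "__main__":
    print("RunOnce leads:", runonce_hits(SAMPLE_REG))
    print("Listeners on backdoor port:", backdoor_listeners(SAMPLE_NETSTAT))
```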
Norman Virus Control with definitions files from September 30th or later detects this worm. Users are encouraged to update their Norman Virus Control protection to the most recent version.
For detailed information about this threat, visit: www.norman.com
For further information, please contact
Norman ASA, VP Marketing Bjørn A. Windfeldt, tel. +47 67 10 97 76, mob. +47 41 53 97 76