Bugbear
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.
Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.
W32/Bugbear-A is a network-aware worm. W32/Bugbear-A spreads by sending emails containing attachments and by locating shared resources on your network to which it can copy itself.
Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.
The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)
If the worm activates, several new files will appear on your computer. Their names consist of letters of the alphabet randomly chosen by the worm. You will find:
xxx.EXE (usually 50688 bytes) in the Startup folder
yyyy.EXE (usually 50688 bytes) in the System folder
zzzzzzz.DLL (usually 5632 bytes) in the System folder
The two EXE files are executable copies of the worm. The DLL is a keystroke logging tool which is used by the worm when it is activated. This means that it logs what you type, and allows passwords and credit card numbers to be recorded.
The worm not only adds itself to the Startup folder, but also adds an entry to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
This means that the worm will be reactivated when your computer is rebooted.
The worm is written in Microsoft Visual C++ 6 and is compressed with UPX v0.76.1-1.22.
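A triage sketch for the file indicators listed above, added here as an example and not taken from the vendor write-ups: it flags letter-only file names with the stated sizes in the Startup and System folders and notes whether an EXE carries UPX section names. The function names and the folder arguments are assumptions; the sizes are the "usual" ones from this page, so a hit is a lead to examine and the RunOnce registry key still has to be checked separately.

```python
from pathlib import Path

# Sizes this page gives as "usually"; treat matches as leads, not verdicts.
EXE_SIZE = 50688
DLL_SIZE = 5632


def _has_upx_sections(path):
    """True if the PE header area names the UPX sections (UPX0/UPX1)."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    return head[:2] == b"MZ" and b"UPX0" in head and b"UPX1" in head


def _scan(folder, role, wanted):
    """Yield findings for letter-only file names whose suffix and size match."""
    for entry in sorted(Path(folder).iterdir()):
        stem = entry.stem
        if not entry.is_file() or not (stem.isascii() and stem.isalpha()):
            continue
        suffix = entry.suffix.lower()
        if wanted.get(suffix) != entry.stat().st_size:
            continue
        yield {
            "path": str(entry),
            "folder": role,
            "kind": suffix.lstrip("."),
            # Only the EXE copies are checked for packing.
            "upx": suffix == ".exe" and _has_upx_sections(entry),
        }


def find_bugbear_candidates(startup_dir, system_dir):
    """Return files matching the name/size pattern described for Bugbear."""
    findings = list(_scan(startup_dir, "startup", {".exe": EXE_SIZE}))
    findings += _scan(system_dir, "system", {".exe": EXE_SIZE, ".dll": DLL_SIZE})
    return findings


if __name__ == "__main__":
    import sys
    # Usage: script.py <Startup folder> <System folder>
    for hit in find_bugbear_candidates(sys.argv[1], sys.argv[2]):
        print(hit)
```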
AKA: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: Worm
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, UNIX, Linux
Source: SOPHOS (http://www.sophos.com/virusinfo/analyses/w32bugbeara.html)