VIRUS ALERT No. 129 - Friday, June 6, 2003.

I-Worm.Tanatos.b (aka Bugbear.b)

Tanatos.b is a worm virus spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine.

The worm itself is a Windows PE EXE file about 72KB in length in its distributed form: it is compressed with UPX and then additionally encrypted on top of the UPX compression. The decompressed size is about 170KB. The worm's code is written in Microsoft Visual C++.

Tanatos.b has the following text strings in its body:

                             w32shamur
                             W32.Shamur
                             tanatos

Installing

When installing, the worm copies itself to the Windows start-up directory under a random name. No registry keys are modified, so the start-up folder copy is its only persistence mechanism.

The worm also creates the following files in the Windows system directory:

                             gpflmvo.dll - keylogger DLL (about 6KB in size)
                             zpknpzk.dll - its internal data file
                             shtchs.dll  - its internal data file

Tanatos also creates the following file in the Windows directory:

                             %rnd name%.dat - its internal data file

and the following file in the Temp directory:

                             vba%rnd%.tmp - installed copy of the worm
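As an added example (not code from the original alert), the following Python sweep looks for the installation artifacts listed above on a mounted Windows tree: the three named DLLs in the system directory, .dat candidates directly in the Windows directory (the name is random, so these are only candidates for review), vba*.tmp copies in Temp, and any executable sitting in a start-up folder, which is where the worm persists since it touches no registry keys. The directory locations are parameters because they differ between Windows 9x and NT-family installs; the sample tree is constructed inline and is not a real capture, and the .scr/.pif extensions for the start-up copy are an assumption beyond the .EXE the alert states.

```python
import tempfile
from pathlib import Path
from typing import List, Tuple

# Support-file names the alert lists for the Windows system directory.
SYSTEM_DLLS = {"gpflmvo.dll", "zpknpzk.dll", "shtchs.dll"}
# Extensions a start-up-folder copy could carry; only .exe is stated in the alert,
# the other two are an assumption.
EXEC_EXTS = {".exe", ".scr", ".pif"}

Finding = Tuple[str, str]   # (category, file name)


def sweep_host(windows_dir: Path, temp_dir: Path, startup_dirs: List[Path]) -> List[Finding]:
    """Report Tanatos.b installation artifacts under the given (caller-supplied) locations."""
    findings: List[Finding] = []
    if not windows_dir.is_dir():
        return findings
    # Named keylogger/data DLLs in System (9x) or System32 (NT family).
    for sysname in ("System", "System32"):
        sysdir = windows_dir / sysname
        if sysdir.is_dir():
            for p in sysdir.iterdir():
                if p.is_file() and p.name.lower() in SYSTEM_DLLS:
                    findings.append(("system-dll", p.name))
    # %rnd name%.dat: random name, so .dat files directly in the Windows dir are only candidates.
    for p in windows_dir.iterdir():
        if p.is_file() and p.suffix.lower() == ".dat":
            findings.append(("dat-candidate", p.name))
    # vba%rnd%.tmp copy of the worm in the Temp directory.
    if temp_dir.is_dir():
        for p in temp_dir.iterdir():
            n = p.name.lower()
            if p.is_file() and n.startswith("vba") and n.endswith(".tmp"):
                findings.append(("temp-copy", p.name))
    # Random-name executable in a start-up folder (the worm's only persistence).
    for d in startup_dirs:
        if d.is_dir():
            for p in d.iterdir():
                if p.is_file() and p.suffix.lower() in EXEC_EXTS:
                    findings.append(("startup-exe", p.name))
    return findings


def make_sample_tree() -> Path:
    """Constructed layout imitating an infected Windows 9x install (sample data, not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="tanatos_sample_"))
    win = root / "WINDOWS"
    system = win / "System"
    startup = win / "Start Menu" / "Programs" / "StartUp"
    temp = win / "Temp"
    for d in (system, startup, temp):
        d.mkdir(parents=True)
    (system / "gpflmvo.dll").write_bytes(b"\0" * 6 * 1024)                 # keylogger DLL, "about 6KB"
    (system / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 30)              # benign neighbour, must not be flagged
    (startup / "kjwq.exe").write_bytes(b"MZ" + b"\0" * (72 * 1024 - 2))    # random-name start-up copy, ~72KB
    (startup / "Office Startup.lnk").write_bytes(b"L" * 32)               # shortcut, not an executable
    (temp / "vba3f1a.tmp").write_bytes(b"MZ" + b"\0" * 30)                 # vba%rnd%.tmp copy
    return root


def sweep_sample() -> List[Finding]:
    """Run the sweep over the constructed tree; used for the demo below."""
    win = make_sample_tree() / "WINDOWS"
    return sweep_host(win, win / "Temp", [win / "Start Menu" / "Programs" / "StartUp"])


if __name__ == "__main__":
    for category, name in sweep_sample():
        print(f"{category}: {name}")
```

On a live NT-family host the start-up folder lives under each user profile, so pass every profile's folder in the list; a hit on a named DLL is conclusive, while a .dat candidate or a lone start-up executable needs the file inspected (size around 72KB, MZ header) before it is treated as the worm.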

Spreading

To send infected messages the worm uses its own built-in SMTP engine. It harvests victim email addresses from the following file types on all accessible disks:

                             *.ODS, INBOX.*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX

The infected messages have varying Subject lines, bodies and attachment names, each selected from many variants:

                            Subject:

                            The file attachment name is randomly selected by several methods:

                            1. The worm looks for *.INI files in ??? and, if a "%filename%.INI" file is found, sends itself under the name "%filename%.%ext%", where %ext% is randomly selected from the list: ".scr", ".pif", ".exe".

                            2. The worm randomly selects the attachment name from the following variants:

                             readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data

                            The file name extension is again randomly selected from the same three variants:

                            ".scr", ".pif", ".exe".

                            3. The worm looks for *.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files and uses their full
                                names as the %filename% part of the infected attachment. The result is a
                                double extension, for example:

                             doc1.doc.exe
                             euro.gif.scr
                             table.xls.pif

                            4. "setup.exe"

                            Some of the infected emails carry the IFrame exploit, which runs the attachment as soon as
                            the message is opened (or previewed) in a vulnerable email client. In the remaining messages
                            the worm is activated only when the user opens the attached file.
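As an added example (not code from the original alert), the following Python mail-gateway check turns the four naming methods above into a classifier and applies it to every attachment of a raw message, alongside a check for the IFrame auto-run trick. Assumptions: the set of "other" document extensions for method 3 is extended beyond the five the alert names, and the IFrame trick is assumed to take the form of an <iframe> whose src is a cid: reference to the attachment, since the alert does not quote the HTML. The sample message is constructed inline and is not a real capture.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional

# Executable extensions the worm attaches itself under (from the description).
WORM_EXTS = {".scr", ".pif", ".exe"}

# Fixed base names from method 2, compared case-insensitively.
WORM_BASENAMES = {
    "readme", "setup", "card", "docs", "news", "image", "images", "pics",
    "resume", "photo", "video", "music", "song", "data",
}

# Document extensions the worm borrows for double-extension names (method 3).
# The description says "and other files", so this set is an assumption; extend it as needed.
DOC_EXTS = {".bmp", ".doc", ".gif", ".jpg", ".rtf", ".xls", ".txt", ".pdf"}

# Assumed shape of the IFrame auto-run trick: an <iframe> whose src is a cid: reference
# to the attachment. The alert does not quote the HTML, so treat this as a hypothesis.
IFRAME_CID = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.IGNORECASE)


def classify_attachment(name: str) -> Optional[str]:
    """Return why an attachment name matches Tanatos.b's naming methods, or None."""
    lowered = name.lower().strip()
    if "." not in lowered:
        return None
    stem, ext = lowered.rsplit(".", 1)
    ext = "." + ext
    if ext not in WORM_EXTS:
        return None
    if lowered == "setup.exe":                       # method 4
        return "fixed name setup.exe"
    if "." in stem:                                  # method 3: doc1.doc.exe, euro.gif.scr
        inner = "." + stem.rsplit(".", 1)[1]
        if inner in DOC_EXTS:
            return f"double extension {inner}{ext}"
    if stem in WORM_BASENAMES:                       # method 2: photo.pif, readme.scr
        return f"known base name {stem!r} with {ext}"
    # Method 1 reuses arbitrary *.INI stems, so it cannot be told apart from any other
    # executable attachment by name; report the generic case and let policy decide.
    return f"executable attachment {ext}"


def scan_message(raw: bytes) -> List[str]:
    """Walk a raw RFC 822 message and report matching attachment names and the cid: iframe."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            reason = classify_attachment(filename)
            if reason:
                findings.append(f"attachment {filename}: {reason}")
        elif part.get_content_type() == "text/html":
            if IFRAME_CID.search(part.get_content()):
                findings.append("html body: <iframe> pointing at a cid: attachment (auto-run trick)")
    return findings


def build_sample() -> bytes:
    """Constructed message (not a real Tanatos.b capture) carrying both tricks."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hello"
    msg.set_content("see the attached file")
    msg.add_alternative(
        '<html><body><iframe src="cid:part1" width=0 height=0></iframe></body></html>',
        subtype="html",
    )
    msg.add_attachment(b"MZ" + b"\0" * 14, maintype="application",
                       subtype="octet-stream", filename="euro.gif.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print(line)
```

Because method 1 produces arbitrary names, the practical gateway policy this implies is to quarantine every .scr/.pif/.exe attachment and use the more specific reasons (double extension, known base name, setup.exe) only to prioritise analyst review.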

Infecting EXE files

When infecting a file the worm writes its own code to the end of the host file. It does not infect arbitrary executables; it looks for a fixed list of "standard" .EXE files under the "Program Files" directory and infects those. The targeted names include:

                             winzip\winzip32.exe
                             kazaa\kazaa.exe
                             ICQ\Icq.exe
                             DAP\DAP.exe
                             Winamp\winamp.exe
                             AIM95\aim.exe
                             Lavasoft\Ad-aware 6\Ad-aware.exe
                             Trillian\Trillian.exe
                             Zone Labs\ZoneAlarm\ZoneAlarm.exe
                             StreamCast\Morpheus\Morpheus.exe
                             QuickTime\QuickTimePlayer.exe
                             WS_FTP\WS_FTP95.exe
                             MSN Messenger\msnmsgr.exe
                             ACDSee32\ACDSee32.exe
                             Adobe\Acrobat 4.0\Reader\AcroRd32.exe
                             CuteFTP\cutftp32.exe
                             Far\Far.exe
                             Outlook Express\msimn.exe
                             Real\RealPlayer\realplay.exe
                             Windows Media Player\mplayer2.exe
                             WinRAR\WinRAR.exe
                             adobe\acrobat 5.0\reader\acrord32.exe
                             Internet Explorer\iexplore.exe

                            and in the Windows directory:

                             winhelp.exe
                             notepad.exe
                             hh.exe
                             mplayer.exe
                             regedit.exe
                             scandskw.exe
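An appending infector leaves data past the end of the PE image, so a triage check for the files listed above is to compute where the last section's raw data ends and see whether the file continues beyond it. The Python below is an added example (not code from the original alert, and not a reconstruction of the worm's own patching, which the alert describes only as writing to the end of the file). It parses the section table, accounts for the one legitimate reason a file has bytes past its sections (an Authenticode certificate table, recorded in the security data directory), and builds a constructed single-section PE in memory as sample input.

```python
import struct
from typing import Optional

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
SECURITY_DIRECTORY_INDEX = 4   # data directory entry for the Authenticode certificate table


def pe_image_end(data: bytes) -> Optional[int]:
    """Offset of the first byte after the PE image: past the last section's raw data, or past
    the certificate table if the file is signed. Returns None if data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    sect_off = opt_off + size_opt
    if size_opt < 2 or sect_off > len(data):
        return None
    end = sect_off + 40 * num_sections          # the headers themselves are part of the image
    for i in range(num_sections):
        hdr = sect_off + 40 * i
        if hdr + 40 > len(data):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)   # SizeOfRawData, PointerToRawData
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+).
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 112)
    entry = dd_off + 8 * SECURITY_DIRECTORY_INDEX
    if entry + 8 <= sect_off:
        cert_off, cert_size = struct.unpack_from("<II", data, entry)   # a file offset, not an RVA
        if cert_off and cert_size and cert_off >= end:
            end = max(end, cert_off + cert_size)
    return end


def overlay(data: bytes) -> Optional[bytes]:
    """Bytes appended after the image: b'' for a clean file, None if data is not a PE."""
    end = pe_image_end(data)
    if end is None:
        return None
    return data[end:] if end < len(data) else b""


def build_minimal_pe(section_bytes: bytes = b"\xC3" * 16, certificate: bytes = b"") -> bytes:
    """Constructed single-section PE32 image used as sample input (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC) + b"\0" * (size_opt - 2)
    ptr_raw = 0x200
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes), ptr_raw, 0, 0, 0, 0, 0x60000020)
    body = bytearray((dos + coff + opt + sect).ljust(ptr_raw, b"\0") + section_bytes)
    if certificate:   # record the table in the security directory, as a signed file would
        struct.pack_into("<II", body, e_lfanew + 24 + 96 + 8 * SECURITY_DIRECTORY_INDEX,
                         len(body), len(certificate))
        body += certificate
    return bytes(body)


if __name__ == "__main__":
    clean = build_minimal_pe()
    print("clean overlay:", overlay(clean))
    print("appended overlay:", overlay(clean + b"WORM-BODY"))
```

Run `overlay()` over the listed paths under "Program Files" and the Windows directory; a non-empty result on one of those names warrants a closer look, whereas the same check over every executable on a disk will also flag self-extracting archives and installers, which legitimately keep their payload in the overlay.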

Infecting networks

The Tanatos.b worm enumerates all network resources, then copies itself into the start-up folders of accessible shared drives, either under a random .EXE name or as "setup.exe". The worm also looks for the "standard" .EXE files listed above on shared drives and infects them.

Backdoor

                            Tanatos.b opens port 1080 and takes commands from its remote "master"; the backdoor can:

                            - report disk and file information
                            - copy and delete requested files
                            - report running applications
                            - terminate a requested application
                            - run a local file on the master's request
                            - receive a file from the master and run it
                            - log keystrokes and send the log to the master
                            - open an HTTP server

Other

Tanatos.b terminates running debugger, anti-virus and firewall processes with the following names:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
LOCKDOWN2000.EXE

The Tanatos.b worm also collects cached passwords and sends them to its "master".





ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.




IMPORTANT NOTICE: ALL those who are receiving this advice and in the "name" field find 'FAILED' and a 6 or 8 digit figure after it should be advised that at least once, emails to that address have been received back by us. As the list of subscribers now exceeds 100,000, and since this is a free service, we kindly urge you to become a registered subscriber to this service and ensure delivery by subscribing under a reliable email address. WE REGRET THAT AFTER THIS ISSUE, ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.


DISCLAIMER:

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST

PLEASE ALSO NOTE THE FOLLOWING:

1) You are currently SUBSCRIBED to our mailing list

2) If you are receiving more than one copy of this warning please click here

3) If you DO NOT wish to receive anymore of these alerts, please click here

4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be sent to the Webmaster by themselves so that a record of all requests can be kept in case somebody cries "SPAM"! Simply click here and send the email as it appears.

5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY

FABIAN ENTERPRISES LTD.

AND THERE WILL NEVER BE ANY CHARGE FOR IT.

6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL NEVER BE SOLD, EXCHANGED OR IN ANY WAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
  ******

Fabian Brincat
Webmaster
Fabian Enterprises Ltd.



FABIAN ENTERPRISES LTD.
18-20, MSIDA ROAD,
GZIRA. GZR 1401.
MALTA.
TELEPHONE: (++356) 21 31 32 83 or 21 32 08 45
FAX: (++356) 21 33 80 87
 
E-MAIL CONTACT
sales@fabian.com.mt

©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.

All Trade names and Trade marks are hereby acknowledged as being the property of the Registered Owners






260603/100904