I-Worm.Tanatos (a.k.a BugBear)
This virus rated number 1 in the October 2002 Virus Top Twenty with a 44.9% of registered incidences
Tanatos, also known as BugBear is a worm virus spreading via the Internet as an attachment to infected emails. The worm also copies itself over local networks to segments open for full access and runs backdoor and PSW trojan routines.
The Tanatos worm itself is a Windows PE EXE file about 50KB in length (it is compressed by the UPX utility), and written in Microsoft Visual C++.
The infected messages have different Subjects, Bodies, and Attached file names.
The worm sends messages of two types (which it randomly selects).
In first case, in order to run from the infected message the worm exploits
the IFrame security breach (as a result the worm activates when a message
is being opened or previewed in vulnerable (victim) systems). In the second
case the worm does not use "breach tricks" and the attached worm copy activates
from infected email only in case a user clicks on the attached file. The
Tanatos worm got its name from the text string appearing in its code:
Project Tanatos
Installing
While installing the worm copies itself to the Windows system directory
under a random name and registers itself in the system registry auto-run
key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
The worm's EXE filename depends on the C: volume name, for example:
FYOM.EXE
YOK.EXE
The worm also places a DLL file in the Windows system directory under a random name and uses this file to 'spy' on and record all keyboard input.
Spreading: Emails
To send infected messages Tanatos uses a direct connection to the
default SMTP server. Victim email addresses are gotten from the following
file types:
*.ODS, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX,
*INBOX*
The Tanatos worm searches for these files in the system and extracts
email-like strings from them.
The Subject field is selected from the following variants:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
Additionally, the message Subject can be randomly selected by "Tanatos" from a randomly selected disk file.
The message Body is randomly selected by Tanatos from a randomly selected disk file.
The attached file name is also randomly selected and it may have
a double extension, for example:
filename.XLS.SCR
Spreading: Network
Tanatos enumerates network resources shared for writing, looks for
the startup folder and copies its file to this folder (if found).
This routine has a bug and the worm also sends copies of itself to shared network printers.
Backdoor
The backdoor routine opens port 36794 where it then listens for
"master" commands (from the person or people who are controlling it). The
backdoor routine grants control over infected machines, giving those who
control Tanatos the ability to send/receive/copy/execute files, terminate
processes, send out user info. etc.
Tanatos also opens the HTTP server on infected machines, doing this offers a WEB interface with which to manipulate infected machines.
PSW Trojan
The worm also has a trojan routine that sends user info and cached
passwords to several email addresses that are encrypted in the worm body.
Other
Tanatos also attempts to shut down a host of security programs and
antivirus measures, including many personal firewall programs and most
popular antivirus scanning engines.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
081002/011102/100904/051004
