W32/Bugbear has been the main protagonist of this week’s virus activity, followed, to a lesser extent, by two variants of W32/Opaserv.
W32/Bugbear spreads via e-mail (in a message which is very difficult to identify as its subject, contents and the name of the attached file change on each infection) and across shared network drives. This worm affects several antivirus programs and firewalls in order to leave the computer defenseless against other viruses and attacks.
Since W32/Bugbear spreads across resources shared on a network, it might flood printers by printing its binary code. The worm also takes advantage of a known Internet Explorer vulnerability, which could allow attached files to be run automatically by simply viewing messages through Outlook’s preview pane. Finally, it uses port 36794 to establish remote connections.
The other two malicious codes we will look at here are W32/Opaserv and W32/Opaserv.D, which spread across shared network drives and try to connect to a web page in order to download updates of themselves. To carry out infection, both these files create a file called SCRSVR.EXE in the Windows directory, which contains the infection code. W32/Opaserv.D also generates a file named TMP.INI in the root directory of the hard disk and enters a command in the WIN.INI file in order to run itself.
Finally, W32/Opaserv looks for network addresses as well as some random IP addresses, and makes calls to port 137. On getting a response, it spreads through port 139, copying itself to the remote computer’s C:\Windows directory.