Weekly Virus Report – Rodok and Bugbear Worms

This week’s virus report focuses on two worms, Rodok, which spreads via MSN Messenger and Bugbear, which has continued to be a major source of infections in the last week.

Over the last seven days, Bugbear (W32/Bugbear) has held first place in the ranking of the most virulent malicious code compiled from data provided by Panda ActiveScan, the free, online virus scanner from Panda Software. This worm is designed to send itself as a file attached to an e-mail. As both file name and the e-mail subject and message text vary from one infection to another, this virus is particularly difficult for users to recognize.

Bugbear can open port 36794 in the affected computer, as well as paralyzing antivirus and firewall applications. In this way, Bugbear opens a backdoor which could give an attacker remote access to the computer.

W32/Bugbear is 50688 bytes in size (when the file containing the virus is UPX compressed) and is written in Visual C. It also drops a ‘dll’ file in the affected computer, which actually contains a Trojan called Trj/PSW.Bugbear. This Trojan is designed to intercept keystrokes on the computer.

The other worm we are looking at here is Rodok (W32/Rodok.A). This spreads via MSN Messenger and uses what has been dubbed ‘social engineering’, sending a message that tries to trick users into downloading a program from a website.

Rodok then tries to download two files from the Internet, which it saves to the hard disk under the names: update35784.exe and hehe2397824.exe. These files contain a backdoor Trojan, which could allow an attacker to take remote control of the affected machine.