Weekly Report on Viruses and Intrusions – Bugbear.C, Variants S and T of Netsky and Sober.F

Bugbear.C mails itself out to all the addresses it finds in the affected computer’s Outlook Address Book and in files with the following extensions: ODS, MMF, NCH, MBX, EML, TBB and DBX. The subject of the message that carries the worm includes texts that try to draw the recipient’s attention: “Payment notices”, “Just a reminder”, “Announcement”, “Please Help…”, “Report click on this!”, “SCAM alert!!!”, “Warning!”, “Your Gift” , “good news!”, etc. This e-mail also contains an attached file with a ZIP or HTM extension.

Bugbear.C installs a keylogger-type Trojan on the affected computer, stealing information from the machine and sending it to the virus author. It also ends processes belonging to security programs -including antivirus solutions for home users and corporate networks- and prevents them from running, which leaves affected computers vulnerable to attacks from other malware.

The next worms we will look at are Netsky.T and Netsky.S, two very similar variants of Netsky, which share the following characteristics:

– They spread via e-mail in a message written in English with variable subject and text lines. This message always includes an attached file with a PIF extension.
– Attempt to launch DoS (Denial of Service) attacks against several web pages, between April 14 and 23 inclusive.
– Create a mutex called SyncMutex_USUkUyUnUeUtU in order to ensure that only a copy of the worm is run simultaneously.

We will finish today’s report with Sober.F, a worm that spreads via e-mail in a message written in English or German, depending on the extension of the recipient’s mail address domain. This malicious code searches for e-mail addresses in files with several specific extensions, and sends itself out to those addresses using its own SMTP engine.