Aliases

Email-Worm.Win32.Tanatos.a (Kaspersky Lab) is also known as: I-Worm.Tanatos.a (Kaspersky Lab), W32/Bugbear.b.dll.gen (McAfee),   Keylogger.Trojan (Symantec),   Win32.HLLM.Bugbear.2 (Doctor Web),   W32/Bugbear-B (Sophos),   TrojanSpy:Win32/Bugbear.B (RAV),   Worm/BugBear.B.dll (H+BEDV),   W32/Keylog (FRISK),   I-Worm/Bugbear (Grisoft),   Trojan.KeyLogger.BugBear.B (SOFTWIN),   Trojan.PWS.Hooker (ClamAV),   Trj/PSW.Bugbear.B (Panda),   Win32/Bugbear.B (Eset)

Description added	Jun 05 2003
Behavior	Email Worm

Technical details

Tanatos.a, also known as BugBear.a is a worm virus spreading via the Internet as an attachment to infected emails. The worm also copies itself over local networks to segments open for full access and runs backdoor and PSW trojan routines.

The Tanatos worm itself is a Windows PE EXE file about 50KB in length (it is compressed by the UPX utility), and written in Microsoft Visual C++.

The infected messages have different Subjects, Bodies, and Attached file names.

The worm sends messages of two types (which it randomly selects). In first case, in order to run from the infected message the worm exploits the IFrame security breach (as a result the worm activates when a message is being opened or previewed in vulnerable (victim) systems). In the second case the worm does not use "breach tricks" and the attached worm copy activates from infected email only in case a user clicks on the attached file. The Tanatos worm got its name from the text string appearing in its code:

Project Tanatos

Installing
While installing the worm copies itself to the Windows system directory under a random name and registers itself in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 FYOM.EXE
 YOK.EXE

The worm also places a DLL file in the Windows system directory under a random name and uses this file to 'spy' on and record all keyboard input.

Spreading: Emails
To send infected messages Tanatos uses a direct connection to the default SMTP server. Victim email addresses are gotten from the following file types:

 *.ODS, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX,
*INBOX*

The Tanatos worm searches for these files in the system and extracts email-like strings from them.

The Subject field is selected from the following variants:

Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!

Additionally, the message Subject can be randomly selected by "Tanatos" from a randomly selected disk file.

The message Body is randomly selected by Tanatos from a randomly selected disk file.

The attached file name is also randomly selected and it may have a double extension, for example:

 filename.XLS.SCR

Spreading: Network
Tanatos enumerates network resources shared for writing, looks for the startup folder and copies its file to this folder (if found).

This routine has a bug and the worm also sends copies of itself to shared network printers.

Backdoor
The backdoor routine opens port 36794 where it then listens for "master" commands (from the person or people who are controlling it). The backdoor routine grants control over infected machines, giving those who control Tanatos the ability to send/receive/copy/execute files, terminate processes, send out user info. etc.

Tanatos also opens the HTTP server on infected machines, doing this offers a WEB interface with which to manipulate infected machines.

PSW Trojan
The worm also has a trojan routine that sends user info and cached passwords to several email addresses that are encrypted in the worm body.

Other
Tanatos looks for the following applications and tries to terminate them: