New worm pretends to be a BugBear antidote
Romanian company SOFTWIN, a developer of BitDefender line of Anti Virus products, warns of a new worm that is trying to mask itself as an antidote to the infamous BugBear. The worm comes as an attached zip file in an e-mail message with this characteristics:
From: Alerta_RaPida boletin@viralert.net
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
Attachment: protect.zip
When the user starts the attached protect.exe, the following message will be shown:
Screenshot courtesy of BitDefender.com
If the OK button is pressed, the vorm renames the original regedit.exe file to m_regedit.exe and copies itself as regedit.exe. Also a key with a full path to protect.exe is added to:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunXRF
Disguising itself as regedit.exe, when the user will try to run regedit.exe it will delete the above registry key (so the user cannot detect it by looking to that registry key) and when the program is closed it will write back the registry value.
The worm also reads information about the Internet Settings and steals e-mail addresses from Windows Address Book. BitDefender researchers noted that the following files are created in the System directory: PrTecTor.exe (the worm), m_prgrm.zip (attachment for the infected emails), m_Base64.xrf (attachment encoded in Base64 format) and m_WAB.xrf (list of e-mail addresses).