Anti-Virus | AntiBugBear Removal Tool
Date: 04/27/2004 11:46 AM
Size: 60 KB
Requires: Win All
Downloads: 31100 times
When first executed, the worm drops a copy of itself into the %system% folder under a random file name and registers that file to run at every system startup via the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key. It then modifies the key "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial" so that the default internet connection is dialed automatically.
The worm then drops three files in the %system32% folder: one is the keyboard hook DLL (detected as Trojan.Keylogger.Bugbear.B), and the other two are used to collect information about the computer.
The worm includes anti-antivirus techniques: it attempts to terminate several anti-virus and firewall products by calling the TerminateProcess API. Processes are enumerated differently on the two major Win32 platforms (using the toolhelp32 functions when supported, otherwise the psapi functions).
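Because the dropped copy uses a random file name, the Run key and EnableAutodial changes described above are easier to triage by location and value than by name. The following is an added example, not part of the removal tool or the original page: it parses a registry export in .reg text format and lists entries for review. The sample export, the value name "qzkv", the assumed system folder paths and the dword/hex encodings of EnableAutodial are constructed assumptions.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Executable sitting directly in the Windows system folder (assumed default install paths).
SYSTEM_EXE = re.compile(r'^[a-z]:\\(windows|winnt)\\system(32)?\\[^\\]+\.exe', re.I)

# Constructed sample export; "qzkv" stands in for a randomly named copy.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"qzkv"="C:\\WINDOWS\\system32\\qzkv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial"=dword:00000001
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: raw data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def triage(text):
    """List Run entries launching from the system folder and an enabled autodial."""
    keys = parse_reg(text)
    findings = []
    for name, raw in keys.get(RUN_KEY.lower(), {}).items():
        if raw.startswith('"'):  # string value; .reg escapes backslashes as \\
            path = raw.strip('"').replace("\\\\", "\\")
            if SYSTEM_EXE.match(path):
                # Legitimate software also starts from here: review, do not auto-delete.
                findings.append(("run-entry-in-system-dir", name, path))
    raw = keys.get(INET_KEY.lower(), {}).get("EnableAutodial", "")
    kind, _, data = raw.partition(":")
    if kind in ("dword", "hex") and int(data.replace(",", "") or "0", 16) != 0:
        findings.append(("autodial-enabled", "EnableAutodial", raw))
    return findings
```
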