The Worm Returns

06 Jun 2003
Virus News


A new version of the Tanatos (aka Bugbear) Internet worm has been detected Kaspersky Lab, an international data security software developer, reports the detection of a new version of the 'Tanatos' Internet worm - Tanatos b (aka Bugbear.b). The new version of this malicious program has an array of dangerous functions. Tanatos.b can infect the executable files of many programs as well as cause the leakage of confidential information. Presently, numerous incidences of infection at the hands of Tanatos.b have been registered. The Tanatos.b Internet worm spreads via e-mail as a file attachment. The e-mail message itself can have various subjects, message texts, and file attachment names. Infection occurs when the file attachment harboring the malicious code is activated, once this happens the spreading routine is begun. There are several ways to launch the hazardous file: via the IFRAME breech in the Internet Explorer security system (which starts the worm upon message opening), manually when a user opens the infected file attachment or through local area networks. When installing, Tanatos.b copies itself under random file names into the Windows registry auto-run keys, creates files in the Windows system directory as well as copies itself into the Windows directory and temp files directory. Next the worm starts its spreading routine using the built-in SMTP engine. To send itself out via e-mail, Tanatos.b looks for e-mail addresses by scanning the available drives for files with the following extensions: *.ODS, .INBOX*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX. Tanatos.b has several dangerous functions. It infects the executable files in the Windows operation system. In the list of objects infected by Tanatos.b there are executable files from many other popular programs including: Outlook Express, Internet Explorer, WinZip, the KaZaA file sharing system, ICQ and MSN Messenger. Additionally, the new version of Tanatos has the ability to function as a backdoor program, allowing the virus's creator to control infected machines and gain access to confidential information. To accomplish this, the worm opens port 1080, through which it can do the following:
  • Transfer hard drive data
  • Copy, open, and delete files
  • Inform about active applications and to close them
  • Load files from remote computers and send keyboard log reports to the virus author
  • Setup an http server
The first version of the Tanatos Internet worm was detected in September 2002. At that time Tanatos caused a huge number of infections the world over. The worm combined the functionality of an Internet worm with that of a Trojan program, making it an exceptionally dangerous program capable of leaking out confidential information. Tanatos.b is a Windows exe file with an approximate size of 72 kilobytes when packed with the UPX compression utility and additionally encoding. It is written in Microsoft Visual C++. More detailed information about the Tanatos.b network worm can be found in the Kaspersky Anti-Virus Encyclopedia by clicking Here. The defense against Tanatos.b has already been added to the Kaspersky® Anti-Virus database.