Virus Tanatos (BugBear)
Tanatos is a mass-mailing worm.
It spreads by sending emails containing attachments and by locating shared resources on the network to which it can copy itself. The worm does not handle network resource types properly, so it may flood shared printer resources, causing them to print garbage or disrupting their normal functionality.
The worm exploits an IFRAME vulnerability in Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. This allows an executable attachment to run automatically, even if a user does not double-click on the attachment.
The worm adds itself to the Startup folder, and also adds an entry to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
This means that the worm will be reactivated when the computer is rebooted.
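To review the two autostart locations named above on a machine, the following PowerShell lists every RunOnce value and every file in the Startup folders, with signature status and hash for triage. This is an added example, not AnVir Software code; the function names are hypothetical, and it assumes PowerShell 4 or later and covers only the current user's and the all-users Startup folders.

```powershell
# Added example: inventory the RunOnce key and the Startup folders.
$runOnce = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-RunOnceEntry {
    param([string]$Path = $runOnce)
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    # Windows deletes RunOnce values after running them at boot, so a value
    # that is present again after every reboot is being re-added by something.
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Location = $Path
            Name     = $name
            Target   = [string]$key.GetValue($name)
        }
    }
}

function Get-StartupFolderEntry {
    # Per-user Startup folder of the current account, plus the all-users one.
    $folders = [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in ($folders | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $folder -File -Force |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
                [pscustomobject]@{
                    Location  = $folder
                    Name      = $_.Name
                    Target    = $_.FullName
                    Created   = $_.CreationTime
                    Signature = $sig.Status   # shortcuts and scripts are reported as unsigned or unknown
                    SHA256    = $hash.Hash
                }
            }
    }
}

Get-RunOnceEntry       | Format-Table -AutoSize
Get-StartupFolderEntry | Format-List
```

Any entry pointing to an unsigned executable that nobody installed deliberately is worth examining further.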
It has keystroke-logging and backdoor capabilities. The worm allows remote users to connect to the infected computer. The connecting remote users may perform any actions on the infected machine: download and execute files, copy/delete files, etc.
The worm also terminates the processes of various antivirus and firewall programs. It does not terminate AnVir Virus Destroyer.
© Copyright 2000-2008 AnVir Software. All Rights Reserved.