Aliases: I-Worm.BabyBear, W32/BabyBear-A
Variants: [email protected], Bloodhound.W32.VBWORM

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 24 Jul 2003
Damage: Low

Characteristics: W32.BabyBear.int is a mass-mailing worm. When executed, it can display a fake but official-looking message with the title "Microsoft Windows Update". The worm was written in Microsoft Visual Basic (VB), so it needs the VB runtime libraries to execute successfully.

More details about W32.Babybear.int

W32.Babybear.int is a worm that sends itself to all the entries saved in the address book. It arrives in the victim's email with one of the following combinations of subject line and message text:

Subject: "Please Confirm"
Message text: "Dear Sir or Madame, We have detected that you have placed an Order for Msn8. Before we start your Service please confirm your order. To confirm your order please check the attachement. Thanks, Microsoft Corporation Support"

Subject: "File You Requested"
Message text: "Hey Here is the file you wanted."

The attachment filename depends on the file name the worm had when it was executed. The worm also displays a message box with the fake error message "Application Error! Missing .Dll File" and displays a picture with references to the Bugbear worm.
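A mail-filter check built from the subject and message-text pairs listed above, as an added example that is not part of the original write-up. The executable-extension list, the function names and the sample messages are assumptions constructed for illustration, since the description does not name the attachment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject/body pairs quoted in the description (matched case-insensitively).
LURES = [
    ("please confirm", "placed an order for msn8"),
    ("file you requested", "here is the file you wanted"),
]
# Assumption: the page gives no attachment name, so flag common Windows
# executable extensions rather than a specific filename.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def _norm(text):
    """Lower-case and collapse whitespace so folded lines still match."""
    return " ".join(str(text).lower().split())

def score_message(raw):
    """Return lure/attachment findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = _norm(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = _norm(part.get_content()) if part is not None else ""
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    lure = any(s in subject and b in body for s, b in LURES)
    execs = [n for n in names if n.lower().endswith(EXEC_EXT)]
    return {"lure": lure, "exec_attachments": execs, "flag": lure and bool(execs)}

def build_sample(subject, body, attachment=None):
    """Construct a test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    msn8 = ("Dear Sir or Madame, We have detected that you have placed an "
            "Order for Msn8. Before we start your Service please confirm your order.")
    for raw in (build_sample("Please Confirm", msn8, "setup.exe"),
                build_sample("File You Requested", "Hey Here is the file you wanted.", "notes.txt"),
                build_sample("Please Confirm", "Can you confirm Friday's meeting?")):
        print(score_message(raw))
```

A message is flagged only when a lure pair and an executable attachment occur together, so an ordinary "Please confirm" email does not trigger it.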

W32.Babybear.int adds certain values to the registry of the compromised system. It also tries to remove the following files: *.dat, *.inf, *.dll, *.sys, *.exp, *.cat, *.txt and *.vxd from the folder C:\Program Files\Common Files\Symantec Shared\VirusDefs\20020227.005, and *.dat from the folder C:\Program Files\Common Files\Symantec Shared\VirusDefs\.

The worm also displays a fake message that supposedly comes from Microsoft. The message says: "Microsoft has just released a patch for all Windows Computers. A security risk has been found in Windows that Viruses, Trojans, or Worms can take advantage of. This patch is urgent. If the problem is not patched then your windows computer could be a security risk! Do you want to Apply Microsoft Patch 0203 Now?"

When users click the 'Close' option, the worm displays another fake pop-up message that says: "Closeing this Message means you will not download the patch. Are you sure you want to cancel downloading the patch?" The worm then tries to delete the files *.dat, *.inf, *.dll, *.sys, *.exp, *.cat, *.txt and *.vxd, this time from the C:\Windows folder.

When users click the 'Continue' option, a pop-up message appears saying: "The Microsoft Patch has already been downloaded Automatically by Microsoft Windows Update Manager. Now, you need to install it. To install the Microsoft Patch Please Click Continue Below". When users click 'Continue' again, the worm displays a pop-up message showing the status of the supposed patch's installation.