Win32.TeddyBear
This is a parasitic Windows virus with backdoor capability. When an infected file is run, the virus installation routine takes control, creates the file DLLMGR.EXE in the Windows system directory and spawns it. DLLMGR.EXE contains pure virus code: it stays resident in Windows memory as a hidden application and registers its own file (DLLMGR.EXE) in the auto-run section of the system registry, which causes Windows to load and run it on every startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Teddybear = "xxxx\DLLMGR.EXE"
where "xxxx" is the name of the Windows system directory.
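As an added defender-side check (example code written for this page, not part of the original write-up), the following Python parses the text of a registry export of the Run key and flags the two indicators described above: a value named "Teddybear", or any auto-run command whose executable is DLLMGR.EXE. The sample export is constructed for illustration; the path C:\WINDOWS\SYSTEM is an assumed system directory.

```python
import re

# Constructed sample of a REGEDIT4-style export of the Run key (not a real capture).
# .reg files double every backslash inside quoted strings.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Teddybear"="C:\\WINDOWS\\SYSTEM\\DLLMGR.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# "name"="data" where both sides may contain backslash-escaped characters
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape_reg_string(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text):
    """Return {value name: command string} for string values under the HKLM Run key."""
    values = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # a new key section starts
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue                          # only the Run key is of interest here
        m = VALUE_RE.match(line)
        if m:
            values[unescape_reg_string(m.group("name"))] = unescape_reg_string(m.group("data"))
    return values


def command_basename(command):
    """Lower-case file name of the executable in an auto-run command line."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split(None, 1)[0] if cmd else "")
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_teddybear_autorun(reg_text):
    """Return (name, command) pairs matching the TeddyBear Run-key indicators."""
    return [(name, cmd) for name, cmd in parse_run_values(reg_text).items()
            if name.lower() == "teddybear" or command_basename(cmd) == "dllmgr.exe"]
```

The basename comparison catches the dropper regardless of which directory the value name "xxxx" expands to, and a renamed value name is still caught by the DLLMGR.EXE check.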
The virus then stays resident in Windows memory and its backdoor routine gains control. This routine opens a network connection and waits for commands from a remote host; it can receive files from and send files to that host, among other actions. The virus can also execute files sent by the host, including an updated copy of itself. Notably, the virus code in DLLMGR.EXE (the file dropped onto the system by the infected file) contains no infection code at all: the infection routine is downloaded from the host and then executed. The infection routine and the other virus routines are therefore stand-alone executable files that the virus author can easily replace. Very similar technology was first used in the Win95_Babylonia Windows virus.
The known virus version and its components are compatible with Win9x only and do not work under WinNT. They also contain bugs that prevent the virus from spreading in some cases. Despite this, the virus author may release new bug-free and NT-compatible components at any time.