Tanatos
Tanatos
Type Multi-vector worm
Creator
Date Discovered 2002.09.30
Place of Origin
Source Language C++
Platform MS Windows
File Type(s) .exe, .pif, .scr
Infection Length 50,688 bytes
Reported Costs $3.9 billion

Tanatos also known as Bugbear is a worm that drops a backdoor/keystroke logger trojan that can allow a cracker access to many parts of the infected computer. The worm has the ability to infect a computer from the preview pane of an unpatched system. It may also send email stored on an infected system to a random email address. It also had the habit of sending information to networked printers that caused them to print nonsense.

Behavior

Tanatos can arrive on a system through email or a network. It uses a few complex methods to avoid being automatically identified as a worm when it arrives in an email attachment. The worm is even more bizarre with regard to its network transmission.

Email Transmission

Tanatos arrives onto a system in an email message that is either a reply to or forward of an existing message, and it also may arrive as a new email message with one of the following subject lines:

  • Greets!
  • Get 8 FREE issues - no risk!
  • Hi!
  • Your News Alert
  • $150 FREE Bonus!
  • Re:, Your Gift
  • New bonus in your cash account
  • Tools For Your Online Business
  • Daily Email Reminder
  • News, free shipping!
  • its easy
  • Warning!
  • SCAM alert!!!
  • Sponsors needed
  • new reading
  • CALL FOR INFORMATION!
  • 25 merchants and rising
  • Cows
  • My eBay ads
  • empty account
  • Market Update Report
  • click on this!
  • fantastic
  • wow!
  • bad news
  • Lost & Found
  • New Contests
  • Today Only
  • Get a FREE gift!
  • Membership Confirmation
  • Report
  • Please Help…
  • Stats
  • I need help about script!!!
  • Interesting…
  • Introduction
  • various
  • Announcement
  • history screen
  • Correction of errors
  • Just a reminder
  • Payment notices
  • hmm..
  • update
  • Hello!

The subject line may be constructed from a randomly selected file on the hard disk of the infected computer. The attachment name could be from a file on the computer that the worm was sent from or it could have one of the following names:

  • Readme
  • Setup
  • Card
  • Docs
  • News
  • Image
  • Images
  • Pics
  • Resume
  • Photo
  • Video
  • Music
  • Song
  • Data

Their extensions are .exe, .scr or .pif. The file name may also be taken from a file on the previously infected computer sending the worm, in which case, it will have a double extension, such as Document.txt.scr. These files can include:

  • .reg
  • .ini
  • .bat
  • .diz
  • .txt
  • .cpp
  • .html
  • .htm
  • .jpeg
  • .jpg
  • .gif
  • .cpl
  • .dll
  • .vxd
  • .sys
  • .com
  • .exe
  • .bmp

A system running Internet Explorer 5.0 or 5.5, the attachment may be run automatically from the preview pane in Outlook or Outlook Express if Explorer is unpatched.

Network Transmission

Tanatos can spread over networks through shared folders. One of its threads continually scans for any shared network resources. It attempts to copy itself as a random file name to that resource. The worm does not discriminate between types of resources, including printers. This can cause an accumulation of print jobs and paper with unintelligable gibberish.

Infection

When Tanatos runs, it copies itself to the Windows System folder as a random string of four letters with a .exe file extension. It also copies itself to the startup folder as Cuu.exe on a Windows 95, 98 or ME system or Cti.exe on a Windows 2000, XP or NT system.

It creates five encrypted files, two encrypted .dat files in the Windows folder (Okkqsa.dat and Ussiwa.dat) and three encrypted .dll files in the Windows System folder (Iccyoa.dll, Lgguqaa.dll, Roomuaa.dll). One of the files contains a password required to establish connection with the backdoor component. Another, detected as the Hooker trojan, monitors keystrokes, which are then sent back to any cracker who can usethe backdoor to access the computer. The other files are encrypted, but non-malicious files that store gathered passwords, email addresses and logged keystrokes.

It then adds a value of random letters and the worm's file name to the local machine registry key that causes the worm to run when the computer starts up.

Tanatos creates four threads. The first of these activates a payload every 30 seconds to stop these processes from running:

  • Zonealarm.exe
  • Wfindv32.exe
  • Webscanx.exe
  • Vsstat.exe
  • Vshwin32.exe
  • Vsecomr.exe
  • Vscan40.exe
  • Vettray.exe
  • Vet95.exe
  • Tds2-Nt.exe
  • Tds2-98.exe
  • Tca.exe
  • Tbscan.exe
  • Sweep95.exe
  • Sphinx.exe
  • Smc.exe
  • Serv95.exe
  • Scrscan.exe
  • Scanpm.exe
  • Scan95.exe
  • Scan32.exe
  • Safeweb.exe
  • Rescue.exe
  • Rav7win.exe
  • Rav7.exe
  • Persfw.exe
  • Pcfwallicon.exe
  • Pccwin98.exe
  • Pavw.exe
  • Pavsched.exe
  • Pavcl.exe
  • Padmin.exe
  • Outpost.exe
  • Nvc95.exe
  • Nupgrade.exe
  • Normist.exe
  • Nmain.exe
  • Nisum.exe
  • Navwnt.exe
  • Navw32.exe
  • Navnt.exe
  • Navlu32.exe
  • Navapw32.exe
  • N32scanw.exe
  • Mpftray.exe
  • Moolive.exe
  • Luall.exe
  • Lookout.exe
  • Lockdown2000.exe
  • Jedi.exe
  • Iomon98.exe
  • Iface.exe
  • Icsuppnt.exe
  • Icsupp95.exe
  • Icmon.exe
  • Icloadnt.exe
  • Icload95.exe
  • Ibmavsp.exe
  • Ibmasn.exe
  • Iamserv.exe
  • Iamapp.exe
  • Frw.exe
  • Fprot.exe
  • Fp-Win.exe
  • Findviru.exe
  • F-Stopw.exe
  • F-Prot95.exe
  • F-Prot.exe
  • F-Agnt95.exe
  • Espwatch.exe
  • Esafe.exe
  • Ecengine.exe
  • Dvp95_0.exe
  • Dvp95.exe
  • Cleaner3.exe
  • Cleaner.exe
  • Claw95cf.exe
  • Claw95.exe
  • Cfinet32.exe
  • Cfinet.exe
  • Cfiaudit.exe
  • Cfiadmin.exe
  • Blackice.exe
  • Blackd.exe
  • Avwupd32.exe
  • Avwin95.exe
  • Avsched32.exe
  • Avpupd.exe
  • Avptc32.exe
  • Avpm.exe
  • Avpdos32.exe
  • Avpcc.exe
  • Avp32.exe
  • Avp.exe
  • Avnt.exe
  • Avkserv.exe
  • Avgctrl.exe
  • Ave32.exe
  • Avconsol.exe
  • Autodown.exe
  • Apvxdwin.exe
  • Anti-Trojan.exe
  • Ackwin32.exe
  • _Avpm.exe
  • _Avpcc.exe
  • _Avp32.exe

The second thread searches for email addresses in files with the extensions:

  • .mmf
  • .nch
  • .mbx
  • .eml
  • .tbb
  • .dbx
  • .ocs

The thread looks up the current user's email address and SMTP server from registry key that stores the address in order to prevent itself from infecting the same machine twice. Tanatos then sends itself to all found email addresses. Sometimes the worm constructs an email address from information taken from the computer for the spoofed Sender line.

Trojan Component

The keylogging .dll file records all keystrokes to the memory. When the user accesses the internet through a dial-up connection, the keystroke logs are sent to these email addresses:

  • moc.xobtsopsih|wahsm#moc.xobtsopsih|wahsm
  • ten.alag|sirhcnnam#ten.alag|sirhcnnam
  • moc.oohay|lbz_ilig#moc.oohay|lbz_ilig
  • moc.xoblaerym|ybhguolliw.c#moc.xoblaerym|ybhguolliw.c
  • ten.1lm|wohldrb#ten.1lm|wohldrb
  • moc.eticxe|9754cs#moc.eticxe|9754cs
  • moc.eticxe|nostawwj#moc.eticxe|nostawwj
  • moc.eticxe|sihcruhcevets#moc.eticxe|sihcruhcevets
  • moc.eticxe|nedabognal#moc.eticxe|nedabognal
  • moc.eticxe|85opocaj#moc.eticxe|85opocaj
  • moc.xoblaerym|rennatcs#moc.xoblaerym|rennatcs
  • moc.adanac|nellisire#moc.adanac|nellisire
  • moc.cam|25oigres#moc.cam|25oigres
  • moc.erviuseriaf|6372ervr#moc.erviuseriaf|6372ervr
  • moc.oohay|q673rz#moc.oohay|q673rz
  • ti.liame|655534t#ti.liame|655534t
  • sa.emllac|fsfdsds#sa.emllac|fsfdsds
  • moc.hcaet|llihxob#moc.hcaet|llihxob
  • rk.ep.nigol|ylkcits#rk.ep.nigol|ylkcits
  • gro.seigga|euqiv#gro.seigga|euqiv
  • moc.tnareg.liam|1002ms#moc.tnareg.liam|1002ms
  • moc.liamgnis|nosliwr#moc.liamgnis|nosliwr

The worm also opens port 36794 and listens for commands from a remote machine. This allows a cracker to retrieve cached passwords in an encrypted form, download and execute a file, find files, delete files, execute files, copy files, write to files, list processes, terminate processes, Retrieve information such as username, type of processor, Windows version, Memory information (amount used, amount free, etc), drive information (types of local drives available, amount of space available on these drives, etc).

Name

Tanatos gets its name from the text string found in the original variant, "Project Tanatos". Tanatos may be a reference to the ancient Greek demon of death, Thanatos (original Greek: &# 920;άνατος). In some languages without the "th" sound, this demon's name is spelled Tanatos.

Its more common name, Bugbear, was originally the name of a legendary monster used to frighten disobedient children, similar to a boogeyman. It has been used as a term for scarecrow. The word has also been used for several other things (usually some form of wild creature) that appear in Harry Potter, Dungeons and Dragons and Final Fantasy as well as several other places.

Antivirus Alias

  • Avira: Worm/BugBear.B.dll
  • ClamAV: Trojan.PWS.Hooker
  • Doctor Web: Win32.HLLM.Bugbear.2
  • Eset: Win32/Bugbear.B
  • F-Prot: W32/Keylog
  • Grisoft: I-Worm/Bugbear
  • Kaspersky Lab: Email-Worm.Win32.Tanatos.a or I-Worm.Tanatos.a
  • McAfee: W32/Bugbear.b.dll.gen
  • Panda: Trj/PSW.Bugbear.B
  • RAV: TrojanSpy:Win32/Bugbear.B
  • Bitdefender: Trojan.KeyLogger.BugBear.B
  • Sophos: W32/Bugbear-B
  • Symantec: W32.Bugbear@mm

Other Facts

Tanatos initially failed to chart, being beaten out by variants of Klez, Yaha, and a few others (Loveletter was still high on the virus/worm charts at the time). By Halloween (October 31) though, Tanatos had overtaken Klez.H as the most common worm. Klez later overtook Tanatos again in 2003 February.

Tanatos was at first said to have originated in Malaysia according to MessageLabs and the Straits Times. Malaysian authorities said that the first reports of the worm were in fact from Malaysia, but there was no confirmation that the worm was in fact created and released originally in Malaysia.

Sources

Michelle Delio. Tech-notes 108, "It's a Bug, a Bear and a Worm". (PDF)

Yana Liu, Serghei Sevcenco. Symantec.com "W32.Tanatos@mm".

Trend Micro, "WORM_Tanatos.A".

Kaspersky Lab. Virus List, Email-Worm.Win32.Tanatos.a.

John Leyden. The Register, Klez-H enjoying its final days on infamy? 2002.10.02

-.-, Worms turn on Win/Linux users 2002.10.07

-.-, Klez-H tops monthly virus charts. Again. 2003.02.28

The Age, No proof Bugbear originated in Malaysia. 2002.10.09

Dr. Sureswaran Ramadass, Dr. Rahmat Budiarto, Mr. Ahmad Manasrah, Mr. M. F. Pasha. jEnterprise Suite For Network Monitoring and Security. (PowerPoint)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License