Virus.Win32.TeddyBear

Class Virus
Platform Win32
Description

Technical Details

This is a parasitic Windows virus with backdoor ability. When an
infected file is run, the virus-installing routine takes control, creates
the DLLMGR.EXE file in the Windows system directory and spawns it. The
DLLMGR.EXE file is pure virus code: it stays in Windows memory as a hidden
application and registers its file (DLLMGR.EXE) in the auto-run section of
the system registry (this causes Windows to load and run the file upon each
startup):

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Teddybear = "xxxx\DLLMGR.EXE"

where “xxxx” is the name of the Windows system directory.

The virus then stays in Windows memory and its “backdoor” routine gains
control. This routine opens a connection and waits for commands from a
remote host, gets/sends files from/to it, etc. The virus is also able
to execute files that are sent by the host (including a virus update). Notably,
the virus code in the DLLMGR.EXE file (dropped to the system by the infected
file) contains no infection code at all. The infecting routine is downloaded from
the host and executed. So the infection and other virus routines are
stand-alone executable files, and they can easily be updated by the virus’
author. Very similar technology was used for the first time in the
Win95_Babylonia Windows virus.
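A host-side check for the indicators described above (the Run-key value, the dropped DLLMGR.EXE and the resident process), added here as an example and not part of the original description. It assumes a modern PowerShell and maps the “Windows system directory” to $env:SystemRoot\System32 (plus the Win9x-style \System folder).

```powershell
# Added defender-side check, not code from the original description.
# Assumptions: modern PowerShell; "Windows system directory" is taken to be
# $env:SystemRoot\System32 or the Win9x-style $env:SystemRoot\System.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Persistence: the "Teddybear" value or any Run entry pointing at DLLMGR.EXE
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $value = [string]$p.Value
        # -match is case-insensitive by default in PowerShell
        if ($p.Name -eq 'Teddybear' -or $value -match 'dllmgr\.exe') {
            $findings += "Run entry '$($p.Name)' in $key -> $value"
        }
    }
}

# 2. Dropped component on disk
foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\System")) {
    $candidate = Join-Path $dir 'DLLMGR.EXE'
    if (Test-Path $candidate) { $findings += "File present: $candidate" }
}

# 3. Resident copy in memory (the hidden application described above)
Get-Process -Name dllmgr -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: $($_.ProcessName) (PID $($_.Id), path $($_.Path))"
}

if ($findings.Count -eq 0) {
    'No Win32.TeddyBear indicators found.'
} else {
    'Win32.TeddyBear indicators:'
    $findings | ForEach-Object { "  $_" }
}
```

Because the infection routine is fetched from the remote host rather than carried in DLLMGR.EXE, a clean Run key and a missing file are the stronger signals; an unexpected outbound connection from a process with this name is what the backdoor paragraph above would lead you to look for next.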

The known virus version and components are compatible with Win9x only and do
not work under WinNT. They also have bugs that stop the virus from spreading in some
cases. Despite this, new bug-free and NT-compatible components may be
released by the virus author.