Bugbear Virus Worm hit us

From: Bruce Speyer (bruce.speyer@medispecialty.com)
Wed, 02 Oct 2002 21:30:51 -0500


This new virus W32/Bugbear@MM hit Synopsys yesterday and caused a bunch of grief even though we use the Enterprise version of Norton Anti-Virus with signatures pushed out daily to all machines.

Among other things it trashed our print servers by sending binary files to all the printers. There is a 3" stack of paper with gibberish next to the printer closest to me.

The signatures to fix this only came out in the last 24-48 hours. My laptop now has the 10/2/2002 version!

I strongly suggest you update your virus signatures.

LAURENCE

>List-Unsubscribe: <mailto:Securemail-off@ventuer.com>
>List-ID: <Securemail.ventuer.com>
>Reply-To: <Securemail@ventuer.com>
>Sender: <Securemail@ventuer.com>
>To: <Securemail@ventuer.com>
>Date: Wed, 02 Oct 2002 14:12:13 -0400
>Subject: Virus & Security Alert, 0 attachments. http:\\www.ventuer.com
>From: <Securemail@ventuer.com> (SecurityAlerts)
>X-Original-Message-ID: <B9C0AF3D.1DE4C%Securityalerts@ventuer.com>
>
>#######################################################
>To be removed from further security or virus notifications send an email
>to: <Securemail-off@ventuer.com>
>#######################################################
>THIS MESSAGE IS A PUBLIC SECURITY NOTICE OFFERED BY
>VENTUER SERVICES, INC. THERE SHOULD BE NO ATTACHMENTS TO
>THIS MESSAGE.
>
>FOR MORE INFORMATION ON CURRENT VIRUS ALERTS, FIXES, AND
>INTERNET SECURITY STRATEGIES.
>CONTACT US THROUGH ANY OF THE FOLLOWING METHODS.
>
>Web page: http://WWW.VENTUER.COM
>Email : INFO@VENTUER.COM
>Phone : 1-877-VENTUER
>
>===============================================
>
>VIRUS ALERT
>
>BUGBEAR
>MASS MAILER + TROJAN + KEYSTROKE LOGGER + ? = ONE HAIRY BEAST
>
>DATE:
>September 30, 2002
>
>ABOUT THE VIRUS
>
>Discovered today, Bugbear (technically known as W32/Bugbear@MM) is a
>perfect example of today's new blended-threat worms. By leveraging
>multiple infection paths, disabling anti-virus (AV) and firewall
>software, and exploiting an Internet Explorer vulnerability, Bugbear
>greatly increases its chance of propagating in the wild. Bugbear can
>also install a backdoor and key-logger, making it one nasty worm.
>
>Bugbear's diverse ways of presenting itself make recognizing it
>troublesome. Anti-virus vendors have reported conflicting details on
>what Bugbear can look like, but they all agree that the e-mail
>Bugbear generates contains a random subject, message body, and
>attachment. McAfee lists some of the possible Subject lines in the
>Virus Characteristics
><http://vil.nai.com/vil/content/v_99728.htm#VirusChar>
>section of their advisory <http://vil.nai.com/vil/content/v_99728.htm>.
>However, Bugbear may use other random subjects as well.
>
>There's conflict over Bugbear's attachment as well. TrendMicro's
>advisory
><http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A>
>states that Bugbear includes either the attachment "Setup.exe" or "3
>July 2002.doc.pif", while McAfee suggests that the worm's attachment
>varies and uses either single or double extensions (e.g.,
>abcd.txt.exe). The only truly distinguishing feature in Bugbear's
>random e-mails is the size of the attachment; exactly 50,688 bytes
>(UPX) <http://upx.sourceforge.net/#overview> compressed.
>
>To further confuse its victims, Bugbear spoofs the "From" header in
>an infected e-mail so that you don't know who really sent you the
>worm. Finally, the Bugbear e-mail exploits a vulnerability
><http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp>
>in Microsoft Internet Explorer 5.01 and 5.5 found in March 2001 that
>allows the worm to auto-infect vulnerable machines immediately after
>your users open or preview infected Bugbear e-mails.
>
>Once it successfully infects a machine, Bugbear really gets busy. It
>first copies itself onto the infected machine as randomly-named .EXE
>files in the Windows System directory. The worm also makes registry
>changes, and adds itself to the Startup folder to ensure that it
>restarts upon reboot. Next, Bugbear spreads by mailing itself to any
>address it can find on your computer and by copying itself over open
>Windows network shares.
>
>Bugbear also attempts to disable many AV and firewall software
>products in hopes of avoiding detection or prevention. McAfee
>includes a full list of the applications Bugbear attempts to disable
>in the Method of Infection
><http://vil.nai.com/vil/content/v_99728.htm#MethodOfInfection>
>section of their advisory.
>
>Finally, Bugbear installs Trojan code and a keystroke logger onto an
>infected machine. The Trojan listens for connections on TCP port
>36794 and allows a remote attacker to take control of your machines.
>The keystroke logger records any keystrokes your users enter, which
>may include passwords, credit cards, and other sensitive
>information. This information can be collected by Bugbear's author
>through the port 36794 Trojan connection.
>
>WHAT YOU CAN DO
>
>Depending upon the version of Internet Explorer (IE) your users run,
>this worm might execute immediately when a user opens the infected
>Bugbear e-mail. However, if you've applied the latest IE cumulative
>patch described in our Information Alert
><https://www3.watchguard.com/archive/showhtml.asp?pack5173>,
>you are safe from the auto-execution feature of this worm.
>
>Even if you are not vulnerable to the worm's auto-execution feature,
>users might still execute the Bugbear attachment manually. We
>recommend that you warn your users not to open e-mail attachments
>they did not specifically request. Bugbear's ability to forge "From"
>headers means it could appear to come from a friend or a stranger.
>Stay particularly vigilant against ".exe" attachments.
>
>If you are using McAfee anti-virus software (like the ASaP software
>that comes with the Firebox family), McAfee has released a .dat file
>that detects Bugbear. If you use another vendor's anti-virus
>software, check for details on their latest update -- all the major
>vendors can block this worm.
>

LAURENCE C. BREVARD http://www.BrevardAndBrevard.com
CELL: (503)708-0268 or email w/o spaces: 503 708 0268@mobile.ATT.net
WORK: (503)547-6088 at SYNOPSYS 2025 NW Cornelius Pass Hillsboro, OR 97124
HOME: (503)629-0501 485 NW 170th Drive, Beaverton, OR 97006-4845
FAX: (503)629-0601, (503)430-1166
OTHER: (503)629-8856, (503)430-1122
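The quoted Ventuer alert gives a handful of concrete indicators a mail admin or responder could act on: a worm body of exactly 50,688 bytes, executable single or double extensions (.exe, .pif, abcd.txt.exe), a forged "From" header that makes the sender useless as evidence, and a backdoor listening on TCP port 36794. The following Python is an added triage example, not code from the mailing-list post or from Ventuer; the mail records and the netstat output it checks are constructed, and the record format is an assumption (a real deployment would feed it from the gateway's attachment log).

```python
"""Triage helpers built only from the indicators quoted in the alert above.

Added example; the MailRecord layout and the sample data are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

BUGBEAR_ATTACHMENT_SIZE = 50_688   # bytes, UPX-compressed worm body (from the advisory)
BUGBEAR_BACKDOOR_PORT = 36794      # TCP listener opened by the Trojan (from the advisory)
EXEC_EXTENSIONS = {"exe", "pif"}   # the two extensions the advisory names


@dataclass
class MailRecord:
    """One attachment as a gateway might log it (assumed layout)."""
    sender: str      # cannot be trusted: the advisory says From is spoofed
    subject: str     # random per message, so not used as an indicator
    attachment: str
    size: int


def executable_extension(filename: str) -> bool:
    """True if the *last* extension is executable, whatever precedes it.

    Splitting on the final dot is what catches double extensions such as
    abcd.txt.exe, which a check on the first dot would miss.
    """
    parts = filename.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] in EXEC_EXTENSIONS


def is_double_extension(filename: str) -> bool:
    """True for names carrying two or more extensions (e.g. 3 July 2002.doc.pif)."""
    return filename.lower().count(".") >= 2


def bugbear_indicators(rec: MailRecord) -> list[str]:
    """Return the indicators this record matches; an empty list means none."""
    hits: list[str] = []
    if rec.size == BUGBEAR_ATTACHMENT_SIZE:
        hits.append("size_50688")
    if executable_extension(rec.attachment):
        hits.append("executable_attachment")
    if is_double_extension(rec.attachment):
        hits.append("double_extension")
    return hits


def triage(records: list[MailRecord]) -> list[tuple[MailRecord, list[str]]]:
    """Keep records that match the size AND carry an executable extension.

    Size alone is not enough (a benign .doc can be 50,688 bytes) and an
    executable alone is not enough (any installer); the advisory's
    distinguishing feature is the combination.
    """
    flagged = []
    for rec in records:
        hits = bugbear_indicators(rec)
        if "size_50688" in hits and "executable_attachment" in hits:
            flagged.append((rec, hits))
    return flagged


# Windows "netstat -an" style rows: Proto, Local Address, Foreign Address, State
_NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def listening_ports(netstat_output: str) -> set[int]:
    """Extract the local TCP ports in LISTENING state from netstat text."""
    return {int(m.group(1)) for line in netstat_output.splitlines()
            if (m := _NETSTAT_LISTEN.match(line))}


def backdoor_listener_present(netstat_output: str) -> bool:
    """True if the port the advisory attributes to the Trojan is listening."""
    return BUGBEAR_BACKDOOR_PORT in listening_ports(netstat_output)


# Constructed sample data for a stand-alone run.
SAMPLE_MAIL = [
    MailRecord("friend@example.com", "hello", "3 July 2002.doc.pif", 50_688),
    MailRecord("hr@example.com", "Q3 report", "report.doc", 50_688),
    MailRecord("unknown@example.com", "setup", "Setup.exe", 51_200),
    MailRecord("colleague@example.com", "notes", "abcd.txt.exe", 50_688),
]
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1052       10.0.0.9:80            ESTABLISHED
"""

if __name__ == "__main__":
    for rec, hits in triage(SAMPLE_MAIL):
        print(f"FLAG {rec.attachment!r} ({rec.size} bytes): {', '.join(hits)}")
    print("backdoor port listening:", backdoor_listener_present(SAMPLE_NETSTAT))
```

Two of the four constructed records are flagged (the .pif and the double-extension .exe at 50,688 bytes); the same-size .doc and the wrong-size Setup.exe are not. The netstat parser is deliberately a separate check: the mail filter tells you what arrived, the listener check tells you whether a host is already compromised, which is the condition under which the advisory's AV-disabling behaviour makes signature updates alone insufficient.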


Last Updated Mon May 19 16:30:41 2008