VIRUS ALERT: Bugbear - Spreading Rapidly!! (edit: now with removal tools)

guyver01

Lifer
Sep 25, 2000
22,135
5
61
SARC
SOPHOS
McAfee

Name: W32/Bugbear-A
Aliases: Tanat, Tanatos
Type: Win32 worm
Date: 30 September 2002


This worm emails itself to addresses found on the local system. Possible message subject lines include the following (however, other random subject lines are also possible):

Found
150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
history screen
hotmail.
I need help about script
Interesting
Introduction
its easy
Just a reminder
Lost
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help
Report
SCAM alert
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
Your Gift
Your News Alert

The message body and attachment name vary. It is common for the attachment name to contain a double-extension (i.e. .doc.pif). Outgoing messages look to make use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).


Indications Of Infection:

Port 36974 open (verify through netstat -an)

Existence of the following files (* represents any character):

%WinDir%\System\%random filename%.EXE (50,688 bytes)
%WinDir%\System\%random filename%.DLL
%WinDir%\System\%random filename%.DLL
%WinDir%\System\%random filename%.DLL
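The indicators in the post above (an attachment name with a double extension, TCP port 36974 listening, and a 50,688-byte .EXE dropped into the Windows System directory) can be turned into simple host checks. The script below is an added example written for this thread; it is not from the original post or from any of the linked vendors. The port and file size come from the post; the function names, the sample netstat text and the files written by demo_size_scan() are constructed for the demonstration.

```python
"""Host-side checks for the Bugbear indicators quoted in the thread.

Added example, not part of the original post. Indicator values (port
36974, 50,688-byte .EXE) are taken from the post; everything else is
constructed for the demonstration.
"""
import os
import re
import shutil
import tempfile

BUGBEAR_PORT = 36974       # backdoor port named in the post
BUGBEAR_EXE_SIZE = 50688   # size of the dropped .EXE named in the post

# Extensions that Windows treats as executable when double-clicked.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}


def is_double_extension_executable(filename: str) -> bool:
    """True for names like 'Announcement.doc.pif': a harmless-looking
    extension immediately followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, middle, last = parts
    return "." + last in EXECUTABLE_EXTS and middle.isalnum()


def listening_on_port(netstat_output: str, port: int = BUGBEAR_PORT) -> bool:
    """Parse 'netstat -an' text and report whether a TCP socket is in the
    LISTENING state on the given local port (ip:port and ip.port forms)."""
    pattern = re.compile(r"^\s*TCP\s+\S+[:.](\d+)\s+\S+\s+LISTENING")
    for line in netstat_output.splitlines():
        m = pattern.match(line)
        if m and int(m.group(1)) == port:
            return True
    return False


def find_files_by_size(directory: str, size: int = BUGBEAR_EXE_SIZE,
                       ext: str = ".exe") -> list:
    """Return paths under `directory` whose extension and exact byte size match."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(ext):
                path = os.path.join(root, name)
                try:
                    if os.path.getsize(path) == size:
                        hits.append(path)
                except OSError:
                    continue
    return sorted(hits)


def demo_size_scan() -> list:
    """Build a throwaway directory of constructed files, scan it and
    return the base names that match (expected: ['dropped.exe'])."""
    d = tempfile.mkdtemp()
    try:
        with open(os.path.join(d, "dropped.exe"), "wb") as f:
            f.write(b"\x00" * BUGBEAR_EXE_SIZE)      # right size, right extension
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(b"\x00" * 1024)                  # wrong size
        with open(os.path.join(d, "notes.dll"), "wb") as f:
            f.write(b"\x00" * BUGBEAR_EXE_SIZE)      # right size, wrong extension
        return [os.path.basename(p) for p in find_files_by_size(d)]
    finally:
        shutil.rmtree(d, ignore_errors=True)


# Constructed sample of Windows 'netstat -an' output for the demo.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36974          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1027       192.168.1.1:139        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    print("port 36974 listening:", listening_on_port(SAMPLE_NETSTAT))
    for name in ("Announcement.doc.pif", "report.doc", "setup.exe"):
        print(name, "->", is_double_extension_executable(name))
    print("demo scan:", demo_size_scan())
    windir = os.environ.get("WINDIR")
    if windir:   # only meaningful on a Windows host
        print(find_files_by_size(os.path.join(windir, "System")))
```

On a real host you would feed listening_on_port() the captured output of netstat -an and point find_files_by_size() at %WinDir%\System; the size match alone is weak evidence, so treat a hit as a reason to scan with updated definitions rather than as proof of infection.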
 

aphex

Moderator, All Things Apple
Moderator
Jul 19, 2001
38,572
2
91
Originally posted by: ThePresence
Someone give this man a sticky!

** aphexII begins to methodically st.....

Oooooo, you meant for the thread...
 

guyver01

Lifer
Sep 25, 2000
22,135
5
61
Originally posted by: aphexII
Originally posted by: ThePresence
Someone give this man a sticky!

** aphexII begins to methodically st.....

Oooooo, you meant for the thread...

:Q

I do NOT want to know what you thought he meant..
 
Jan 31, 2002
40,819
2
0
Where's the damned sticky on this?

Special notice - this will definitely fux0r campus students - all it takes is one airhead to run it, then it spreads over network shares. Oi.

- M4H
 

guyver01

Lifer
Sep 25, 2000
22,135
5
61
This is definitely a biggie... musta had 20 morons... er.... customers... call in tonight infected with this.

when will people learn!!

W32.Bugbear@mm is a mass-mailing worm. It can also spread through Network shares. It has backdoor capabilities.

It is written in Microsoft Visual C/C++ programming language and compressed with UPX.

UPDATE: Symantec has issued a liveupdate today, so Bugbear must be a significant threat!! Also, I just got this from McAfee Dispatch:

McAfee.com has seen a growing number of computers infected with W32/Bugbear@MM. The risk assessment has been updated to MEDIUM FOR HOME AND CORPORATE USERS.

Technical Details

Subject: variable; may well be based on existing emails.
Text: variable; as above
Attachment: filename is variable, but always has the file size of 50688 bytes.

Virus Behaviour

The virus is a mass-mailing virus, which can propagate using the MIME-020 vulnerability. BugBear also appears to have the ability to disable or disarm AV software.

Payload

The virus appears to contain a key-logging Trojan. This potentially could be used to steal passwords and credit-card details.
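The post says the worm is written in Visual C/C++ and compressed with UPX. A quick static triage check for that, added here as an example (not from the thread or from any vendor), is to walk the PE section table and look for the UPX0/UPX1 section names that an unmodified UPX build leaves behind. The parser, the function names and the synthetic PE built by build_synthetic_pe() are all constructed for this example; no real sample is needed to run it.

```python
"""Static triage: does a PE file carry UPX's section names?

Added example, not part of the original post. The section-name check
is a heuristic: a repacked or renamed UPX build will not show UPX0/UPX1.
"""
import struct
import sys


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2)
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]         # Name field is the first 8 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section name starts with 'UPX' (UPX0, UPX1, ...)."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def build_synthetic_pe(section_names) -> bytes:
    """Construct a minimal, non-runnable PE32 image with the given section
    names. Used only to exercise the parser offline; constructed data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                     # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b""
    for name in section_names:
        sections += name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, "UPX sections:", looks_upx_packed(f.read()))
    else:
        demo = build_synthetic_pe(["UPX0", "UPX1", ".rsrc"])
        print("synthetic sections:", pe_section_names(demo))
        print("looks UPX packed:", looks_upx_packed(demo))
```

Run it with a file path to check a suspect binary, or with no arguments to see it parse the synthetic image. A positive result only says the file was packed with stock UPX, which is common for legitimate software too, so it is a reason to scan or unpack, not a verdict on its own.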
 

Anubis

No Lifer
Aug 31, 2001
78,712
427
126
tbqhwy.com
Yeah, this should be everywhere. I think our campus is still trying to recover from Nimda, because people had it last year and didn't know it, and they just plugged their comps back into the network here again and it started all over again.

Man, I hate people who don't know how to run the anti-virus software that comes free with their comps. Also, updating Windows wouldn't hurt either. I ask people if they have done this and they look at me like I'm speaking a foreign language.
 

Nitemare

Lifer
Feb 8, 2001
35,461
4
81
Originally posted by: TheEvil1
Yeah, this should be everywhere. I think our campus is still trying to recover from Nimda, because people had it last year and didn't know it, and they just plugged their comps back into the network here again and it started all over again.

Man, I hate people who don't know how to run the anti-virus software that comes free with their comps. Also, updating Windows wouldn't hurt either. I ask people if they have done this and they look at me like I'm speaking a foreign language.


They should be written up on the first offense, then fired on the second. Viruses only exist because of stupid people. The sooner they are taken care of, removed from computers, educated or whatnot, the sooner viruses will go away.
 

Harvey

Administrator, Elite Member
Oct 9, 1999
35,057
67
91
Thanks. In case you didn't know it, for Norton AV users, in addition to Live Update, which they say is typically updated once a week, you can pick up any intermediary updates using Intelligent Update, which d/l's an EXE file containing the very latest virus definitions.
 

LakerGod

Platinum Member
May 19, 2001
2,477
0
0
Is Intelligent Update an option in the AntiVirus program, or do you have to download it separately?
 

mithrandir2001

Diamond Member
May 1, 2001
6,545
1
0
Originally posted by: OmegaNauce
Originally posted by: ndee
HAHA, Mandrake 9.0 here :)

i love it!
Nobody bothers Linux because nobody uses Linux for anything important. :p:p:p:p:p

I let Norton scan my drives. 99077 files. Damn, how did I accumulate so much stuff???
 

GoingUp

Lifer
Jul 31, 2002
16,720
1
71
I got the Bugbear virus but it didn't get picked up by the latest version of Norton's.....weird.....I scanned the file and everything...?