As posted earlier on our Help list, Mike overlooked submitting it here as well; our apologies for the apparent delay in posting for those who might be readers of both lists.

~~~

Bugbear worm spreading rapidly
October 3, 2002
http://www.pcflank.com/news031002.htm

Bugbear is the latest mass-mailing worm to target Windows users. It has been spreading quickly around the world since it first appeared on Monday, according to alerts issued by antivirus companies and computer security experts. The worm was first detected in Malaysia.

The Bugbear virus infects computers running the Windows operating system and an unpatched version of Internet Explorer 5.5. A flaw in MIME (the multipurpose Internet mail extensions) lets a malicious program attached to an e-mail message execute when the text of the message appears in Outlook. Microsoft issued a fix almost 18 months ago, but some users apparently have not updated their computers.

The virus comes as an e-mail attachment with a variety of subject lines including "bad news," "Membership Confirmation," "Market Update Report," and "Your Gift."

The worm copies itself into the Windows system directory and start-up folder as a .exe file with a random three letter name. Once installed it attempts to disable any anti-virus software and firewalls that might be in place and installs a Trojan keystroke logger as a DLL, detected as PWS-Hooker.dll. That Trojan captures information such as passwords and credit card details from a victim's computer, and sends them back to the original virus writer via TCP port 36794.

Finally, Bugbear opens a backdoor to the machines that it infects. Using a Web browser, the virus author or malicious hackers can access a Web interface created by the virus, browse local files on an infected machine and execute programs on that machine.
Furthermore, the virus also contains a bug that means it attempts to copy itself to printers on a victim's network, resulting in some victims reporting printers churning out pages of unreadable code.

To avoid infection, Windows users should apply the Microsoft patch, update their antivirus software and not open an attachment unless the sender confirms he or she sent it.

From: PC Flank.com

Resources:

From F-Secure. Oct. 2, 2002
Bugbear e-mail worm spreading at an alarming rate
W32/Bugbear-A ~ Aliases: Tanat, Tanatos
F-Secure raising alert to highest level (4) as Bugbear becoming the most widespread virus currently in circulation

~~~

From "CENTRALCOMMAND.COM Vexira Antivirus"
Full virus description can be read at:
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020930-000024>

~~~

Global Bugbear Information Center
http://www.F-Secure.com/bugbear/
A detailed technical description of the worm as well as screenshots are available here.

~~~

More details covering the Tanatos Internet worm are now available in the Kaspersky Virus Encyclopedia at:
http://www.viruslist.com/eng/viruslist.html?id=52245

~~~

Symantec has provided a tool to remove infections of W32.Bugbear@mm. If your computer is detected as infected with W32.Bugbear@mm, then download and run the tool. In most cases, the tool can remove the infection. To download the W32.Bugbear removal tool, visit the following Internet address:
<http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@xxxxxxxx al.tool.html>

~~~

BUGBEAR WORM: INFORMATION, PROTECTION AND DISINFECTION TOOL
Sophos has been protecting against the wide-spreading Bugbear worm since Monday. Ensure you are up-to-date with your protection and read more about how to ensure your systems remain virus-free.
http://www.sophos.com/enews.cgi?=/support/bugbear.html

~~~~

Mike
~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www.mwn.ca/
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
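
A triage check built from the two host indicators the PC Flank report gives (TCP port 36794 and a three-letter .exe in the start-up folder), as an added example that is not part of the original post. The function names and the sample listing and `netstat -an` output are constructed for illustration.

```python
import re

BUGBEAR_PORT = 36794  # TCP port named in the PC Flank report
# Report: ".exe file with a random three letter name"
THREE_LETTER_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)

def suspicious_startup_files(filenames):
    """Return start-up folder entries matching the three-letter .exe pattern.
    This is a weak heuristic: every hit needs manual review."""
    return [f for f in filenames if THREE_LETTER_EXE.match(f)]

def connections_on_port(netstat_text, port=BUGBEAR_PORT):
    """Return (local, remote, state) for TCP rows of `netstat -an` using port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # skips the header row and UDP rows
        local, remote, state = fields[1], fields[2], fields[3]
        # rpartition handles both 1.2.3.4:80 and [::1]:80 address forms
        ports = {addr.rpartition(":")[2] for addr in (local, remote)}
        if str(port) in ports:
            hits.append((local, remote, state))
    return hits

def triage(startup_files, netstat_text):
    """Combine both checks into one report for a single host."""
    return {"startup": suspicious_startup_files(startup_files),
            "network": connections_on_port(netstat_text)}

# Constructed sample data (documentation address ranges, not real hosts)
SAMPLE_STARTUP = ["Microsoft Office.lnk", "kzq.exe", "setup.exe", "ABC.EXE"]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:36794     ESTABLISHED
  TCP    192.0.2.10:1046        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:36794          *:*
"""

if __name__ == "__main__":
    print(triage(SAMPLE_STARTUP, SAMPLE_NETSTAT))
```
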