hackfix-virusnews: Bugbear worm spreading rapidly

  • From: "Christy" <snowz@xxxxxxxxxx>
  • To: hackfix-virusnews@xxxxxxxxxxxxx
  • Date: Thu, 03 Oct 2002 18:35:37 -0400

As posted earlier on our Help list, Mike overlooked
submitting it here as well. Our apologies for an
apparent delay in posting for those that might be
readers of both lists.
~~~

Bugbear worm spreading rapidly 
October 3, 2002 
http://www.pcflank.com/news031002.htm

Bugbear is the latest mass-mailing worm to target
Windows users. It has been spreading quickly around the
world since it first appeared on Monday, according to
alerts issued by antivirus companies and computer
security experts. The worm was first detected in
Malaysia. 

The Bugbear virus infects computers running the
Windows operating system and an unpatched version of
Internet Explorer 5.5. 

A flaw in MIME (the multipurpose Internet mail
extensions) lets a malicious program attached to an
e-mail message execute when the text of the message
appears in Outlook. Microsoft issued a fix almost
18 months ago, but some users apparently have not
updated their computers. 

The virus comes as an e-mail attachment with a
variety of subject lines including "bad news,"
"Membership Confirmation," "Market Update Report,"
and "Your Gift." 

The worm copies itself into the Windows system
directory and start-up folder as a .exe file with a
random three letter name. 

Once installed it attempts to disable any anti-virus
software and firewalls that might be in place and
installs a Trojan keystroke logger as a DLL, detected
as PWS-Hooker.dll. 

That Trojan captures information such as passwords
and credit card details from a victim's computer, and
sends them back to the original virus writer via the
TCP port 36794. 

Finally, Bugbear opens a backdoor to the machines
that it infects. Using a Web browser, the virus
author or malicious hackers can access a Web
interface created by the virus, browse local files on
an infected machine and execute programs on that
machine. 

Furthermore the virus also contains a bug that means
it attempts to copy itself to printers on a victim's
network, resulting in some victims reporting printers
churning out pages of unreadable code. 

To avoid infection, Windows users should apply the
Microsoft patch, update their antivirus software and
not open an attachment unless the sender confirms
he or she sent it.

From: PC Flank.com

Resources:

From F-Secure. Oct. 2, 2002

Bugbear e-mail worm spreading at an alarming rate
W32/Bugbear-A  ~ Aliases: Tanat, Tanatos
F-Secure raising alert to highest level (4) as
Bugbear becoming the most widespread virus
currently in circulation

~~~

From "CENTRALCOMMAND.COM Vexira Antivirus"
Full virus description can be read at:
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020930-000024>
~~~

Global Bugbear Information Center
http://www.F-Secure.com/bugbear/ 
A detailed technical description of the worm as well
as screenshots are available here.
~~~

More details covering the Tanatos Internet worm are
now available
in the Kaspersky Virus Encyclopedia at:
http://www.viruslist.com/eng/viruslist.html?id=52245
~~~

Symantec has provided a tool to remove infections of
W32.Bugbear@mm.
If your computer is detected as infected with
W32.Bugbear@mm, then download and run the tool. In
most cases, the tool can remove the infection. To
download the W32.Bugbear removal tool, visit the
following Internet address:

<http://securityresponse.symantec.com/avcenter/venc/da
ta/w32.bugbear@xxxxxxxx
al.tool.html>
~~~
BUGBEAR WORM: INFORMATION, PROTECTION AND
DISINFECTION TOOL
Sophos has been protecting against the wide-spreading
Bugbear worm since Monday. Ensure you are up-to-date
with your protection and read more about how to
ensure your systems remain virus-free.

http://www.sophos.com/enews.cgi?=/support/bugbear.html

~~~~

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www.mwn.ca/
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages ~
http://virusinfo.hackfix.org 
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>



~*~*~*~*~
To unsubscribe from our list send an email 
to hackfix-virusnews-request@xxxxxxxxxxxxx?Subject=unsubscribe.

For a complete list of email commands for our list send 
an email to ecartis@xxxxxxxxxxxxx with a subject line of 
"info hackfix-virusnews" without the quotes.
~*~*~*~*~
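
A triage sketch for two indicators the alert names (TCP port 36794 and a three-letter .exe in the start-up folder), added here as an example and not part of the original post or of any vendor's removal tool. The function names, the folder name "Startup", and the sample netstat output and file paths are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

BUGBEAR_PORT = 36794  # TCP port named in the alert
THREE_LETTER_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)  # random name: match shape only


def port_of(endpoint):
    """Port of a netstat endpoint such as '0.0.0.0:36794', or None ('*:*')."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def netstat_hits(netstat_text, port=BUGBEAR_PORT):
    """(local, remote, state) for each TCP row of `netstat -an` output using `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, UDP rows, blank lines
        local, remote, state = fields[1:4]
        if port in (port_of(local), port_of(remote)):
            hits.append((local, remote, state))
    return hits


def startup_hits(paths):
    """Three-letter .exe files in a Startup folder (system dir has cmd.exe etc., so skip it)."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        in_startup = any(part.lower() == "startup" for part in p.parts[:-1])
        if in_startup and THREE_LETTER_EXE.match(p.name):
            hits.append(raw)
    return hits


# Constructed sample data, not taken from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\cmd.exe",
    r"C:\WINDOWS\Start Menu\Programs\Startup\qzx.exe",
    r"C:\WINDOWS\Start Menu\Programs\Startup\Office.lnk",
]
```

A hit from either function is a reason to run an up-to-date antivirus scan or removal tool, not proof of infection on its own.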
