Date: Thu, 3 Oct 2002 02:00:10 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Bugbear Worm Virus Alert

-------------------------
VIRUS ALERT: BUGBEAR WORM
-------------------------

On September 30th a new virus called the "Bugbear Worm" began spreading very rapidly across the Internet. It is also known as the "Tanatos Worm", and by a variety of other names that contain either "Bugbear" or "Tanatos". We have already seen a number of Bugbear-infected e-mails here at BCPL.NET.

The Bugbear Worm infects Windows PCs. It does not infect Macintosh OS or UNIX computers.

The Bugbear Worm has been rated as a serious threat by most of the major virus information Web sites.

How Bugbear Spreads
-------------------

When a PC becomes infected by Bugbear, the worm mass-mails itself to all e-mail addresses found on the infected PC. This is the primary means by which Bugbear spreads. However, if the infected PC is on a network, Bugbear can infect other PCs on the network that have open network shares.

Bugbear is seen primarily in the form of an e-mail file attachment. When a PC becomes infected, Bugbear compiles a list of target e-mail addresses from addresses found in the address book, in saved e-mail, and in other files on the infected computer. It then mails infected file attachments to all those addresses. It does this each time the infected PC boots up and connects to the Internet.

The e-mail carrying the infected file attachment can take many forms, so it is not easy to identify. The infected e-mail has the following characteristics:

Subject: The "Subject:" line of the infected message is selected at random from a list built into the Bugbear Worm.

From Address: The address on the "From:" line is almost never the address of the infected PC's owner. Sometimes it is chosen at random from the list of target addresses compiled by Bugbear.
Sometimes it is a completely bogus address made up from pieces of several different addresses from the list compiled by Bugbear.

Message Text: Sometimes the message text is crafted to convince the reader to open the infected file attachment. Or the message text may be empty, or it may contain random text taken from a file on the infected PC, or it may contain the complete text of an e-mail previously sent by or received by the owner of the infected PC (which raises the possibility of private information being broadcast to others).

File Attachment: The name of the infected file attachment is sometimes chosen at random from a list of names built into Bugbear. Sometimes it is the name of a file found in the "Documents" or "My Documents" folder on the infected PC. The filename extension can be almost anything. Sometimes there is a double extension, for example "photo.gif.exe". The file attachment size is usually between 50 K and 51 K. Sometimes more than one file attachment will accompany the message, but only one carries the infection. Sometimes the additional attachment is an e-mail message previously sent by or received by the owner of the infected PC, which raises the possibility of private information being broadcast to others.

The Bugbear Worm infection is not carried by e-mail intentionally sent by the owner of the infected PC. Bugbear sends out its infected e-mail without the knowledge of the PC's owner, using mailer routines built into the worm.

How Bugbear Infects A PC
------------------------

The primary cause of infection is opening an infected file attachment received via e-mail.

o If the recipient of a Bugbear-infected e-mail intentionally opens the file attachment, his/her PC will become infected.

o Even if the recipient does not intentionally open the attachment, Bugbear is able to exploit a bug in certain versions of Internet Explorer that causes the infected file attachment to open automatically.
  Outlook and Outlook Express use Internet Explorer as a "helper program" to open certain types of file attachments. Several versions of Internet Explorer have a bug that makes it possible for a certain type of e-mail file attachment to open automatically even when the "auto open" option is disabled in Outlook or Outlook Express. This "auto-open" bug has been widely publicized and Microsoft provided a patch for the affected versions of Internet Explorer, but a lot of people are still using the buggy unpatched versions of Explorer.

  The bug is present in Internet Explorer 5.01 (unless Service Pack 2 has been applied) and Internet Explorer 5.5. The patch is available from the Microsoft TechNet Web site at:

  http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

  Microsoft no longer supports versions of Internet Explorer older than 5.01, so will not say whether they are affected, but it is generally assumed that they are. If you have an older version you should upgrade to a newer version.

What Bugbear Does To The Infected PC
------------------------------------

Bugbear runs automatically every time the infected PC starts up. It does four things while it is running:

o Every 30 seconds it checks for the presence of processes associated with anti-virus software and personal firewalls. If found, it stops those processes. This disables anti-virus and personal firewall protection on the infected PC.

o It sends infected e-mail to all addresses found on the infected PC, as described above.

o It creates a "back door" on the infected PC that allows a hacker to execute commands on the PC. These commands permit the hacker to do the following:

  - List files and deliver the list to the hacker.
  - Delete files.
  - Copy files.
  - List processes and deliver the list to the hacker.
  - Terminate processes.
  - Start processes.
  - Intercept keystrokes typed by the computer owner and deliver them to the hacker.
    This may release confidential information typed on the computer (passwords, login details, etc.).
  - Deliver system information to the hacker such as user name, type of processor used, Windows version, memory information, descriptions of fixed and removable drives, and other system information.
  - List network resources and their types, and deliver the list to the hacker.

o If the operating system is Windows 95/98/Me, the worm attempts to obtain access to the password cache on the infected PC. The cached passwords include dial-up passwords, Web passwords, Windows file sharing passwords, and others.

One of the commands permits the Bugbear Worm to deliver data in the form of a Web page, making it very convenient for the hacker to retrieve information from the infected PC.

How To Protect Your PC From Bugbear Worm Infection
--------------------------------------------------

o If you have anti-virus software on your PC, *and* if it is configured to scan incoming e-mail for viruses, *and* if its virus description database is up to date enough to know about Bugbear, then it will stop Bugbear before it can infect your PC. However, the virus description database must be *very* new. The Bugbear Worm was discovered and described by the major anti-virus software vendors on September 30th, so a virus description database older than that will not enable your anti-virus software to detect and stop Bugbear. We recommend that you update your virus description database at least once a week, although, given the rate at which new PC viruses appear, once a day would be even better. If you do not keep your virus description database up to date, then your anti-virus software is virtually useless.

o If you use Microsoft Internet Explorer and Outlook or Outlook Express, make sure your copy of Explorer is a version that is not affected by the "auto-open" bug described above under "How Bugbear Infects A PC".
  If you have a version of Internet Explorer affected by the "auto-open" bug, either apply the patch to fix the bug, or upgrade to a newer version of Explorer.

o In the final analysis you are your own best defense against virus infection. All it takes is a bit of common sense. If you receive a message containing a file attachment DO NOT open the attachment unless ALL of the following are true:

  - The sender is known to you.
  - You are expecting a file attachment from that person.
  - The sender clearly identifies the nature of the file attachment in the text of the message.

  If any one of those three statements is not true, delete the message. DO NOT open the file attachment.

For More Information About The Bugbear Worm:
-------------------------------------------

Additional information about Bugbear is available on the following Web sites:

http://www.msnbc.com/news/815117.asp?0dm=C218T
http://zdnet.com.com/2100-1105-960139.html
http://www.F-Secure.com/v-descs/tanatos.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99728
http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.

BCPL.NET Contact Information: see http://www.bcpl.net/contacts/
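As an added example that is not part of the BCPL.NET advisory, the Python script below turns the attachment characteristics listed above under "How Bugbear Spreads" into a triage check of the kind a mail administrator could run over a quarantine folder: it parses each message, pulls out the attachments, and reports which of the described traits each one matches (an executable extension, a double extension such as "photo.gif.exe", and a size between 50 K and 51 K). The two sample messages are constructed inline and are not real Bugbear traffic; the list of executable extensions and the reading of "K" as 1024 bytes are assumptions, since the advisory gives neither.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions that Windows executes when the attachment is opened.
# The advisory gives no list; it only says the extension "can be almost anything".
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}

# The advisory's size range for the infected attachment, reading "K" as 1024 bytes (assumption).
MIN_SIZE, MAX_SIZE = 50 * 1024, 51 * 1024


def attachment_findings(filename, payload):
    """Return the advisory characteristics that one attachment matches, in a fixed order."""
    findings = []
    exts = filename.lower().split(".")[1:]          # "photo.gif.exe" -> ["gif", "exe"]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if len(exts) >= 2:
            findings.append("double-extension")     # e.g. photo.gif.exe
    if MIN_SIZE <= len(payload) <= MAX_SIZE:
        findings.append("size-50k-51k")
    return findings


def triage_message(raw_bytes):
    """Parse one RFC 822 message and report which attachments match the advisory's description."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "attachments": [],
        "suspicious": False,
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings = attachment_findings(name, payload)
        report["attachments"].append({"name": name, "size": len(payload), "findings": findings})
        # An executable attachment is enough to hold the message for review;
        # the size match and the double extension only add confidence.
        if "executable-extension" in findings:
            report["suspicious"] = True
    return report


def build_sample(from_addr, subject, body, attachments):
    """Construct a test message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples (not real Bugbear traffic): one built to match the advisory's
# description, and one ordinary message with a document attached.
SAMPLE_SUSPECT = build_sample(
    "someone@example.org", "Re: your document", "",
    [("photo.gif.exe", b"M" * (50 * 1024 + 300))],
)
SAMPLE_CLEAN = build_sample(
    "colleague@example.org", "Minutes from Monday", "Attached as promised.",
    [("minutes.doc", b"D" * 4096)],
)

if __name__ == "__main__":
    for raw in (SAMPLE_SUSPECT, SAMPLE_CLEAN):
        r = triage_message(raw)
        print(("HOLD  " if r["suspicious"] else "PASS  ") + r["subject"])
        for a in r["attachments"]:
            print(f"    {a['name']} ({a['size']} bytes): {', '.join(a['findings']) or 'no findings'}")
```

The script only holds messages for review; it does not try to confirm an infection, because the advisory's traits (a random subject, a forged "From:" address, a 50 K executable) describe a pattern rather than a signature, and the final decision still rests on the three-part rule given above under "How To Protect Your PC".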