Date: Wed, 11 Jun 2003 09:57:04 -0400 (EDT) From: BCPL.NET SysAdmin To: BCPL.NET News Subject: BCPL.NET NEWS: *** URGENT: PLEASE READ *** ------------------------------------------------- E-MAIL CONTAINING BUGBEAR.B WORM SENT TO ALL CUSTOMERS WITH FALSIFIED ISPADMIN "FROM:" ADDRESS ------------------------------------------------- Very early this morning a message was sent to the bcplnet-news@bcpl.net address (this mailing list) with the characteristics described below. *** THE MESSAGE APPEARS TO BE FROM ISPADMIN@BCPL.NET *** *** BUT WAS NOT ACTUALLY SENT BY ISPADMIN@BCPL.NET *** Here's what it looked like: > Date: Wed, 11 Jun 2003 00:21:20 -0400 (EDT) > From: "BCPL.NET SysAdmin" > Subject: BCPL.NET NEWS: Router Failure > > ---------------------------------------------------- > ROUTER FAILURE CAUSES PROLONGED SERVICE INTERRUPTION > ---------------------------------------------------- > At about 12:30 PM on Tuesday January 28 the router that connects us to > the rest of the Internet failed The "From:" address may show some real name other than "BCPL.NET SysAdmin", but the actual address on the "From:" line is always "ispadmin@bcpl.net". The message includes a file attachment. In every example I have seen the file name is "My Money.mny.exe". The file is an executable that installs the Bugbear.B Worm. I'll post another BCPL.NET NEWS message about Bugbear.B later today. The message was sent to bcplnet-news@bcpl.net. That is the address of the mailing list I use to make announcements to all customers, which means the message went to every BCPL.NET mailbox. Many customers have reported receiving two copies. **** The message WAS NOT actually sent by ispadmin@bcpl.net **** If you received the message described above and still have it in your Inbox, delete it. DO NOT open the file attachment! If you did open the file attachment, then your PC is now infected with the Bugbear.B Worm. We recommend that you go to the following Web address and follow the instructions there to remove the Bugbear infection from your PC: http://vil.nai.com/vil/stinger The "Stinger" utility you can download from that Web page is provided free of charge by McAfee, a well-known provider of anti-virus software. Stinger removes Bugbear.B as well as several other recent viruses. Please read the instructions on that Web page carefully before downloading Stinger! Why this happened: ----------------- The "ispadmin" address is the only address that can post BCPL.NET News messages, which normally prevents spam and virus-infected messages from being sent to the whole BCPL.NET News mailing list. However in this case the Bugbear Worm on that infected PC just happened to choose "ispadmin@bcpl.net" to put on the "From:" line of the infected message. Our Majordomo mailing list software had no way of knowing it was not really from "ispadmin", so it forwarded the message to all 10,000+ BCPL.NET mailboxes. I have modified the configuration file for the BCPL.NET News mailing list to prevent this from happening again. I'll post more information about the Bugbear.B Worm later today. Chip -- BCPL.NET INTERNET SERVICES 320 York Road Towson, MD 21204-5179 U.S.A. CONTACTS: -------- Web Site: http://www.bcpl.net Administration & Policy: ispadmin@bcpl.net 410-887-6180 Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172 Technical Support (Help Desk): help@bcpl.net 410-887-3297 Usenet News Newsgroup Requests news-admin@bcpl.net 410-887-6180 E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180 Domain Name Service Issues: dnsadmin@bcpl.net 410-887-6180 FAX: 410-887-2091