Date: Wed, 11 Jun 2003 16:48:06 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Bugbear.B Worm Virus Alert

---------------------------
VIRUS ALERT: BUGBEAR.B WORM
---------------------------

In a BCPL.NET News message dated October 3, 2002 I described a virus
known as the Bugbear Worm. On June 4, 2003 a new variant of Bugbear
called "Bugbear.B" began spreading very rapidly across the Internet. It
is also known as the "Tanatos Worm" and the "Kijmo Worm", and by a
variety of other names that contain either "Bugbear", "Tanatos", or
"Kijmo".

We have seen a number of Bugbear.B-infected e-mails here at BCPL.NET,
including two sent out early this morning disguised as BCPL.NET News
messages (see http://www.bcpl.net/news/news.2003061100.URGENT if you
missed my warning about the bogus BCPL.NET News messages).

The Bugbear.B Worm infects Windows PCs. It does not infect Macintosh OS
or UNIX computers. The Bugbear.B Worm has been rated as a serious threat
by most of the major virus information Web sites.

How Bugbear.B Spreads
---------------------

When a PC becomes infected by Bugbear.B, the worm mass-mails itself to
all e-mail addresses found on the infected PC. This is the primary means
by which Bugbear.B spreads. However, if the infected PC is on a network,
Bugbear.B can also infect other PCs on the network that have open
network shares.

Bugbear.B is seen primarily in the form of an e-mail file attachment.
When a PC becomes infected, Bugbear compiles a list of target e-mail
addresses from addresses found in the address book, in saved e-mail, and
in other files on the infected computer. It then mails infected file
attachments to all those addresses. It does this each time the infected
PC boots up and connects to the Internet. The e-mail carrying the
infected file attachment can take many forms, so it is not easy to
identify.
The infected e-mail has the following characteristics:

Subject: The "Subject:" line of the infected message can be selected at
random from a list programmed into the Bugbear.B Worm, or it can be the
"Subject:" line from an e-mail message stored on the infected PC.

From Address: The address on the "From:" line is almost never the
address of the infected PC's owner. Sometimes it is chosen at random
from the list of target addresses compiled by Bugbear. Sometimes it is a
completely bogus address made up from pieces of several different
addresses from the list compiled by Bugbear. If the "Subject:" line is
taken from a stored e-mail message, then the "From:" address is usually
taken from that same message.

Message Text: Sometimes the message text is crafted to convince the
reader to open the infected file attachment. Or the message text may be
empty, or it may contain random text taken from a file on the infected
PC. If the "Subject:" and "From:" address are taken from a stored e-mail
message, then the message text will usually be either the full or
partial text of the same message.

File Attachment: The name of the infected file attachment is sometimes
chosen at random from a list of names built into Bugbear. Sometimes it
is the name of a file found in the "Documents" or "My Documents" folder
on the infected PC. The filename extension can be almost anything.
Sometimes there is a double extension, for example "photo.gif.exe". The
file attachment size is usually between 72 K - 74 K. Sometimes more than
one file attachment will accompany the message, but only one carries the
infection. Sometimes the additional attachment is an e-mail message
previously sent by or received by the owner of the infected PC, which
raises the possibility of private information being broadcast to others.

The Bugbear.B Worm infection is not carried by e-mail intentionally sent
by the owner of the infected PC.
Bugbear sends out its infected e-mail without the knowledge of the PC's
owner, using mailer routines built into the worm.

How Bugbear.B Infects A PC
--------------------------

The primary cause of infection is opening an infected file attachment
received via e-mail.

o If the recipient of a Bugbear.B-infected e-mail intentionally opens
  the file attachment, his/her PC will become infected.

o Even if the recipient does not intentionally open the attachment,
  Bugbear.B is able to exploit bugs in certain versions of Internet
  Explorer that cause the infected file attachment to open
  automatically. Outlook and Outlook Express use Internet Explorer as a
  "helper program" to open certain types of file attachments. Several
  versions of Internet Explorer have bugs that make it possible for
  certain types of e-mail file attachments to open automatically even
  when the "auto open" option is disabled in Outlook or Outlook Express.
  These "auto-open" bugs have been widely publicized and Microsoft
  provided patches for the affected versions of Internet Explorer, but
  a lot of people are still using the buggy unpatched versions of
  Explorer. The bugs are present in Internet Explorer 5.01 (unless
  Service Pack 2 has been applied) and Internet Explorer 5.5. The
  patches are available from the Microsoft TechNet Web site at:

    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
    http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

  Microsoft no longer supports versions of Internet Explorer older than
  5.01 so will not say whether they are affected, but it is generally
  assumed that they are. If you have an older version you should
  upgrade to a newer version.

What Bugbear.B Does To The Infected PC
--------------------------------------

Bugbear.B runs automatically every time the infected PC starts up. It
does four things while it is running:

o Every 30 seconds it checks for the presence of processes associated
  with anti-virus software and personal firewalls.
  If found, it stops those processes. This disables anti-virus and
  personal firewall protection on the infected PC.

o It sends infected e-mail to all addresses found on the infected PC,
  as described above.

o It installs a "keylogger" on the infected PC that records the user's
  keystrokes. It e-mails the contents of this log to a list of e-mail
  addresses (presumably belonging to the creator of Bugbear.B) every
  two hours if the PC is connected to the Internet.

o If Bugbear.B determines from the default e-mail address on the PC
  that the PC belongs to a banking institution, in addition to e-mailing
  the keystroke log it also e-mails network passwords cached on the PC.

o It creates a "back door" that allows a hacker to gain access to and
  execute commands on the infected PC.

How To Protect Your PC From Bugbear.B Worm Infection
----------------------------------------------------

o If you have anti-virus software on your PC, *and* if it is configured
  to scan incoming e-mail for viruses, *and* if its virus description
  database is up to date enough to know about Bugbear.B, then it will
  stop Bugbear.B before it can infect your PC. However, the virus
  description database must be *very* new. The Bugbear.B Worm was
  discovered and described by the major anti-virus software vendors on
  June 4, 2003, so a virus description database older than that will
  not enable your anti-virus software to detect and stop Bugbear.B. We
  recommend that you update your virus description database at least
  once a week, although given the rate at which new PC viruses appear,
  once a day would be even better. If you do not keep your virus
  description database up to date, then your anti-virus software is
  virtually useless.

o If you use Microsoft Internet Explorer and Outlook or Outlook Express,
  make sure your copy of Explorer is a version that is not affected by
  the "auto-open" bugs described above under "How Bugbear.B Infects A
  PC".
  If you have a version of Internet Explorer affected by the "auto-open"
  bugs, either apply the patches to fix the bugs, or upgrade to a newer
  version of Explorer.

o In the final analysis you are your own best defence against virus
  infection. All it takes is a bit of common sense. If you receive a
  message containing a file attachment, DO NOT open the attachment
  unless ALL of the following are true:

  - The sender is known to you.
  - You are expecting a file attachment from that person.
  - The sender clearly identifies the nature of the file attachment in
    the text of the message.

  If any one of those three statements is not true, delete the message.
  DO NOT open the file attachment.

How To Remove Bugbear.B From An Infected PC
-------------------------------------------

If your PC becomes infected by Bugbear.B, and if you have anti-virus
software on the PC, attempting to run the anti-virus software will not
remove the infection, because your virus definition database must be
too old to detect Bugbear.B; otherwise your anti-virus software would
not have allowed the worm to infect your PC in the first place. Any
attempt to update the virus definition database and then scan your PC
with the updated software will probably fail, because Bugbear.B watches
for and terminates any running processes associated with anti-virus
programs.

If you have anti-virus software on your PC, go to the support Web site
for that software to get the vendor's recommendations for dealing with
Bugbear.B.

If you do not have anti-virus software, or if you have trouble with the
software vendor's instructions for dealing with a Bugbear-infected PC,
or if you just want a quick fix, we recommend that you download and run
the "Stinger" utility provided free of charge by McAfee. You will find
it on the McAfee web site at:

    http://vil.nai.com/vil/stinger/

Stinger will remove Bugbear.B and several other worms and viruses.
Please follow the instructions on the Stinger web page very carefully!
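For anyone triaging a mailbox by hand, the attachment characteristics listed earlier in this alert (a double extension such as "photo.gif.exe", an executable extension, and a size of roughly 72 K - 74 K) can be checked mechanically. The following Python script is an added example and is not part of this BCPL.NET News message; the set of executable extensions and the sample message it builds are assumptions for illustration, and a heuristic like this is no substitute for an up-to-date virus description database.

```python
"""Triage an RFC 822 message for attachments matching the Bugbear.B
characteristics described in the alert (added example, not BCPL.NET code)."""
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions a Windows mail client would execute on open.
EXEC_EXTS = {"exe", "scr", "pif"}
# "72 K - 74 K" from the alert, taken as 72*1024 .. 74*1024 bytes inclusive.
SIZE_RANGE = (72 * 1024, 74 * 1024)
HEURISTICS = ("double_extension", "executable", "bugbear_size")


def attachment_findings(raw: bytes) -> list[dict]:
    """Return one record per attachment with each heuristic flag set."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():  # parts marked Content-Disposition: attachment
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]  # everything after the base name
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "size": len(payload),
            "double_extension": len(exts) >= 2,
            "executable": bool(exts) and exts[-1] in EXEC_EXTS,
            "bugbear_size": SIZE_RANGE[0] <= len(payload) <= SIZE_RANGE[1],
        })
    return findings


def is_suspect(raw: bytes) -> bool:
    """True when any attachment trips at least two of the three heuristics."""
    return any(sum(1 for h in HEURISTICS if f[h]) >= 2
               for f in attachment_findings(raw))


def build_sample(filename: str, size: int) -> bytes:
    """Constructed sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # constructed, bogus-looking sender
    msg["Subject"] = "Re: your photo"
    msg.set_content("See the attached file.")
    msg.add_attachment(bytes(size), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(attachment_findings(build_sample("photo.gif.exe", 73 * 1024)))
```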
More Information About The Bugbear.B Worm
-----------------------------------------

The following URLs will take you to detailed information about
Bugbear.B on several well-known anti-virus Web sites:

    http://www.F-Secure.com/v-descs/bugbear_b.shtml
    http://vil.mcafee.com/dispVirus.asp?virus_k=100358
    http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
    http://www.sophos.com/virusinfo/analyses/w32bugbearb.html
    http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=133
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

Who to contact about what @BCPL.NET: see http://www.bcpl.net/contacts/