October, 2002
Monthly Virus Update: Watch Out for the Bugbear Worm (Another Email-Forging Worm)
A new Windows worm, "Bugbear," has surfaced and is spreading fast. Like other recent quick-spreading worms, Bugbear also forges emails. It spreads via email attachments and also via unprotected shares (non-passworded shares that allow anyone to write to a system's hard drive). It uses a variety of methods, including assigning multiple extension names (such as .pif, .scr, and .exe) to attachments and varying the subject line, to evade being detected. Bugbear writes itself into shared folders, stops security software such as anti-virus programs from running, puts a keystroke logger on every system it infects, sets up a backdoor Trojan program that listens on port 36794, and then sends copies of itself via email, forging the identity of the sender. Bugbear is not destructive, but it can steal sensitive information such as credit card numbers. The best preventative measures are:
Read more about the Bugbear worm. If your system becomes infected, you can obtain a Bugbear removal tool.

Windows 95, 98 and ME users need to beware of the new Opaserv worm. This one, like Bugbear, attacks systems by finding unprotected shares and then copying itself to scrsvr.exe on each victim system. It also changes the win.ini file in the path C:\windows\win.ini and then creates a new tmp.ini file in C: with the following entry:

    run= c:\windows\scrsvr.exe

Some versions of Opaserv try to update themselves by visiting a Web site and then downloading a file, scrupd.exe. Opaserv then searches for new systems to infect. Note that Opaserv is not programmed to cause damage to systems. The best preventative measures are basically the same as those for preventing Bugbear infections, with one exception: if you are a W9X or ME user, you also need to ensure that your system has a patch for a vulnerability that allows someone to connect to passworded shares by simply entering the first letter of the password. If your system becomes infected, you can eradicate Opaserv using a removal tool from http://securityresponse.symantec.com/avcenter/.

Last month the LBNL VirusWall stopped 10,177 worms and viruses from entering our network. The KLEZ.H worm (7,552 instances) continued to be the most prevalent, followed by the YAHA.E worm (2,538 instances). NIMDA.E came in a distant third with 44 instances detected and eradicated. Information about these worms is available from the Computer Protection Program.
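As an added defender-side example (not part of the original update or of any vendor tool), the following Python check looks for the Opaserv autostart entry described above: it lists every run=/load= line in win.ini-style text and flags any that reference scrsvr.exe. The ini contents below are constructed samples; on a real Windows 9x/ME system you would feed it the text of C:\windows\win.ini and C:\tmp.ini.

```python
import re
from typing import List, Tuple

# Legacy win.ini autostart keys; Opaserv adds a "run=" entry (per the update above).
AUTOSTART_KEYS = ("run", "load")
# File name the update says Opaserv copies itself to on each victim.
OPASERV_FILENAME = "scrsvr.exe"

Entry = Tuple[str, str, str]  # (section, key, value)


def autostart_entries(ini_text: str) -> List[Entry]:
    """Return (section, key, value) for every run=/load= line in ini-style text.

    Handles lines outside any [section] (tmp.ini may have none), comment lines,
    and whitespace around '=' such as "run= c:\\windows\\scrsvr.exe".
    """
    section = ""
    found: List[Entry] = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in AUTOSTART_KEYS:
            found.append((section, key.strip().lower(), value.strip()))
    return found


def opaserv_indicators(ini_text: str) -> List[Entry]:
    """Return only the autostart entries whose value references scrsvr.exe."""
    pattern = re.compile(re.escape(OPASERV_FILENAME), re.IGNORECASE)
    return [e for e in autostart_entries(ini_text) if pattern.search(e[2])]


# Constructed sample contents (not captured from a real infection).
SAMPLE_WIN_INI = "[windows]\nload=\nrun= c:\\windows\\scrsvr.exe\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_TMP_INI = "run= c:\\windows\\scrsvr.exe\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("tmp.ini", SAMPLE_TMP_INI), ("clean", CLEAN_WIN_INI)):
        hits = opaserv_indicators(text)
        print(f"{name}: {'SUSPECT ' + str(hits) if hits else 'no Opaserv indicator'}")
```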