June, 2003

Monthly Virus Update: Bugbear.B Worm Causing Trouble
The W32.Bugbear.B@mm worm is currently causing more trouble than any other new worm. A mutation of W32.Bugbear@mm, Bugbear.B spreads on Windows systems through email attachments and unprotected shares. The worm sends an incorrectly formed MIME (Multipurpose Internet Mail Extensions) header in an attempt to make unpatched versions of Internet Explorer run the instructions in an email attachment when a user views or previews an infected message. It not only infects certain system executables and makes numerous changes to an infected system's Registry, but also plants keystroke-logging and backdoor access software. Additionally, it attempts to stop anti-virus software and personal firewalls from running. Worse yet, Bugbear.B has routines that locate sensitive information, including passwords and the keystrokes that users enter, and send it to certain email addresses. Certain types of information (personal data about individuals, medical data, and so forth) stored on any Windows system are thus particularly at risk!

The best way to prevent Bugbear.B infections is to keep your system's anti-virus software up to date, ensure that you have installed the recent cumulative patch for Internet Explorer, and close all unprotected shares (shares that allow read-write access to anyone; see http://www.lbl.gov/ITSD/Security/systems/windows.html#95). If your system becomes infected, your system administrator should download and then run Symantec's Bugbear.B removal tool.

Last month the LBNL virus wall once again detected and eradicated the Klez.H worm more frequently (1,768 instances) than any other virus or worm. Klez has been the most prevalent worm for well over a year now, and no end to this destructive worm is in sight. The new Sobig.B worm (also known as the Palyh or Mankx worm) came in second with 994 instances identified and eradicated. The worm arrives as an attachment in messages that appear to be from Microsoft support (support@microsoft.com); any user who opens the attachment infects their system. Sobig.B then creates and sends messages to addresses it finds in the address books of the systems it infects. Fortunately, Sobig.B is programmed to become benign on June 7, meaning that as of that date it can no longer spread. See http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive.html#Sobig.B for additional information concerning Sobig.B. Coming in a distant third are various versions of the Yaha worm (see http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive.html#yaha) with a total of 200 instances detected and eradicated. All in all, the LBNL virus wall eradicated a total of 3350 instances of viruses and worms last month, once again attesting to the value of this service that the CITG group provides to the LBNL user community.
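A mail-gateway check for the inconsistent attachment header described in the Bugbear.B item above, added here as an illustration; it is not part of the original newsletter or of any LBNL tool. The sample message is constructed, and the executable-extension list, the list of honest Content-Types, and the mismatch heuristic itself (an executable filename declared under a non-executable type) are assumptions made for the example, since the newsletter says only that the header is incorrectly formed.

```python
import email
import os
from email import policy

# Constructed sample (not a real Bugbear.B capture): the second MIME part claims
# to be audio but carries an executable filename, the kind of inconsistent header
# the note above says tricks unpatched Internet Explorer into running it.
SAMPLE_MAIL = b"""From: sender@example.com
To: user@example.com
Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: audio/x-wav; name="report.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

# Extensions Windows executes on open; an assumed policy list for this example.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Content-Types under which an executable attachment would be honestly declared.
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload",
              "application/x-msdos-program"}

def suspicious_parts(raw_message: bytes):
    """Return a finding for each MIME part whose filename has an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename.lower())[1]
        if ext not in EXEC_EXTS:
            continue
        ctype = part.get_content_type()
        # type_mismatch flags the inconsistency: executable name, harmless type
        findings.append({"filename": filename,
                         "content_type": ctype,
                         "type_mismatch": ctype not in EXEC_TYPES})
    return findings
```

Run against a quarantined message file, a gateway would reject or hold anything with a non-empty result, and the mismatch flag separates header tampering from a plainly declared executable.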