The Bugbear Worm
General Information
A new Windows worm, "Bugbear," has surfaced and is spreading fast via email attachments and also via unprotected shares (shares that allow anyone to write to a system's hard drive). It uses a variety of methods to evade detection, including assigning multiple extension names (such as .pif, .scr, and .exe) to attachments and varying the subject line. Bugbear writes itself into shared folders, stops security software (such as anti-virus programs) from running, puts a keystroke logger on every system it infects, sets up a backdoor Trojan program that listens on port 36794, and then sends copies of itself via email. Bugbear is not destructive, but it can steal sensitive information such as credit card numbers.
The best preventative measures are:
- Ensure that all shares do not allow Everyone to write,
- Run antivirus software and keep it updated, and
- Avoid opening attachments unless you know who sent them and what they are.
If your system becomes infected, try Symantec's Bugbear removal tool. See also F-Secure's and TRENDMicro's technical summaries.
The Bugbear.B Worm
The W32.Bugbear.B@mm worm is spreading around the Internet. A mutation of W32.Bugbear@mm, Bugbear.B spreads in Windows systems through email attachments and unprotected shares. This worm sends an incorrectly formed MIME (Multipurpose Internet Mail Extensions) header in an attempt to cause unpatched versions of Internet Explorer to run instructions in an email attachment when a user is viewing or previewing an infected message. It not only infects certain system executables and makes numerous changes in an infected system's Registry, but also plants keystroke-logging and backdoor access software. Additionally, it attempts to stop anti-virus software and personal firewalls from running. Worse yet, Bugbear.B has routines that locate and then send sensitive information, including passwords and data gleaned through keystroke capture, to certain e-mail addresses. The information sent includes passwords and keystrokes that users enter. Certain types of information (personal data about individuals, medical data, and so forth) stored on any Windows system are thus particularly at risk! Bugbear.B also opens port 1080, something you can verify by bringing up a command prompt and then entering:
netstat -an
This allows attackers to connect to any infected system to steal or delete files, kill processes, and so forth.
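As an added example (not part of the original bulletin, and not code from Symantec, F-Secure, or Trend Micro), the following Python script parses the kind of output `netstat -an` produces on Windows and flags TCP listeners on the two ports this page names: 36794 for the original Bugbear backdoor and 1080 for Bugbear.B. The sample netstat output embedded below is constructed for illustration; the `--live` switch and the function names are this example's own.

```python
import re
import subprocess
import sys

# Constructed sample of `netstat -an` output in the Windows layout (not captured
# from a real host). It contains one listener on each port named in the bulletin.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:51022     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports named in the bulletin: 36794 (Bugbear backdoor) and 1080 (Bugbear.B).
BUGBEAR_PORTS = {
    36794: "Bugbear backdoor listener (port 36794)",
    1080: "Bugbear.B backdoor listener (port 1080)",
}

# One netstat row: protocol, local address:port, foreign address, optional state.
# The greedy address group backtracks so that IPv6 forms such as [::]:1080 parse too.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output):
    """Return the set of local TCP ports reported in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header lines, blank lines, "Active Connections"
        proto, _local, port, _foreign, state = match.groups()
        if proto == "TCP" and state == "LISTENING":
            ports.add(int(port))
    return ports


def flag_bugbear_ports(ports):
    """Map each listening port that matches a Bugbear indicator to its description."""
    return {p: BUGBEAR_PORTS[p] for p in sorted(ports) if p in BUGBEAR_PORTS}


def check_netstat(netstat_output):
    """Parse netstat text and return the Bugbear-related listeners found in it."""
    return flag_bugbear_ports(listening_ports(netstat_output))


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Run netstat on this host; output layout is assumed to match the Windows form above.
        output = subprocess.run(["netstat", "-an"], capture_output=True,
                                text=True, check=False).stdout
    else:
        output = SAMPLE_NETSTAT
    hits = check_netstat(output)
    if hits:
        for port, label in hits.items():
            print(f"WARNING: {label}")
    else:
        print("No Bugbear-related listening ports found.")
```

Run it without arguments to see it flag both ports in the constructed sample, or with `--live` to have it call `netstat -an` itself. Port 1080 is also the conventional SOCKS proxy port, so a listener there is a reason to run an updated antivirus scan rather than proof of infection on its own; likewise, because the worm tries to stop security software, a clean netstat result should not be taken as a clean bill of health.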
The best way to prevent Bugbear.B infections is to keep your system's antivirus software up-to-date, ensure that you have installed the recent cumulative patch for Internet Explorer, and close all unprotected shares (shares that allow read-write access to anyone). If your system becomes infected, your system administrator or the LBNL Help Desk (help@lbl.gov) should download and then run Symantec's Bugbear.B removal tool.