Bugbear.b is on the prowl
By Robert Vamosi
This variation of an old worm could steal passwords and credit card numbers (6/5/03)

How it works

Bugbear.b carries its own SMTP engine, so it does not need the victim's mail client to send anything; it harvests e-mail addresses from the infected system, including Microsoft Outlook data, and mails copies of itself to all of them. It skips addresses containing words such as mailer-daemon, postmaster, and spam, which keeps its traffic away from bounce handlers and spam traps.

The subject line is either picked from a long list of variations or taken from the name of a random file on the infected computer. The body of the e-mail may carry the IFRAME exploit for the MIME-header vulnerability that Microsoft patch MS01-020 fixes: on an unpatched system the attachment can execute as soon as the message is displayed or previewed in Microsoft Outlook, without the user ever opening the attachment. The attached file has an .exe, .scr, or .pif extension, and Bugbear.b may also give it a double extension such as File.xls.exe so that the executable passes for a document.

On a network, Bugbear.b pauses after infecting the first computer before searching network drives for additional victims. It is also a file infector: it inserts itself into executables under Program Files or the Windows folder itself, including the following, listed by the antivirus vendor F-Secure:

  winzip\winzip32.exe
  kazaa\kazaa.exe
  ICQ\Icq.exe
  DAP\DAP.exe
  Winamp\winamp.exe
  AIM95\aim.exe
  Lavasoft\Ad-aware 6\Ad-aware.exe
  Trillian\Trillian.exe
  Zone Labs\ZoneAlarm\ZoneAlarm.exe
  StreamCast\Morpheus\Morpheus.exe
  QuickTime\QuickTimePlayer.exe
  WS_FTP\WS_FTP95.exe
  MSN Messenger\msnmsgr.exe
  ACDSee32\ACDSee32.exe
  Adobe\Acrobat 4.0\Reader\AcroRd32.exe
  CuteFTP\cutftp32.exe
  Far\Far.exe
  Outlook Express\msimn.exe
  Real\RealPlayer\realplay.exe
  Windows Media Player\mplayer2.exe
  WinRAR\WinRAR.exe
  adobe\acrobat 5.0\reader\acrord32.exe
  Internet Explorer\iexplore.exe
  winhelp.exe
  notepad.exe
  hh.exe
  mplayer.exe
  regedit.exe
  scandskw.exe

Bugbear.b also attempts to terminate any active antivirus and firewall software. It installs a keystroke-logging component in the Windows System directory under a random seven-character name with a .dll extension; this is the part that can capture passwords and credit card numbers typed on the infected machine. Finally, the worm opens TCP port 1080 and listens there for further commands, giving a remote attacker access to the infected system.

Prevention

Install Microsoft patch MS01-020 if you have not already done so. In general, do not open files attached to e-mail without first saving them to disk and scanning them with updated antivirus software, and treat a double extension such as .xls.exe as a warning sign in its own right. A mail gateway that strips or quarantines .exe, .scr, and .pif attachments stops the worm before it reaches users at all. Contact your antivirus vendor to obtain the most current signature files that include Bugbear.b.

Removal

Most antivirus companies have updated their signature files to include this worm; updated software will stop the infection on contact and, in some cases, remove an active infection from your system. Because the worm terminates antivirus and firewall software, confirm that those programs are actually running again after you update them. Any password or card number typed on a machine while it was infected should be treated as exposed and changed once the system is clean.

For more information, see Central Command, Computer Associates, F-Secure, iDefense, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro. For the latest update on this worm, see News.com.
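A mail-side check for the delivery pattern described under How it works, written here as an added example; it is not code from the article or from any antivirus vendor. It parses a message with Python's standard email module and flags executable and double-extension attachments, an executable declared under a non-application content type, and an IFRAME in the HTML body that loads a cid: attachment (the MS01-020 pattern). Both sample messages, their boundary strings, content-IDs and the attachment bodies are constructed for the example.

```python
"""Added example, not code from the article or from any vendor write-up: flag
messages that match the Bugbear.b delivery pattern. The two sample messages
are constructed; the attachment bodies are placeholder text, not binaries."""
import re
from email import message_from_string

# Extensions the article lists for the worm's attachment.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")
# Decoy document extension followed by an executable one, e.g. File.xls.exe.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}\.(exe|scr|pif)$", re.IGNORECASE)
# The MS01-020 trick: an IFRAME in the HTML body that loads a cid: attachment.
IFRAME_CID_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)",
                           re.IGNORECASE)


def scan_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no match."""
    msg = message_from_string(raw)
    findings = []
    iframe_cids = []
    attachments = {}  # Content-ID -> (filename, declared content type)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if ctype == "text/html" and not filename:
            iframe_cids.extend(IFRAME_CID_RE.findall(payload.decode("latin-1")))
            continue
        if not filename:
            continue
        cid = (part.get("Content-ID") or "").strip("<>")
        attachments[cid] = (filename, ctype)
        name = filename.lower()
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment: {filename}")
            # The MS01-020 exploit declares the executable under a harmless
            # media type so the IFRAME renders it instead of prompting.
            if not ctype.startswith("application/"):
                findings.append(f"content-type mismatch: {filename} declared as {ctype}")
        if DOUBLE_EXT_RE.search(name):
            findings.append(f"double extension: {filename}")
    for cid in iframe_cids:
        fname, _ = attachments.get(cid, ("<no matching part>", ""))
        findings.append(f"IFRAME auto-loads attachment cid:{cid} ({fname})")
    return findings


# Constructed sample in the worm's style (not a real capture).
WORM_STYLE = """\
From: someone@example.com
To: victim@example.net
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><iframe src="cid:part1.attachment" height=0 width=0></iframe></body></html>
--B1
Content-Type: audio/x-wav; name="File.xls.exe"
Content-Transfer-Encoding: 7bit
Content-ID: <part1.attachment>

MZ placeholder - constructed stand-in for the attachment body
--B1--
"""

# Constructed benign message for comparison.
BENIGN = """\
From: colleague@example.com
To: victim@example.net
Subject: Q2 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain; charset="us-ascii"

Figures attached.
--B2
Content-Type: application/pdf; name="q2.pdf"
Content-Disposition: attachment; filename="q2.pdf"

%PDF placeholder
--B2--
"""

if __name__ == "__main__":
    for label, raw in (("worm-style", WORM_STYLE), ("benign", BENIGN)):
        print(label, scan_message(raw) or ["clean"])
```

The filename checks alone would catch the attachment; the IFRAME and content-type checks are what distinguish a message built to fire MS01-020 from a user who simply mailed an .exe, which matters when deciding whether to quarantine or merely warn.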
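A host-side triage for the indicators the article gives (the random seven-character .dll in the System directory, the listener on TCP port 1080, and altered copies of the targeted executables), written here as an added example and not code from the article or from any vendor tool. Every input is a constructed snapshot so the code runs offline; on a real case the directory listing, netstat output and file hashes would come from the suspect machine and the baseline from a known-clean build of the same image. It assumes the seven characters are letters; the article says only "seven characters".

```python
"""Added example, not code from the article or any vendor tool: triage checks
for the Bugbear.b host indicators. All inputs are constructed snapshots."""
import hashlib
import re

RANDOM_DLL_RE = re.compile(r"^[a-z]{7}\.dll$", re.IGNORECASE)  # assumption: letters
BACKDOOR_PORT = 1080


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def new_seven_char_dlls(system_listing, baseline_listing):
    """DLLs matching the name pattern that the clean baseline does not have.
    shell32.dll, shlwapi.dll and version.dll are seven letters too, so the
    baseline diff, not the pattern alone, is what makes this usable."""
    baseline = {n.lower() for n in baseline_listing}
    return sorted(n for n in system_listing
                  if RANDOM_DLL_RE.match(n) and n.lower() not in baseline)


def tcp_activity_on(netstat_lines, port=BACKDOOR_PORT):
    """Parse 'netstat -an' output and return (local, foreign, state) for every
    TCP socket bound to the given local port, listening or connected."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, foreign, state = fields[1], fields[2], fields[3]
        if local.rpartition(":")[2] == str(port):
            hits.append((local, foreign, state))
    return hits


def modified_targets(current_hashes, baseline_hashes):
    """Paths from the F-Secure target list whose SHA-256 no longer matches."""
    return sorted(path for path, digest in current_hashes.items()
                  if baseline_hashes.get(path) != digest)


# --- constructed snapshots -------------------------------------------------
SYSTEM_DIR_BASELINE = ["kernel32.dll", "shell32.dll", "shlwapi.dll", "version.dll"]
SYSTEM_DIR_NOW = SYSTEM_DIR_BASELINE + ["qwertyu.dll"]  # constructed random name

NETSTAT_NOW = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
""".splitlines()

BASELINE_HASHES = {
    r"C:\Program Files\Winamp\winamp.exe": sha256_of(b"winamp clean build (constructed)"),
    r"C:\Program Files\WinRAR\WinRAR.exe": sha256_of(b"winrar clean build (constructed)"),
    r"C:\WINDOWS\regedit.exe": sha256_of(b"regedit clean build (constructed)"),
}
CURRENT_HASHES = dict(BASELINE_HASHES)
CURRENT_HASHES[r"C:\Program Files\Winamp\winamp.exe"] = sha256_of(
    b"winamp with worm body inserted (constructed)")


def triage(system_now, system_base, netstat_lines, current_hashes, baseline_hashes):
    """Collect the three indicator checks into one report."""
    return {
        "new_dlls": new_seven_char_dlls(system_now, system_base),
        "port_activity": tcp_activity_on(netstat_lines),
        "modified_targets": modified_targets(current_hashes, baseline_hashes),
    }


if __name__ == "__main__":
    report = triage(SYSTEM_DIR_NOW, SYSTEM_DIR_BASELINE, NETSTAT_NOW,
                    CURRENT_HASHES, BASELINE_HASHES)
    for key, value in report.items():
        print(f"{key}: {value or 'none'}")
```

Because the worm kills security software on the host, run these checks from media you trust rather than relying on the infected machine's own antivirus, and treat the hash comparison as the decisive one: a changed winamp.exe or regedit.exe is hard to explain away, whereas a seven-letter .dll or a port-1080 listener can each have innocent causes (a SOCKS proxy commonly uses 1080).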
