Date: 03 October 2002
References: AU-2001.014 ESB-2001.131
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AusCERT Update AU-2002.008 - Updated Information Regarding BugBear Virus
3 October 2002
Dear AusCERT member,
This update is meant to draw your attention to the recent propagation
of the BugBear virus, as described in the AusCERT Alert AL-2002.12.
Additional information regarding the propagation methods and mitigation
of this virus is described below.
BugBear (aka W32/BugBear-A, W32/BugBear@mm, Tanatos) is a
mass-mailing virus which is spread primarily through e-mail
by exploiting an old vulnerability in Microsoft Outlook and
Outlook Express. Secondly, the virus spreads through the
use of network drive shares.
The mass-mailing aspect of the virus gathers e-mail addresses
from the infected computer's hard drive and uses them to create
new, and usually invalid, "From:" e-mail addresses. For example,
if the addresses found were firstname.lastname@example.org and email@example.com, the
virus will then forge the "From:" address to appear as
firstname.lastname@example.org or email@example.com. It is important to remember that
this is not an indication that the organisation in the domain]
name is necessarily infected with the BugBear virus.
The virus also attempts to propagate through the use of drive
shares in a networked computer environment. As the virus does
little or no checking whether the network share is a drive or
a printer, copies of the virus are sent to Windows shared
printers. A symptom of this may be several pages of
unintelligible characters to be printed for each attempt.
Once a computer is infected, the virus opens a backdoor on
port 36794/tcp allowing a remote user full control over the
computer and its files, including the logging of all
keystrokes made by a legitimate user. Due to the keystroke
logging capability, users who were previously infected by
this virus are highly encouraged to change their passwords.
Users and system administrators are encouraged to install and/or
update anti-virus software that will detect and remove the
BugBear virus. Some anti-virus vendors have released separate
tools for removal of the virus from an infected computer.
To protect against the vulnerability in Outlook and Outlook
Express, users are encouraged to apply appropriate patches
available from Microsoft. A link to the original security
bulletin for this vulnerability is listed below.
AL-2002.12 -- AUSCERT ALERT - W32/BugBear@MM Virus
ESB-2001.131 -- Microsoft Security Bulletin MS01-020 - Incorrect
MIME Header Can Cause IE to Execute E-mail Attachment
AU-2001.014 -- AusCERT Update - Prevention and Recovery for
McAfee Virus Information Library
Symantec Security Response
Sophos Virus Analysis
AusCERT will continue to monitor the situation and would
appreciate any reports regarding this activity. If you have
any information, comments, or questions about this threat,
please contact us directly.
The AusCERT Team
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----