AU-2002.008 -- AusCERT Update - Updated Information Regarding BugBear Virus

Date: 03 October 2002
References: AU-2001.014  ESB-2001.131  


Dear AusCERT member,

This update is meant to draw your attention to the recent propagation
of the BugBear virus, as described in the AusCERT Alert AL-2002.12.
Additional information regarding the propagation methods and mitigation
of this virus is described below.

Description:

	BugBear (aka W32/BugBear-A, W32/BugBear@mm, Tanatos) is a
	mass-mailing virus which is spread primarily through e-mail
	by exploiting an old vulnerability in Microsoft Outlook and
	Outlook Express.  Secondly, the virus spreads through the
	use of network drive shares.

	The mass-mailing aspect of the virus gathers e-mail addresses
	from the infected computer's hard drive and uses them to create
	new, and usually invalid, "From:" e-mail addresses.  For example,
	if the addresses found were aaa@aaa.com and bbb@bbb.com, the
	virus will then forge the "From:" address to appear as
	aaa@bbb.com or bbb@aaa.com.  It is important to remember that
	this is not an indication that the organisation in the domain
	name is necessarily infected with the BugBear virus.

	The virus also attempts to propagate through the use of drive
	shares in a networked computer environment.  As the virus does
	little or no checking whether the network share is a drive or
	a printer, copies of the virus are sent to Windows shared
	printers.  A symptom of this may be several pages of
	unintelligible characters being printed for each attempt.

	Once a computer is infected, the virus opens a backdoor on
	port 36794/tcp allowing a remote user full control over the
	computer and its files, including the logging of all
	keystrokes made by a legitimate user.  Due to the keystroke
	logging capability, users who were previously infected by
	this virus are highly encouraged to change their passwords.
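	The two symptoms described above, the recombined "From:" addresses and
	the backdoor on 36794/tcp, can be checked for mechanically.  The Python
	below is an added example and not part of the original advisory: it flags
	TCP connection attempts to the backdoor port in a constructed
	iptables-style firewall log and tests whether a sender address matches
	the recombination pattern.  The log field layout and the sample
	addresses are assumptions of the example.

```python
import re
from typing import Iterable, List, Tuple

# Backdoor port named in the advisory.
BUGBEAR_BACKDOOR_PORT = 36794

# Constructed sample firewall log (not real traffic); the iptables-style
# field layout is an assumption of this example.
SAMPLE_LOG = """\
Oct  3 09:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4123 DPT=36794 SYN
Oct  3 09:12:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4124 DPT=80 SYN
Oct  3 09:13:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.22 PROTO=UDP SPT=5353 DPT=36794
Oct  3 09:15:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=36794 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def find_backdoor_connections(log_text: str) -> List[Tuple[str, str]]:
    """Return (src, dst) for each TCP connection attempt to the backdoor port.
    UDP and other ports are ignored: the backdoor is TCP per the advisory."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto").upper() == "TCP" and int(m.group("dpt")) == BUGBEAR_BACKDOOR_PORT:
            hits.append((m.group("src"), m.group("dst")))
    return hits


def suspected_infected_hosts(log_text: str) -> List[str]:
    """Internal hosts being contacted on the backdoor port: candidates to
    isolate, scan with updated anti-virus, and have passwords changed on."""
    return sorted({dst for _, dst in find_backdoor_connections(log_text)})


def is_recombined_address(sender: str, harvested: Iterable[str]) -> bool:
    """True if sender matches the advisory's forgery pattern: a local part
    and a domain taken from two different harvested addresses, e.g.
    aaa@bbb.com built from aaa@aaa.com and bbb@bbb.com.  This is not proof
    that the domain's organisation is infected, only that the From: address
    is not one of the real ones."""
    known = set(harvested)
    local, _, domain = sender.partition("@")
    locals_ = {a.partition("@")[0] for a in known}
    domains = {a.partition("@")[2] for a in known}
    return sender not in known and local in locals_ and domain in domains
```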

Mitigation:

	Users and system administrators are encouraged to install and/or
	update anti-virus software that will detect and remove the
	BugBear virus.  Some anti-virus vendors have released separate
	tools for removal of the virus from an infected computer.

	To protect against the vulnerability in Outlook and Outlook
	Express, users are encouraged to apply appropriate patches
	available from Microsoft.  A link to the original security
	bulletin for this vulnerability is listed below.
	
References:

	AL-2002.12 -- AUSCERT ALERT - W32/BugBear@MM Virus
	http://www.auscert.org.au/render.html?it=2447

	ESB-2001.131 -- Microsoft Security Bulletin MS01-020 - Incorrect
	MIME Header Can Cause IE to Execute E-mail Attachment
	http://www.auscert.org.au/render.html?it=1241

	AU-2001.014 -- AusCERT Update - Prevention and Recovery for
	Nimda Worm/Virus
	http://www.auscert.org.au/render.html?it=130

	McAfee Virus Information Library
	http://vil.mcafee.com/dispVirus.asp?virus_k=99728

	Symantec Security Response
	http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html

	Sophos Virus Analysis
	http://www.sophos.com/virusinfo/analyses/w32bugbeara.html


	AusCERT will continue to monitor the situation and would
	appreciate any reports regarding this activity.  If you have
	any information, comments, or questions about this threat,
	please contact us directly.

Regards,

The AusCERT Team

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

