Date: 06 June 2003
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2003.10 -- AUSCERT ALERT
W32/BUGBEAR.B@MM virus spreading rapidly
06 June 2003
===========================================================================
There is a new variant of the BUGBEAR virus spreading rapidly.
This new incarnation is known as BUGBEAR.B and has capabilities
similar to those of the original BUGBEAR, although BUGBEAR.B can
also infect specific executable files and is polymorphic.
Information regarding the original BUGBEAR virus is available at:
AL-2002.12 -- AusCERT Alert - W32/BugBear@MM Virus
http://www.auscert.org.au/render.html?it=2447
AU-2002.008 -- AusCERT Update - Updated Information Regarding
BugBear Virus
http://www.auscert.org.au/render.html?it=2452
Some of the notable capabilities of BUGBEAR.B include the routines
allowing it to:
o Log keystrokes of users of the infected system;
o Terminate security software; and
o Open a back-door allowing attackers remote access to the
infected system.
Much like the original variant, BUGBEAR.B can spread via
unprotected network shares. It is also a mass-mailing virus that
spreads via e-mail by exploiting a previously addressed Microsoft
MIME vulnerability, in which Internet Explorer could be co-opted
into automatically executing a binary attachment when rendering an
HTML e-mail. Because the virus needs no user interaction to execute
from an infected e-mail on an unpatched system, the risk of
propagation is high for sites where the original vulnerability has
not been patched.
Microsoft updates that fix this vulnerability are available at:
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
http://www.microsoft.com/technet/security/bulletin/MS02-047.asp
Information about the specific vulnerability can be found at:
http://www.auscert.org.au/render.html?it=1241
The mass-mailing component of the virus harvests e-mail addresses
from the infected computer's hard drive and uses them to forge the
"From:" address of the messages it sends. It is important to
remember that a message apparently sent from a given address is
not an indication that the person or organisation behind that
domain name is infected with BugBear.
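The two points above (an attachment whose declared MIME type does not
match the executable it carries, and a forged "From:" address that says
nothing about where a message really came from) can both be checked at a
mail gateway. The following is an added example written for this page; it
is not AusCERT's code, not a vendor tool, and the sample message is
constructed (the attachment is only a PE header stub, not a working
binary). The list of auto-opened media types beyond audio/x-wav, the
executable extensions, and the log format are assumptions for illustration.

```python
import base64
import email
import email.utils
import os
import re
from email import policy

# Constructed sample message, not a real BugBear sample. It has the shape of
# mail that abuses the IE MIME-header flaw: an HTML body plus an attachment
# declared as audio/x-wav (a type the vulnerable IE opened automatically)
# whose payload is a Windows executable. PE files begin with the bytes "MZ";
# the stub below is only that header, not a runnable program.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60

SAMPLE_MAIL = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10]) "
    b"by mx.example.net; Fri, 6 Jun 2003 10:00:00 +1000\n"
    b"Received: from attacker-pc (unknown [198.51.100.7]) "
    b"by mail.example.net; Fri, 6 Jun 2003 09:59:00 +1000\n"
    b"From: someone@example.org\n"
    b"To: victim@example.net\n"
    b"Subject: hello\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/html\n"
    b"\n"
    b"<html><body>see attachment</body></html>\n"
    b"--b1\n"
    b'Content-Type: audio/x-wav; name="song.exe"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
) + base64.b64encode(PE_STUB) + b"\n--b1--\n"

# audio/x-wav is the type most often abused with this flaw; the other
# entries are an assumption used to illustrate the check.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "audio/basic", "image/gif", "image/jpeg"}
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}   # assumption


def parse_mail(raw):
    """Parse a raw message (bytes) with the modern email policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def suspicious_attachments(msg):
    """Return (content_type, filename, reason) for each leaf part whose
    declared type does not match what the attachment really is."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in AUTO_OPEN_TYPES and ext in EXEC_EXTENSIONS:
            reasons.append("executable filename under an auto-open media type")
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            reasons.append("PE (MZ) header inside a non-application part")
        if reasons:
            findings.append((ctype, name, "; ".join(reasons)))
    return findings


def origin_vs_from(msg):
    """Compare the From: domain with the IP in the earliest Received: header.
    Each relay prepends its own Received: line, so the last one in header
    order is the hop closest to the real sender. Only lines added by relays
    you trust can be relied on; anything below them may be forged too."""
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    earliest = str(received[-1]) if received else ""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", earliest)
    return from_domain, (m.group(1) if m else None)


if __name__ == "__main__":
    msg = parse_mail(SAMPLE_MAIL)
    for ctype, name, reason in suspicious_attachments(msg):
        print(f"suspicious part {name!r} ({ctype}): {reason}")
    domain, origin = origin_vs_from(msg)
    print(f"From: claims {domain}; earliest recorded relay was {origin}")
```

In the sample the attachment is flagged on both counts, and the message
that claims to be from example.org was handed to the site's relay by
198.51.100.7, which is why a complaint to example.org would be misdirected.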
As mentioned, BUGBEAR.B also attempts to propagate through drive
shares in a networked computer environment. Because the virus does
little or no checking of whether a network share is a drive or a
printer, copies of the virus are also sent to Windows shared
printers. A symptom of this may be several pages of unintelligible
characters being printed for each attempt.
Once a computer is infected, the virus opens a backdoor on
port 1080/tcp allowing a remote user full control over the
computer and its files.
BUGBEAR.B is able to log the keystrokes of legitimate users.
Because of this keystroke logging capability, users of systems
that have been infected by this virus are strongly encouraged to
change their passwords once the system has been cleaned (a
password changed on a still-infected system is itself captured).
The virus also has the ability to kill the processes of certain
anti-virus, security and other programs. Full details of this and
the other capabilities of BUGBEAR.B are available via the links
under "References" below.
Solution
--------
Users and system administrators are encouraged to install and/or
update anti-virus software that will detect and remove the
BugBear virus. Some anti-virus vendors have released separate
tools for removal of the virus from an infected computer.
To protect against the MIME vulnerability exploited by the virus
(in Internet Explorer's MIME handling, which Outlook and Outlook
Express use to render HTML e-mail), users are encouraged to apply
the appropriate patches available from Microsoft. Links to the
patches and to the original security bulletin for this
vulnerability are listed above.
Ensure that all network file shares are disabled unless necessary
and, where shares must remain active, ensure that they are password
protected. Block NetBIOS/SMB traffic (ports 137, 139 and 445) at
external firewalls, and monitor for any unusual increase in
internal traffic to these ports, which may indicate virus activity.
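The monitoring recommended above, together with the 1080/tcp backdoor
described earlier, can be turned into two simple checks over a connection
log. The following is an added example written for this page, not
AusCERT's code or a vendor tool; the log format, the internal address
range (10.0.0.0/8) and the fan-out threshold are assumptions, and the log
lines are constructed, not captured traffic.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Constructed sample connection log (not real traffic), one record per line:
#   <timestamp> <src ip> <dst ip> <proto> <dst port>
# The format is an assumption; adapt parse_flows() to your sensor's output.
SAMPLE_LOG = "\n".join(
    # 10.1.1.5 touches 30 different hosts on 445/tcp and 137/udp within a
    # minute: the fan-out of a host hunting for shares.
    [f"2003-06-06T10:00:{i:02d} 10.1.1.5 10.1.1.{10 + i} tcp 445" for i in range(30)]
    + [f"2003-06-06T10:01:{i:02d} 10.1.1.5 10.1.1.{10 + i} udp 137" for i in range(30)]
    + [
        # ordinary clients talking to the file server 10.1.1.1
        "2003-06-06T10:02:00 10.1.1.20 10.1.1.1 tcp 445",
        "2003-06-06T10:02:01 10.1.1.20 10.1.1.1 tcp 139",
        "2003-06-06T10:02:02 10.1.1.21 10.1.1.1 tcp 445",
        # connections to 1080/tcp on internal hosts, one from outside
        "2003-06-06T10:02:03 203.0.113.9 10.1.1.5 tcp 1080",
        "2003-06-06T10:02:04 10.1.1.20 10.1.1.2 tcp 1080",
    ]
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's internal range
SHARE_PORTS = {137, 139, 445}                  # NetBIOS/SMB ports named in the advisory
BACKDOOR_PORT = 1080                           # BUGBEAR.B backdoor listener
FANOUT_THRESHOLD = 10  # assumption: distinct hosts per source before alerting

Flow = namedtuple("Flow", "ts src dst proto dport")


def parse_flows(text):
    """Parse the whitespace-separated log format above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def find_share_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Sources that contacted at least `threshold` distinct hosts on the
    NetBIOS/SMB ports: the 'unusual increase in internal traffic' the
    advisory asks sites to watch for. Returns {src: distinct_hosts}."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in SHARE_PORTS:
            targets[f.src].add(f.dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


def find_backdoor_connections(flows):
    """Connections to 1080/tcp on internal hosts, grouped by the host that
    accepted them. 1080/tcp is also the conventional SOCKS proxy port, so a
    hit names a host to examine, not a confirmed infection."""
    by_host = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.dport == BACKDOOR_PORT
                and ipaddress.ip_address(f.dst) in INTERNAL):
            by_host[f.dst].add(f.src)
    return {dst: sorted(srcs) for dst, srcs in by_host.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, n in find_share_scanners(flows).items():
        print(f"share scanning: {src} contacted {n} hosts on ports {sorted(SHARE_PORTS)}")
    for dst, srcs in find_backdoor_connections(flows).items():
        print(f"1080/tcp on internal host {dst} reached from {', '.join(srcs)}")
```

On the sample, 10.1.1.5 is reported for contacting 30 hosts on the share
ports, and the same host is then reached on 1080/tcp from an external
address, which is the combination worth escalating first; the threshold
should be tuned against a site's normal share browsing before alerting on
it.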
AusCERT advises sites to disseminate and take action on this
information to prevent any undesirable activity by this virus
within their sites.
References
----------
Information about BUGBEAR.B:
http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32/BugBear.B-mm
http://www.sophos.com/virusinfo/analyses/w32bugbearb.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=100358
http://www.f-secure.com/v-descs/bugbear_b.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B&VSect=T
http://www3.ca.com/virusinfo/virus.aspx?ID=35384
AL-2002.12 -- AUSCERT ALERT - W32/BugBear@MM Virus
http://www.auscert.org.au/render.html?it=2447
AU-2002.008 -- AusCERT Update - Updated Information Regarding
BugBear Virus
http://www.auscert.org.au/render.html?it=2452
ESB-2001.131 -- Microsoft Security Bulletin MS01-020 - Incorrect
MIME Header Can Cause IE to Execute E-mail Attachment
http://www.auscert.org.au/render.html?it=1241
- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPt/ePih9+71yA2DNAQFnTAP+IllyNQ2Etunm6Yy/ZCd0MxGJKTDoxY7p
Q5Y7NxecyHjWL+VZjzyxtPpJ+1kqzevOyMoko4WxFZg681w3d2GQJzBIxQDBcHSR
Ptw7QiyDyZkBDqahtJLOtCbV/NzQHrTkWeAMcox1jRSPObvkqjn/2QTQfcjqQ1qw
LyLB1NzSUWA=
=6l24
-----END PGP SIGNATURE-----