copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

AL-2002.12 -- W32/BUGBEAR@MM Virus

Date: 01 October 2002
References: AU-2002.008  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2002.12 -- AUSCERT ALERT
                           W32/BUGBEAR@MM Virus
                              01 October 2002

===========================================================================


                            AusCERT Alert Summary
                            ---------------------

	There is a new Win32 virus called BUGBEAR that spreads via e-mail
	and network shares. It exploits a previously addressed Microsoft
	MIME vulnerability, in which Internet Explorer could be coopted
	into automatically executing a binary file when rendering a HTML
	e-mail.  As this virus requires no user interaction for its
	execution from an infected email, the risk of propagation is great
	for sites where the original vulnerability has not been patched.
	There has been a recent increase in NETBIOS port 137 (UDP) scanning
	on the Internet, possibly as a result of this virus.

	Information about Microsoft MS01-020 vulnerability and updates:

	http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
	http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

	Information about BUGBEAR:

	http://www.messagelabs.com/viruseye/report.asp?id=110
	http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A
	http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
	

	Solution
	--------

	Install patches available from Microsoft to address the MS01-020
	vulnerability.

	When possible, upgrade all anti-virus software to use the latest
	definition files as soon as they become available.

	Ensure that all network file shares are disabled unless necessary
	and if possible ensure that active shares are password protected.

	Disallow traffic for ports 137 and 139 at external firewall/s and
	monitor for any unusual increase in internal traffic to these
	ports that may indicate virus activity.

	AusCERT advises members to disseminate and take action on this
	information to prevent any undesirable activity by this virus
	within their sites.

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPZl37Ch9+71yA2DNAQGdUAP/cP811/mnZ23+2bAXhL+5djaWFDZG3UVC
vlDB8o4xTgWbFCX6jH4tyzL4jB0f76GJVtZ0L1LJ5FOddnpfLVFOxA+hXxZvBtzC
Xu90GEYY4GOTdqLEayt8cCXJHYbGZtPKJcIhvdNZ20v3rnR/ogWgRDF9HCUeRgzx
8yw4GlFLjUM=
=vf7k
-----END PGP SIGNATURE-----