AU-2002.008 -- AusCERT Update - Updated Information Regarding BugBear Virus

Date: 03 October 2002
References: AU-2001.014  ESB-2001.131  


AusCERT Update AU-2002.008 - Updated Information Regarding BugBear Virus
3 October 2002

Dear AusCERT member,

This update is meant to draw your attention to the recent propagation
of the BugBear virus, as described in the AusCERT Alert AL-2002.12.
Additional information regarding the propagation methods and mitigation
of this virus is described below.


	BugBear (aka W32/BugBear-A, W32/BugBear@mm, Tanatos) is a
	mass-mailing virus which is spread primarily through e-mail
	by exploiting an old vulnerability in Microsoft Outlook and
	Outlook Express.  The virus also spreads through the use of
	network drive shares.

	The mass-mailing aspect of the virus gathers e-mail addresses
	from the infected computer's hard drive and uses them to create
	new, and usually invalid, "From:" e-mail addresses.  For example,
	if the addresses found were and, the
	virus will then forge the "From:" address to appear as or  It is important to remember that
	this is not an indication that the organisation in the domain
	name is necessarily infected with the BugBear virus.

	The virus also attempts to propagate through the use of drive
	shares in a networked computer environment.  As the virus does
	little or no checking whether the network share is a drive or
	a printer, copies of the virus are sent to Windows shared
	printers.  A symptom of this may be several pages of
	unintelligible characters to be printed for each attempt.

	Once a computer is infected, the virus opens a backdoor on
	port 36794/tcp allowing a remote user full control over the
	computer and its files, including the logging of all
	keystrokes made by a legitimate user.  Due to the keystroke
	logging capability, users who were previously infected by
	this virus are highly encouraged to change their passwords.
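The backdoor port named above is the one network indicator a site can check for without touching the infected host. The script below is an added example, not part of the AusCERT advisory and not an AusCERT tool: it parses a constructed, hypothetical firewall log format ("timestamp action proto src:port -> dst:port") and reports internal hosts that accepted, or were probed on, 36794/tcp. Only the destination port is considered, because 36794 also falls within the range a normal client may pick as an ephemeral source port, so a source port of 36794 alone is not evidence of the backdoor.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the advisory).  The
# layout "timestamp action proto src:port -> dst:port" is hypothetical.
SAMPLE_LOG = """\
2002-10-03T09:12:01 ALLOW tcp 192.0.2.10:1034 -> 203.0.113.5:80
2002-10-03T09:12:07 ALLOW tcp 198.51.100.7:2211 -> 192.0.2.10:36794
2002-10-03T09:12:09 ALLOW tcp 192.0.2.10:36794 -> 198.51.100.7:2211
2002-10-03T09:13:40 DENY tcp 198.51.100.9:4000 -> 192.0.2.22:36794
2002-10-03T09:14:02 ALLOW udp 192.0.2.10:137 -> 192.0.2.255:137
2002-10-03T09:15:11 ALLOW tcp 192.0.2.31:36794 -> 192.0.2.40:445
"""

# Port on which the advisory states the BugBear backdoor listens.
BUGBEAR_BACKDOOR_PORT = 36794

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_activity(log_text, port=BUGBEAR_BACKDOOR_PORT):
    """Scan log text for TCP connections whose *destination* port is the backdoor port.

    Returns two dicts keyed by destination host:
      accepted  - hosts that ALLOWed a connection on the port (likely listening)
      attempted - hosts that were probed on the port but the firewall DENIED it
    Reply packets with the backdoor port as the *source* port are ignored,
    as is UDP traffic, since the advisory describes a TCP listener.
    """
    accepted = defaultdict(int)
    attempted = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or int(rec["dport"]) != port:
            continue
        bucket = accepted if rec["action"] == "ALLOW" else attempted
        bucket[rec["dst"]] += 1
    return dict(accepted), dict(attempted)


def report(log_text):
    """Human-readable summary for an operator; returns the lines it would print."""
    accepted, attempted = find_backdoor_activity(log_text)
    lines = []
    for host, n in sorted(accepted.items()):
        lines.append(f"INVESTIGATE {host}: accepted {n} connection(s) on {BUGBEAR_BACKDOOR_PORT}/tcp")
    for host, n in sorted(attempted.items()):
        lines.append(f"PROBED {host}: {n} denied attempt(s) on {BUGBEAR_BACKDOOR_PORT}/tcp")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

A host that appears in the "accepted" set should be treated as potentially compromised and handled per the advisory: isolate it, run an updated anti-virus tool, and have its users change passwords because of the keystroke logger. A host that only appears in the "attempted" set was scanned from outside, which is worth noting but is not itself evidence of infection.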


	Users and system administrators are encouraged to install and/or
	update anti-virus software that will detect and remove the
	BugBear virus.  Some anti-virus vendors have released separate
	tools for removal of the virus from an infected computer.

	To protect against the vulnerability in Outlook and Outlook
	Express, users are encouraged to apply appropriate patches
	available from Microsoft.  A link to the original security
	bulletin for this vulnerability is listed below.
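The Outlook/Outlook Express vulnerability referenced below (MS01-020) concerns a message part whose declared MIME type does not match the executable attachment it actually carries. Patching the clients is the fix; as a complementary gateway-side control, the script below is an added example (not AusCERT's or Microsoft's code) that uses Python's standard email module to flag such mismatched parts in a constructed sample message, and separately lists any executable attachment regardless of declared type. The set of executable extensions and the choice to treat "application/*" as an honest declaration are this example's own assumptions.

```python
import email
import os
from email import policy

# Constructed sample message (not from the advisory).  The second part
# declares a media type but carries an executable filename; the third
# declares itself honestly as application/octet-stream.
SAMPLE_MSG = """\
From: someone@example.invalid
To: member@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: audio/x-wav; name="report.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="report.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1
Content-Type: application/octet-stream; name="tool.exe"
Content-Disposition: attachment; filename="tool.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# Assumed list of extensions Windows will execute when opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def _attachment_ext(part):
    """Lower-cased extension of the part's filename ('' if none)."""
    filename = part.get_filename() or ""
    return os.path.splitext(filename.lower())[1]


def find_executable_attachments(raw):
    """All leaf parts whose filename has an executable extension, as (type, name)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [
        (part.get_content_type(), part.get_filename())
        for part in msg.walk()
        if not part.is_multipart() and _attachment_ext(part) in EXECUTABLE_EXTENSIONS
    ]


def find_mismatched_parts(raw):
    """Executable attachments declared under a non-application MIME type.

    This is the shape of message MS01-020 concerns: the declared type invites
    the client to handle the part automatically while the payload is a program.
    """
    return [
        (ctype, name)
        for ctype, name in find_executable_attachments(raw)
        if not ctype.startswith("application/")
    ]


if __name__ == "__main__":
    print("executables:", find_executable_attachments(SAMPLE_MSG))
    print("mismatched: ", find_mismatched_parts(SAMPLE_MSG))
```

The mismatch check is the narrower signal; many sites choose simply to quarantine everything `find_executable_attachments` reports, which also covers mass-mailers that declare their attachment honestly.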

	AL-2002.12 -- AUSCERT ALERT - W32/BugBear@MM Virus

	ESB-2001.131 -- Microsoft Security Bulletin MS01-020 - Incorrect
	MIME Header Can Cause IE to Execute E-mail Attachment

	AU-2001.014 -- AusCERT Update - Prevention and Recovery for
	Nimda Worm/Virus

	McAfee Virus Information Library

	Symantec Security Response

	Sophos Virus Analysis

	AusCERT will continue to monitor the situation and would
	appreciate any reports regarding this activity.  If you have
	any information, comments, or questions about this threat,
	please contact us directly.


The AusCERT Team

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
