Help & HowTo: Bugbear worm
Published: 01 Oct 2002 07:57 BST
Antivirus companies are warning users of an Internet worm with a potentially dangerous payload that is infecting PCs around the world. Antivirus firm Messagelabs said it had caught nearly 6,000 instances of the worm -- called Bugbear -- by Tuesday morning.
Bugbear contains a Trojan horse that attempts to steal passwords and credit card information. Bugbear (w32.bugbear@mm), also known as Tanatos, is about 50KB long and is compressed with the UPX file compressor. Users of Internet Explorer 5.01 or 5.5 who have not patched the Incorrect Mime header flaw are vulnerable to the worm's e-mail attack.
All versions of Windows are vulnerable to this worm's ability to arrive via open file sharing. Users of Macintosh, Linux, and Unix are not at risk. Since Bugbear sends infected e-mail and contains a potentially dangerous Trojan horse, it ranks a 6 on the ZDNet Virus Meter.
How it works
Bugbear arrives via email with no distinct characteristics except for an attached file that is always 50,688 bytes long. The subject line and text may be taken from existing e-mail. Bugbear also arrives through network file sharing.
When run, Bugbear adds itself to the System subdirectory of the Windows folder as four random letters followed by .exe (for example, windows\System\zayb.exe). It also changes the Registry in order to run each time Windows is loaded, once again using random letters. Finally, it adds itself to the Startup folder as three random letters followed by .exe (for example, Startup\zay.exe).
The Trojan horse part of this worm first terminates many popular firewall and antivirus programs. The Trojan then launches a keystroke-logging program whose filename is a variable number of random letters followed by .dll (for example, avbxcydz.dll). Keystroke-logging programs memorize the keystrokes typed when filling out login information (passwords) or filling out shopping forms online (credit card information). Files saved by these programs can later be accessed remotely by malicious users. The Trojan component of this worm opens port 36794.
Prevention
Users of Internet Explorer 6 should be safe from the e-mail portion of this worm. Users of IE 5.01 and 5.5 who have not installed the Infected Mime header patch found in MS01-020 should do so. If you do not need to share files on a network, you should also turn off file sharing within Windows.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure,McAfee, and Sophos.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
20 out of 43 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
