Tech: Bugbear Virus

Subject: Tech: Bugbear Virus
From: Jon Freeman
Date: 06 Oct 02 - 08:34 PM

Please look out for this one. Here is one reference.

As far as I can make out, it even has the capabilities of using message bodies and I just got one version of it that looks to be a reply to someone I don't think I know to someone I have met through Mudcat which reads to me as being genuine.

I have also posted a little to umf where I first saw the subject raised

Jon



Subject: RE: Tech: Bugbear Virus
From: Sorcha
Date: 06 Oct 02 - 08:39 PM

I got this one once today, but I'm getting Klez 32 about 6 times a day. I'm glad Norton is catching it. I have contacted the server, (RoadRunner) for the address the Klez is coming from and have had no satisfaction at all. They want me to open the message, for crap's sake!



Subject: RE: Tech: Bugbear Virus
From: wysiwyg
Date: 06 Oct 02 - 08:47 PM


Security Response: W32.Bugbear@mm

NOTE: Due to an increased rate of submissions, Symantec Security Response has upgraded this threat from a Category 3 to a Category 4 as of October 2, 2002.

W32.Bugbear@mm is rapidly spreading to Windows users.

The subject and attachment name of incoming emails are randomly chosen. The attachment will have a double extension ending in .exe, .scr, or .pif.

W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22.

Also Known As: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: Worm
Infection Length: 50,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me



Subject: RE: Tech: Bugbear Virus
From: wysiwyg
Date: 06 Oct 02 - 08:55 PM

Oops, of course that's from Symantec.

~S~



Subject: RE: Tech: Bugbear Virus
From: GUEST,Hille
Date: 06 Oct 02 - 10:30 PM

We've had a flurry of this amongst the Sussex clubs mailing lists - there is a removal tool

http://download.nai.com/products/mcafee-avert/stingersetup.exe

Seems to work quite well - and poss advising everyone in one's address book - otherwise it slips thru and just keeps going the rounds!
Cheers,
Hille



Subject: RE: Tech: Bugbear Virus
From: mooman
Date: 07 Oct 02 - 04:39 AM

Yes...this one's been a pain in the neck for me as systems manager of 15 networked PCs (my "bonus" for doing two and a half people's jobs already, in lieu of a pay rise!) in the small organization I work in. Luckily, we caught it in time but it's still coming in from all over.

Thank heavens for Macs at home!

Moo



Subject: RE: Tech: Bugbear Virus
From: nutty
Date: 07 Oct 02 - 05:22 AM

It also (as I understand it) has the capability to disable anti-virus software



Subject: RE: Tech: Bugbear Virus
From: Mr Red
Date: 07 Oct 02 - 07:34 AM

Yea got a double extension .scr and trashed it. Norton (updated 5 days ago) did not trap it. What is an scr extension? - I guessed screen but decided I could ignore it but it definitely came to an e-mail address I don't use much. However I got a global apology from someone who emails a long list so that may be the vector but why did it not come to the expected address? Who knows.
Thank heavens for the wit to stick to my policy. Trash attachments unless they are of a known provenance and they don't execute and I know what the file does. So only pictures to me - no HTML, no Office files, no.



Subject: RE: Tech: Bugbear Virus
From: kendall
Date: 07 Oct 02 - 07:50 AM

How do I recognize this in order to dump it?



Subject: RE: Tech: Bugbear Virus
From: nutty
Date: 07 Oct 02 - 07:53 AM

You recognise it by the size of the attachment ..... 50,688 bytes exactly.



Subject: RE: Tech: Bugbear Virus
From: treewind
Date: 07 Oct 02 - 08:25 AM

(Mr Red:)
So only pictures to me - no HTML, no Office files, no.

Careful with pictures too - those double extensions mean what shows as nicepic.jpg could really be nicepic.jpg.exe !
(or not-so-nice-pic.jpg.exe)

I think SCR is a conventional extension for a screensaver. A lot of viruses spread as a "try this cool new screensaver I just downloaded" type of message.

Sophos also have a Bugbear removal kit:
www.sophos.com
Their site has had so many hits recently they've switched to a low-graphics version to speed things up.

Anahata



Subject: RE: Tech: Bugbear Virus
From: GUEST
Date: 07 Oct 02 - 08:37 AM

.scr is a screen saver.

Bugbear can open itself by using some vulnerability in OE. MS do have a patch to prevent this.

What really concerned me about this one was the message bodies that came with it. Two of them were email messages between folk music people and as mentioned above the second involved someone I know. I can only assume that it lifts random messages from the OE archive.

An implication of this is that you could be nicely protected, perhaps not even running any MS software, exchange emails with someone else who is not protected and their system could pass on the emails you were involved with to third parties...

Jon



Subject: RE: Tech: Bugbear Virus
From: GUEST,Peter from Essex
Date: 07 Oct 02 - 11:04 AM

Don't count on the attachment size being constant.

With hotmail I don't see any attachment or message text but there is a massive payload (126k in the last one). So far none of the handful of people who have my POP3 address have been infected.
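
Added example (not part of the thread and not any vendor's tool): the recognition advice discussed above, written as a mail-attachment check. It flags attachments whose real (last) extension is .exe, .scr or .pif, marks the double-extension disguise described in the quoted Symantec text, and reports the 50,688-byte size only as a weak hint because the size varies. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions named in the Symantec text quoted in the thread.
RISKY_ENDINGS = {".exe", ".scr", ".pif"}
# Size quoted in the thread; kept only as a weak hint because it varies.
REPORTED_SIZE = 50688

def check_attachments(raw_bytes):
    """Return one finding per attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        pieces = name.lower().rsplit(".", 2)
        risky = len(pieces) >= 2 and "." + pieces[-1] in RISKY_ENDINGS
        # nicepic.jpg.exe -> ["nicepic", "jpg", "exe"]: the inner
        # extension hides the real one from a casual reader.
        double_ext = risky and len(pieces) == 3
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "double_extension": double_ext,
            "size_matches_report": len(payload) == REPORTED_SIZE,
            "quarantine": risky,  # decision rests on the last extension
        })
    return findings

def build_sample(filename, size):
    """Constructed test message with one inert attachment of zero bytes."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("constructed body")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    samples = [("nicepic.jpg.exe", 50688), ("nicepic.jpg.scr", 126000),
               ("holiday.jpg", 50688)]
    for fname, size in samples:
        print(check_attachments(build_sample(fname, size)))
```

The third sample shows why size alone is a poor test: a harmless picture can be exactly 50,688 bytes, while a disguised .scr of a different size is still caught by its extension.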



Subject: RE: Tech: Bugbear Virus
From: treewind
Date: 07 Oct 02 - 11:17 AM

Yup, it's already happened - someone getting a snippet of a message between a business rival and a common contact. It wasn't too embarrassing, but it's only a matter of time before a serious security leak happens.

Anahata



Subject: RE: Tech: Bugbear Virus
From: Joan from Wigan
Date: 07 Oct 02 - 03:03 PM

Not only had the virus disabled my Norton Anti-Virus software, but when I tried to download the fix from Symantec, I found the "save" facility was also disabled - clever little bug, this! So after tearing my hair out, I visited the Sophos website. They not only have the fix to download, they will also send it to you as an email attachment, for which I was ecstatically grateful. Many thanks, Anahata, for that link.

Joan

