Digital Evolution: Take an Evil Computer Virus, and Make it Much Worse.
The Bugbear.b / Bugbear.c Worm
This information is for Windows computer users only; Linux and Macintosh users would find this document of only passing interest at this point in time.
The "Bugbear" worm is a recent computer virus that uses many of the same tricks as the difficult Klez virus to infect systems. Bugbear can be described as a "virus system", as it is rather complex and has a great many behaviors. The original Bugbear virus was bad enough. Now the Bugbear.b (or .c) variety has appeared, and presents even more of a challenge.
6/6/03
Bugbear.b (also called Bugbear.c) is a fast-spreading worm that bypasses many anti-virus systems and infects computers once thought to be protected from this type of threat. The virus was re-written to be more infectious and more difficult to discover and remove. This is a VERY new threat, introduced to us on 6/5/03 by a client with an "impossible" virus infection. As of the evening of 6/5/03, users of Computer Associates' InoculateIT who are updated regularly will have protection against this new Bugbear variant. Trend Micro PC-cillin, Symantec Norton AntiVirus, and McAfee users are also protected with the most recent updates. Users who need a free anti-virus check can try the free "HouseCall" online scanner at http://housecall.trendmicro.com.
InoculateIT Anti-Virus Users:
Users of current versions of InoculateIT 6.0 and 7.0 Anti-Virus should have a very high degree of protection from the Bugbear worm IF the software is updating properly. InoculateIT should check for updates on the Internet every four hours and download them as needed. To check whether your system has been updated recently, look for the blue and yellow "Realtime Monitor" icon in the System Tray at the right end of the TaskBar (bottom right of the screen if the TaskBar is in its usual position). Right-click the Realtime Monitor icon and choose "About". Check the display: at least one of the Signature Files should have been updated within the past day or two, at the most. Not updated? Close the About box, right-click the icon again, and choose the "Download Signature Now" option. (Note that a corporate installation of InoculateIT will NEVER have its ability to receive updates expire.)
About InoculateIT: This antivirus software is part of Computer Associates' eTrust security initiative ("as seen on TV"...). SoftProse Technology, Inc. considers this product to be the leading anti-virus software available today, and is pleased to make InoculateIT available to quietly and effectively protect entire office networks from all forms of malicious software. See details at http://www.softprose.com/solutions/antivirus_proposal.shtml
Not a Teddy Bear
Do not confuse this report with the earlier virus hoax involving a "Teddy Bear" icon. That hoax, which has been floating around the Internet for several years, is known as the JDBGMGR.EXE hoax, the GreyBear hoax, or the TeddyBear hoax. It involved an arcane programmer's tool for Java (the Microsoft Java debugger registrar, JDBGMGR.EXE) that Microsoft shipped with a teddy bear icon; the file is a legitimate part of Windows and should not be deleted. (NOTE: Microsoft is now removing support for Java from Windows XP with recent system updates. Java for Windows will now only be supported by software from Sun and other third parties.)
Info, Links, and Removal Tools:
From Computer Associates (InoculateIT):
INFO: http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=44267
FREE Removal Tool for Bugbear.b (and "Bugbear.c"):
http://www3.ca.com/Files/VirusInformationAndPrevention/ClnBBear.zip
From McAfee (McAfee Anti-Virus):
INFO: http://vil.mcafee.com/dispVirus.asp?virus_k=100358
FREE Removal Tool (Stinger) for Bugbear, Yaha, Klez, and other viruses:
http://vil.nai.com/vil/stinger/
(NOTE: Stinger may not resolve ALL Yaha infestations. See Symantec's YahaFix.com removal tool for a more comprehensive free Yaha removal tool.)
From Symantec (Norton Anti-Virus):
INFO: http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
FREE Removal Tool for Bugbear.b:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html
From TrendMicro (PC-Cillin):
INFO: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B
FREE Removal Tool (HouseCall online scanner):
http://housecall.trendmicro.com
OR try their free System Cleaner utility:
http://www.trendmicro.com/ftp/products/tsc/sysclean.com
MAJOR CHALLENGES for Non-Updated Systems:
Older versions of Internet Explorer (5.0, 5.01, and 5.5) can be tricked into running this virus automatically, without the user ever opening the attachment: the message labels the executable attachment with a harmless MIME type, and an unpatched IE (which Outlook and Outlook Express use to display HTML mail) runs it as soon as the message is previewed. This is the MIME-header flaw Microsoft fixed in security bulletin MS01-020. Run Windows Update (Start Menu > Windows Update, or surf to http://windowsupdate.microsoft.com) to install the latest "Critical Update" patches on your computer.
Microsoft Office 2000 users should all be at the SP-3 level. To check which level your installation is at (Office 2000 only), run Word and go to the Help menu. Select "About Microsoft Word", and you will see, at the top, the name of the program ("Microsoft Word") followed by an incremental version number and the SP level. The correct version is now 9.0.6926 SP-3. ANY installation of Office 2000 that is not at least at the SP-1 level is at serious risk of virus problems; Outlook 2000 is especially vulnerable. To update your system, you will need the SP-1a and SP-3 updates (available from http://office.microsoft.com/Downloads/default.aspx, or check your server's Utility folder for them) AND the ORIGINAL installation CD (or the network location used for a network install, such as your server's Utility folder).
PRACTICE SAFE COMPUTING
Users who have anti-virus software installed that is NOT being updated are strongly warned that this is only an illusion of protection. Anti-virus software is WORSE than useless if it is not updated regularly; it is actually dangerous, because you THINK you have protection. Users who have NO anti-virus protection are strongly encouraged to get some as soon as possible; it should no longer be considered optional.
SoftProse Technology, Inc. recommends Computer Associates' InoculateIT as the world's best anti-virus software. Corporate users can see a proposal at http://www.softprose.com/solutions/antivirus_proposal.shtml. For home users, we suggest either the consumer version of InoculateIT or solutions from McAfee.com.
HOW DO I DETECT BUGBEAR.B?
Difficult to do without anti-virus software. Below are four major clues:
1) A strange EXE file in the STARTUP folder. (Right-click the Start Menu and select Open; on XP, choose Open All Users. Open Programs, then Startup, and look there for a "strange" exe. Note that deleting it will not stop Bugbear, since the worm has already infected other programs on the machine; you must use a removal tool to clean the infection from the computer.)
2) The system is listening on TCP port 1080. (System administrators may be able to check this; on the suspect machine itself, netstat -an at a command prompt lists the ports in the LISTENING state.)
3) Spawns print jobs on network printers: random print jobs are sent to network printers.
4) CHECK THE SMTP INFO IN THE EMAIL HEADER:
UNLIKE earlier viruses, Bugbear.b / .c does NOT use its own SMTP server to deliver mail directly to the recipient's mail system. Instead, it takes the SMTP server setting from the local computer and sends through that server. (Many systems now block the direct-delivery SMTP technique used by precursor viruses such as SirCam and Klez.) Therefore, it should be possible to interpret the full Email header of an infected message (the Received: lines that each mail server adds as the message passes through it) to determine the ACTUAL COMPUTER that is infected, which is NOT the computer of the person named in the From: line. Most users are not used to reading this information, but system administrators should be able to. (This technique of reading the SMTP server from an Email's header was how SoftProse Technology, Inc. was first able to detect this virus on a client's system.)
WHAT DOES Bugbear.b / Bugbear.c DO?
Mass-mailer, Network Share Propagator, Keylogger, Remote Access Trojan, Polymorphic Parasitic File Infector, Security Software Terminator, Random Printing, AND Bank Robbery.
Mass-mailer
Searches files (not just address books) for Email addresses, and assembles its own address book.
Picks a random address from that list as the FROM address on the Email, so the person who SEEMED to send the Email is usually not the person whose computer is infected.
Does NOT contain its own SMTP server! This is sort of new: it reads the SMTP server for the current computer from the standard registry entry under
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager"
(where Outlook Express keeps its mail account settings), and sends through that server.
The Email messages it sends have any one of fifty or so subject lines and a large collection of random attachment names. (If an Email looks weird, don't run the attachment!)
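The header technique from clue 4 under "HOW DO I DETECT BUGBEAR.B?" and the mass-mailer behavior just described (random From: address, delivery through the infected computer's configured SMTP server) can be checked with a short script. The following Python program is an added example written for this page; it is not SoftProse's code, and the message, host names, addresses and attachment name in it are constructed for illustration, as is the list of executable attachment extensions. It walks the Received: lines from the earliest hop, reports the machine that handed the message to the first relay, and flags that the From: domain never saw the message.

```python
"""Trace a suspect message back to the machine that handed it to the
first SMTP relay, using the Received: headers.

Added example for this page; not SoftProse's code. All host names,
addresses and attachment names in SAMPLE are constructed for illustration.
"""
import email
import email.utils
import re

# Constructed sample. The From: address is an unrelated harvested address
# (Bugbear.b picks one at random), but the worm sent the message through the
# infected computer's configured SMTP server, so the EARLIEST Received: line
# (the last one in the header, since each relay prepends) names the real origin.
SAMPLE = """\
Received: from mail.example-isp.net (mail.example-isp.net [198.51.100.10])
\tby mx.victim.example (Postfix) with ESMTP id 4F2A1
\tfor <bob@victim.example>; Thu, 5 Jun 2003 18:02:11 -0400
Received: from office-pc7 (dsl-203-0-113-55.example-isp.net [203.0.113.55])
\tby mail.example-isp.net (8.12.9/8.12.9) with SMTP id h55M1x3j004512;
\tThu, 5 Jun 2003 18:01:59 -0400
From: alice@unrelated.example
To: bob@victim.example
Subject: Re: Hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_sep"

--=_sep
Content-Type: text/plain

hi
--=_sep
Content-Type: application/octet-stream; name="resume.scr"
Content-Disposition: attachment; filename="resume.scr"
Content-Transfer-Encoding: base64

TVo=
--=_sep--
"""

# One hop: "from <helo-name> (<reverse-dns> [<ip>]) by <relay> ...".
# The parenthesised part is optional and the reverse-DNS name may be missing.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Assumed list of attachment extensions Windows will run; not taken from the page.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs"}


def parse_hops(msg):
    """Return the Received: hops earliest-first. Each relay prepends its own
    Received: line, so the header order is newest-first and is reversed here."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(flat)
        hop = m.groupdict() if m else dict(helo=None, rdns=None, ip=None, by=None)
        hop["raw"] = flat
        hops.append(hop)
    hops.reverse()
    return hops


def executable_attachments(msg):
    """File names of attachments with an executable extension."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
            names.append(name)
    return names


def trace_origin(raw_message):
    """Summarise where a message really came from and how it is disguised."""
    msg = email.message_from_string(raw_message)
    hops = parse_hops(msg)
    origin = hops[0] if hops else {}
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    relay = (origin.get("by") or "").lower()
    # Heuristic: if the first relay is not a host in the From: domain, that
    # domain's mail system never saw the message, so the From: line is forged.
    relay_matches = bool(from_domain) and (
        relay == from_domain or relay.endswith("." + from_domain))
    return {
        "hop_count": len(hops),
        "origin_helo": origin.get("helo"),      # name the sending machine announced
        "origin_rdns": origin.get("rdns"),      # reverse DNS recorded by the relay
        "origin_ip": origin.get("ip"),          # address recorded by the relay
        "first_relay": origin.get("by"),        # the SMTP server it was configured to use
        "from_address": from_addr,
        "from_domain_matches_relay": relay_matches,
        "executable_attachments": executable_attachments(msg),
        "hops": hops,
    }


if __name__ == "__main__":
    report = trace_origin(SAMPLE)
    for key, value in report.items():
        if key != "hops":
            print(f"{key:28} {value}")
```

To use it on a real message, save the complete headers from the mail client ("View Source" or "Message Options", depending on the program) and pass the text to trace_origin. One caveat: only the Received: lines written by your own mail server are trustworthy; every line below them was written by someone else's server and can be forged by a sender who wants to. For a worm that relays through an ISP's SMTP server, the line that server wrote (the earliest hop here) is normally accurate, and it is the one that names the infected machine.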
Network Share Propagator
Is your infected computer on a network? Bugbear copies itself to network shares it can write to, and can distribute itself this way to other users. (Protecting servers with anti-virus software is very important!) Once a single machine is infected, ALL networked computers can be infected from shared drives on a local area network.
Keylogger
Bugbear records your keystrokes and then sends them somewhere. Passwords and credit card numbers are very much at risk.
Remote Access Trojan
An outside user can take over an infected machine and control it from anywhere in the world, through the backdoor listening on TCP port 1080. Of course, Bugbear also announces which machines are ready for this "special treatment". (Infected users who are behind NAT firewalls should be protected from this particular form of abuse, since an inbound connection to port 1080 cannot reach them; the worm's other behaviors are unaffected.)
Polymorphic Parasitic File Infector
Bugbear infects certain EXE files. It is a long list, which now includes the popular Ad-Aware 6.0 (from www.lavasoftusa.com).
Security Software Terminator
Attacks some types of anti-virus software and either destroys or suppresses it (Norton, McAfee, Trend Micro). Has either a very limited effect or no effect on InoculateIT.
Random Printing
Prints random documents on available network printers.
Bank Robbery
Yes, bank robbery. If an infected computer belongs to one of the many banking institutions whose domain names the virus carries in its list, the virus may set your system to automatically dial a phone number. This number may be blank (as it appeared during testing), or may be able to be set remotely or at some future time. Once the computer's modem is connected, the other features of the virus (the keylogger and the remote-access backdoor) can come into play and may permit deep-level unauthorized access into major financial systems. This appears to be a devious way to program around the standard bank security policy of "no Internet, no way". Many banks and financial institutions are still reliant on good old modem technology.