"Bugbear is a double-edged worm which spreads by sending itself in emails and by copying itself around a network," said Graham Cluley, senior technology consultant at Sophos Anti-Virus. "In this respect, it is much like Klez and Elkern, which are the chart-topping viruses of 2002. So the bottom line on Bugbear is that following best practice guidelines for 'Safe Hex' will provide almost complete protection against it."
The worm attempts to exploit vulnerabilities in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even without being double-clicked. If the worm is activated, several new files will appear in the Startup folder. Their names consist of letters of the alphabet randomly chosen by the virus, such as xxx.EXE, yyyy.EXE or zzzzzzz.DLL.
Sophos suggests companies take the following steps:
1. Update corporate anti-virus software now to detect and prevent the Bugbear virus. If procedures for rapid updates are not in place, implement them now, as these are bound to be needed again.
2. If possible, block all Windows programs at the email gateway. It is rarely necessary to allow users to receive programs via email. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not.
3. Deploy updated versions of Outlook, Explorer and Outlook Express on all computers. W32/Bugbear-A exploits two vulnerabilities for which patches have been available for over a year. If procedures for applying patches for security vulnerabilities are not currently in place, implement them now.
4. Encourage users to act as good custodians of their computers. Technologies such as mail filtering, firewalling and anti-virus are not 'fit-and-forget' solutions. They do not absolve users from the need to act responsibly, especially when dealing with unexpected emails containing attachments.
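As an illustration of step 2, the following added example (not Sophos code) shows how a gateway filter can reject any message carrying a Windows program, whether or not it is known malware. The extension list, function names and sample messages are assumptions constructed for this sketch.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative extension list (an assumption, not from the advisory); extend per site policy.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd"}

def blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part that looks like a Windows program."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        if not name and part.get_content_maintype() == "text":
            continue  # plain message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, "blocked extension " + ext))
        elif payload[:2] == b"MZ":
            # DOS/PE header: catches a program sent under a harmless-looking name
            hits.append((name or "<unnamed>", "MZ executable header"))
    return hits

def gateway_verdict(raw_message: bytes) -> str:
    """Policy from step 2: reject every mailed-in program, infected or not."""
    return "REJECT" if blocked_attachments(raw_message) else "ACCEPT"

def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed test message with one attachment (sample bytes, not a real worm)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    samples = [("setup.exe", b"MZ\x90\x00"), ("notes.txt", b"MZ\x90\x00stub"),
               ("report.pdf", b"%PDF-1.4")]
    for fname, data in samples:
        raw = build_sample(fname, data)
        print(fname, gateway_verdict(raw), blocked_attachments(raw))
```

Checking the file header as well as the name matters because a filter that trusts extensions alone passes a program that has simply been renamed.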
Sophos advises keeping your anti-virus software fully up to date and practising safe computing to prevent infection by viruses.
Full details of Sophos's safe computing guidelines can be found at: http://www.sophos.com/safecomputing
Protection against this worm (W32/Bugbear-A) is available from the Sophos Anti-Virus website:
Sophos's Safe Hex guidelines can be found at: