Helsinki, Finland, October 2, 2002 - The Bugbear e-mail worm (also known as Tanatos) was first seen on Monday, September 30. Since then it has been located in dozens of countries worldwide and continues to spread at an increasing rate. Current statistics show that Bugbear/Tanatos has passed Klez as the most common virus currently in the world. Klez was the most common virus for almost all of 2002.
Bugbear is a Windows mass mailer, spreading itself in infected e-mail attachments, sometimes executing the attachment automatically. It also tries to spread through open Windows fileshares. A side effect of this is that the worm sometimes prints massive amounts of nonsense text on network printers.
The worm also attempts to terminate the processes of various antivirus and firewall programs. Once a machine is infected, it can be remotely controlled via a graphical backdoor, allowing the hacker to steal and delete information from affected computers.
VIRUS OPERATION
The worm can pick up old e-mail messages from an infected system and send them to random e-mail addresses. This means that private e-mails will be disclosed to third parties. "Forwarding old e-mails is actually a social engineering trick," comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "When people receive such e-mails, they will be baffled by the contents. In many cases they will click on the file attachment just to figure out what the strange e-mail is all about - thereby becoming infected."
Some e-mails sent by Bugbear will use the IFRAME vulnerability. This means that on an unpatched Windows system the worm attachment will execute automatically as soon as it is previewed or read. In some cases the worm fakes the e-mail address of the sender - making it look as if an innocent third party sent the worm. This creates further confusion and makes it difficult to warn the infected parties of the problem.
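A mail-gateway check for the IFRAME auto-execution vector described above, added here as an example (it is not F-Secure's analysis code nor anything from the worm). It assumes that the auto-executing attachment is referenced from the HTML body by an iframe pointing at a cid: part and that the part carries a Windows executable; that reading of the vector, the regex and the sample message are this example's own, not details given on the page.

```python
import email
import re
from email import policy

# <iframe ... src="cid:..."> in an HTML body, case-insensitive.
IFRAME_CID = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']?cid:([^"\'>\s]+)', re.I)
EXEC_MAGIC = b"MZ"  # DOS/PE header: a Windows executable, whatever the headers claim


def iframe_autorun_reasons(raw: bytes) -> list[str]:
    """Return why a message looks like an IFRAME auto-execution attempt (empty = clean).

    Heuristic of this example, not from the page: the HTML body embeds a MIME part
    via <iframe src="cid:..."> and that part is a Windows executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html, parts_by_cid = "", {}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_content()
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[cid.strip().strip("<>")] = part
    reasons = []
    for cid in IFRAME_CID.findall(html):
        reasons.append(f"HTML body loads attachment cid:{cid} in an iframe")
        part = parts_by_cid.get(cid)
        payload = part.get_payload(decode=True) if part is not None else b""
        if payload and payload.startswith(EXEC_MAGIC):
            reasons.append(f"cid:{cid} is a Windows executable "
                           f"(declared as {part.get_content_type()})")
    return reasons


# Constructed sample (not a real worm mail): the "attachment" is an inert text
# stub that merely starts with the MZ marker.
SAMPLE = b"""\
Subject: Re: your notes
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body>see attached<iframe src="cid:att1" width=0 height=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="notes.wav"
Content-ID: <att1>

MZ-stub-not-a-program
--b1--
"""
```

On SAMPLE the function returns two reasons (the iframe reference and the executable payload hidden behind an audio type); a plain text message returns an empty list.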
The worm spreads effectively within corporate LANs once one machine gets infected via e-mail. The worm will enumerate all network shares and try to copy itself to them. On Windows machines with hard drives shared for several users, the worm attempts to copy itself to the Startup folder, activating when the machine is rebooted. The worm tries to copy itself to all types of shared network resources - including printers. Printers will not and cannot get infected by Bugbear, but they will attempt to print out the binary code of the worm - resulting in dozens or hundreds of pages of garbage.
The Bugbear worm tries to terminate various processes in the memory of an infected computer. This includes processes used by most of the popular antivirus and personal firewall products - including the outdated F-Secure Anti-Virus v4.x series. However, the worm does not affect the current F-Secure Anti-Virus v5.x series. In any case, the worm can only attack security programs if it executes in the first place - and up-to-date antivirus programs will prevent it from executing. "As this worm is already widespread, there must now be thousands and thousands of computers on the Internet without any antivirus or firewall protection, because Bugbear has removed them," comments Hypponen.
The worm will install a backdoor to all infected systems. This backdoor can be exploited by the virus writer or by hackers, allowing them to connect to infected machines using a web browser. The worm will show a web user interface through which the attacker can browse local files or execute programs. "We haven't seen such an advanced backdoor in a worm before," says Mikko Hypponen. "Fortunately, it is not easy for script kiddies to enable this functionality."
"It was such a nice and quiet year virus-wise - up until the middle of September," continues Hypponen. "After that we have had many large outbreaks, including the Slapper and Devnull Linux worms, and the Opaserv and Bugbear Windows worms."
The year 2001 is generally considered to have been the worst virus year ever. "During 2002, the Klez virus has been the most common virus for months and months. As Bugbear is quite similar to Klez in many ways, I am afraid Bugbear will still be widespread in 2003," finishes Mikko Hypponen from F-Secure Corporation.
A detailed technical description of the worm as well as screenshots are available in the Global Bugbear Information Center at http://www.F-Secure.com/bugbear/.
F-Secure Anti-Virus 5.40 can detect, stop and disinfect the Bugbear worm, even if the system is already infected. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com.