Security Response: W32.Bugbear.B@mm - SEVERE
Symantec Security Response: W32.Bugbear.B@mm - Level 4 - Severe
W32.Bugbear.B@mm is a variant of W32.Bugbear@mm (originally discovered and named in the Sydney Symantec Security Response Centre in October 2002) and appears to be spreading quickly.
W32.Bugbear.B@mm can be categorised as a blended threat. It is a mass-mailing worm and can also spread through network shares. The worm is polymorphic and also infects a select list of executable files. It includes a Trojan that attempts to disable antivirus and firewall software so it can then attempt to steal the user's passwords and credit card details. It installs a keylogger on compromised systems to capture the user's key strokes which could expose usernames and passwords or other confidential information. It attempts to replicate to network printers when looking for network drives to infect. This can cause strange print outs from printers.
The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message. For further information visit: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-020.asp
Symantec Security Response has rated W32.Bugbear.B@mm a level 4 worm, on a scale of 1-5, with five being the most serious. To date Symantec has received a total of 800 submissions worldwide, with 60% of submissions in EMEA, and 28% of submissions in the Americas. APAC has been infected with 3% of the total submissions worldwide.
Symantec Security Response strongly encourages users to download the latest virus definitions via LiveUpdate or from the Symantec Security Website - http://securityresponse.symantec.com/avcenter/defs.download.html
The worm mass mails itself to e-mail addresses found on the system. It searches for e-mail addresses in the current inbox and in files that have these extensions.
The worm can reply or forward an existing message or create a new message with one of the following subject line:
Just a reminder
Correction of errors
I need help about script!!!
Get a FREE gift!
Lost & Found
click on this!
Market Update Report
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server.
These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
For additional information, refer to the Response write up located at