Symantec Security Response: W32.Bugbear.B@mm - Level 4 - Severe
W32.Bugbear.B@mm is a variant of W32.Bugbear@mm (originally discovered and named in the Sydney Symantec Security
Response Centre in October 2002) and appears to be spreading quickly.
W32.Bugbear.B@mm can be categorised as a blended threat. It is a mass-mailing worm and can also spread through network
shares. The worm is polymorphic and also infects a select list of executable files. It includes a Trojan that attempts
to disable antivirus and firewall software so it can then attempt to steal the user's passwords and credit card details.
It installs a keylogger on compromised systems to capture the user's key strokes which could expose usernames and
passwords or other confidential information. It attempts to replicate to network printers when looking for network
drives to infect. This can cause strange print outs from printers.
The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched
systems to auto-execute the worm when reading or previewing an infected message. For further information visit: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-020.asp
Symantec Security Response has rated W32.Bugbear.B@mm a level 4 worm, on a scale of 1-5, with five being the most
serious. To date Symantec has received a total of 800 submissions worldwide, with 60% of submissions in EMEA, and 28% of
submissions in the Americas. APAC has been infected with 3% of the total submissions worldwide.
Symantec Security Response strongly encourages users to download the latest virus definitions via LiveUpdate or from the
Symantec Security Website - http://securityresponse.symantec.com/avcenter/defs.download.html
The worm mass mails itself to e-mail addresses found on the system. It searches for e-mail addresses in the current
inbox and in files that have these extensions.
.mmf
.nch
.mbx
.eml
.tbb
.dbx
.ocs
The worm can reply or forward an existing message or create a new message with one of the following subject line:
Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re:
$150 FREE Bonus!
Your News Alert
Hi!
Get 8 FREE issues - no risk!
Greets!
RECOMMENDATIONS
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best
practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not
critical, such as an FTP server, telnet, and a Web server.
These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have
fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is
applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through
the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This
helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread
viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and
restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is
downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause
infection if certain browser vulnerabilities are not patched.
For additional information, refer to the Response write up located at