VIRUS ALERT: Bugbear on the loose
Posted on 1 Oct 2002 at 16:00
Nothing cuddly about this one
UK security experts Integralis have warned that IE5 users are prey to a new worm. Discovered yesterday and originating in Asia, the Bugbear worm already accounts for 10 per cent of new infections reported, Donal Casey of Integralis tells us, just one and a half days later; and as the US wakes to an inbox full of infection, that figure is set to rise. And fast.
At first W32/Bugbear-A was thought to be a self-executing worm that simply mails itself on to addresses in the victim's Windows address book, using its own SMTP engine to do so. It also disables more than 115 firewall and antivirus programs and runs itself again each time the user reboots.
However, it has now been discovered that it also contains a Trojan component. Essentially, this is a spy that the virus drops when it infects the machine and which then notifies the hacker when the victim is next online (and therefore accessible). The Web mail account to which the Trojan reports, says Casey, will have been closed down by now. The problem, he says, is that the port number the Trojan uses on victims' machines has been published so that potential targets can close it off. This also means, however, that any other malicious hacker knows that this same port is open on infected machines, and so it presents an open door.
Nearly 30 per cent of this site's users browse with IE5, and about 20 per cent of users worldwide. IE5 users can patch their browser from the Microsoft Web site (Bulletin MS01-020). Although the patch was issued last year, users should check that they have actually applied it.
The worm arrives as an email with an attachment of 50,664 bytes, a random subject line but no body text.
Should you find yourself infected (you should notice that any firewall or antivirus software has been disabled), we have removal instructions from Donal Casey below. These apply even if you patched after infection.
'The worm creates several files on the infected user's system and each of these files has a random name. Due to this, the removal becomes tricky and should only be performed by a competent computer user.
'The files dropped onto the infected machine are:
\windows\system32\****.exe (\windows\system\ for win9x machines) (4 characters)
\windows\******.DAT (6 characters)
\windows\systems\******.dll (\windows\system\ for win9x machines) (6 characters)
\windows\systems\*******.dll (\windows\system\ for win9x machines) (7 characters) (2 instances)
The startup folder files are:
C:\Documents and Settings\(username)\Start Menu\Programs\Startup\***.EXE (Win2k/XP) (3 characters)
C:\WINDOWS\Start Menu\Programs\Startup\***.EXE (Win9x) (3 characters)
There is also a registry entry created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"%random letters%" = ****.EXE (Win9x)
'To clean the system, first remove the registry entry and any suspicious startup entries. This will allow the machine to be restarted and have the AV and firewall in full working order.
'The AV tools should then be updated as per the vendor's instructions and a full scan performed on the system, with infected files being removed.
'If AV tools are not available, an online scanner should be used.'
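As an added, defender-side illustration (it is not part of the article and not Integralis's own tooling), the Python helper below checks a host's file listing and its RunOnce values against the drop locations and random-name lengths Casey lists above. It assumes the article's "\windows\systems\" denotes the system folder, and the inventory it scans is constructed sample data.

```python
import ntpath
# Drop rules as the article prints them (Win2k/XP layout): allowed \windows subfolder,
# random-name length, extension. Assumption: the article's "\windows\systems\" is read
# as the system folder, so system, system32 and the literal "systems" all qualify.
SYSTEM_DIRS = {"system", "system32", "systems"}
DROP_RULES = [(SYSTEM_DIRS, 4, ".exe"), (set(), 6, ".dat"),  # empty set: directly under \windows
              (SYSTEM_DIRS, 6, ".dll"), (SYSTEM_DIRS, 7, ".dll")]
STARTUP_MARKER = r"\start menu\programs\startup"  # Win2k/XP and Win9x Startup paths both end so

def _looks_random(stem, length):  # exactly `length` letters, no digits: the article's random names
    return len(stem) == length and stem.isalpha()

def flag_dropped_files(paths):
    """Paths whose folder, name length and extension match a listed drop location (triage only)."""
    hits = []
    for path in paths:
        head, tail = ntpath.split(path.lower().replace("/", "\\"))
        stem, ext = ntpath.splitext(tail)
        parts = head.strip("\\").split("\\")
        if head.endswith(STARTUP_MARKER) and ext == ".exe" and _looks_random(stem, 3):
            hits.append(path)  # 3-letter .EXE in a Startup folder
            continue
        subdir = None if parts[-1] == "windows" else parts[-1]
        if not (subdir is None or (len(parts) > 1 and parts[-2] == "windows")):
            continue  # neither directly under \windows nor in a \windows subfolder
        for allowed, length, rule_ext in DROP_RULES:
            in_place = subdir in allowed if subdir else not allowed
            if in_place and ext == rule_ext and _looks_random(stem, length):
                hits.append(path)
                break
    return hits

def flag_runonce(values):
    """values: {name: data} from HKLM\\...\\CurrentVersion\\RunOnce; flags a bare 4-letter .EXE."""
    hits = []
    for name, data in values.items():
        stem, ext = ntpath.splitext(ntpath.basename((data.split() or [""])[0].strip('"').lower()))
        if ext == ".exe" and _looks_random(stem, 4):
            hits.append(name)
    return hits

# Constructed sample inventory (not real data) mixing benign and suspect entries.
SAMPLE_FILES = [r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\WINDOWS\system32\calc.exe",  # benign, but matches the 4-letter rule
                r"C:\WINDOWS\system32\qwxz.exe",
                r"C:\WINDOWS\hgtrdq.DAT",
                r"C:\WINDOWS\system32\lkjhgf.dll",
                r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\rtq.EXE"]
SAMPLE_RUNONCE = {"wqxkd": "ZXPL.EXE", "Setup": r"C:\WINDOWS\system32\msiexec.exe /regserver"}
```

Hits are candidates for the AV scan Casey recommends, not verdicts: legitimate four-letter names such as calc.exe match the same rule, which is why the name-length check alone cannot replace a proper scan.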
Author: Matt Whipp

Printed from www.pcpro.co.uk
