I thought you might all appreciate some info about the Bugbear virus which has infected a large number of UK computers. This is from the F-Secure site but any good virus software including McAfee and Norton will also detect and remove it as long as your version is up to date.

Bugbear Worm Information - as of 10th October 2002
Taken from the F-Secure site

The Bugbear e-mail worm (also known as Tanatos) was first seen on Monday, September 30. Since then it has been located in dozens of countries worldwide and continues to spread at an increasing rate. Current statistics show that Bugbear/Tanatos has passed Klez as the most common virus currently in the world. Klez has been the most common virus for almost all of 2002.

Bugbear is a Windows mass mailer, spreading itself in infected e-mail attachments, sometimes executing the attachment automatically. It also tries to spread through open Windows fileshares. A side effect of this is that the worm sometimes prints massive amounts of nonsense text on network printers. The worm also attempts to terminate the processes of various antivirus and firewall programs. Once a machine is infected, it can be remotely controlled via a graphical backdoor, allowing the hacker to steal and delete information from affected computers.

FORGED SENDER ADDRESSES

The worm can pick up old e-mail messages from an infected system and send them to random e-mail addresses. In addition, the worm gathers e-mail addresses from the infected computer's hard drive and uses them to forge the sender (the "From:" line) of the e-mail. So, the recipients of e-mail with Bugbear-infected attachments seem to get it from someone who was not the actual sender (and is not the real Bugbear victim). An annoying thing about Bugbear is that it tries to defame the good name and reputation of the apparent sender, who actually isn't involved.

In many cases the apparent sender is accused of spreading a virus around, which makes him waste hours looking for a virus which has never been on his computer in the first place.

In some cases, Bugbear generates new e-mail addresses by combining old addresses. For example, addresses jack@company.com and jill@firm.net could be combined by the worm, and the virus will then forge the "From:" address to appear as jack@firm.net or jill@company.com - which are non-existent addresses. It is important to remember that this is not an indication that either of these organisations is necessarily affected by the Bugbear virus.

Unfortunately, there's no easy way to figure out from Bugbear-sent messages who the actual sender is.

Do note that Bugbear is not the only worm to forge the sender of infected e-mails. Most notably, the widespread Klez worm does this too.

VIRUS OPERATION

The worm can pick up old e-mail messages from an infected system and send them to random e-mail addresses. This means that private e-mails will be disclosed to third parties. Forwarding old e-mails is actually a social engineering trick - when people receive such e-mails, they will be baffled by the contents. In many cases they will click on the file attachment just to figure out what the strange e-mail is all about - thereby becoming infected.

[Image: Example of one e-mail sent by Bugbear]

Some e-mails sent by Bugbear will use the IFRAME vulnerability. This means that on an unpatched Windows system the worm attachment will execute automatically as soon as it is previewed or read.

In some cases the worm fakes the e-mail address of the sender - making it look as if an innocent third party sent the worm. This creates further confusion and makes it difficult to warn the infected parties of the problem.

The worm spreads effectively within corporate LANs once one machine gets infected via e-mail. The worm will enumerate all network shares and will try to copy itself to them. On Windows machines that have their hard drive shared for other users, the worm attempts to copy itself to the Startup folder, activating when the machine is rebooted.

The worm tries to copy itself to all types of shared network resources - including printers. Printers will not and cannot get infected by Bugbear, but they will attempt to print out the binary code of the worm - resulting in dozens or hundreds of pages of garbage. Infected users can be located by administrators by checking which users have started such print jobs.

The Bugbear worm tries to terminate various processes in the memory of an infected computer. This includes processes used by most popular antivirus and personal firewall products - including the outdated F-Secure Anti-Virus v4.x series. However, the worm does not affect the current F-Secure Anti-Virus v5.x series. In any case, the worm can only attack security programs if it executes in the first place - and up-to-date anti-virus programs will prevent it from executing. As this worm is already widespread, there must be thousands of computers on the Internet without any antivirus or firewall protection - because Bugbear has removed them.

The worm will install a backdoor on all infected systems. This backdoor can be exploited by the virus writer or by hackers, allowing them to connect to infected machines using a web browser. The worm will show a web user interface through which the attacker can browse local files or execute programs.

The year 2001 is generally considered to have been the worst virus year ever. During 2002, the Klez virus has been the most common virus for months and months. As Bugbear is quite similar to Klez in many ways, it may still be widespread in 2003.

F-Secure Anti-Virus 5.40 can detect, stop and disinfect the Bugbear worm, even if the system is already infected with the worm. The full removal instructions are available from our support site.

CONTACT
Support Anti-Virus e-mail: Anti-Virus-Support@F-Secure.com

- o -
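An added example, not part of the original post or of F-Secure's write-up: the address-recombination trick described under FORGED SENDER ADDRESSES can be turned around by a helpdesk. Given a directory of addresses known to exist (constructed sample data here), the script flags a reported "From:" address that is a cross-combination of a known local-part and a known domain, so nobody spends hours chasing a host that never sent the message.

```python
"""Triage of sender addresses from Bugbear-style complaint reports.

Added example (not the original post's or F-Secure's code). The
directory below is constructed sample data; a real helpdesk would load
it from the mail system's address book.
"""
from email.utils import parseaddr

# Constructed sample directory of addresses that really exist.
KNOWN_ADDRESSES = {
    "jack@company.com",
    "jill@firm.net",
    "postmaster@company.com",
}


def classify_sender(from_header: str, known=KNOWN_ADDRESSES) -> str:
    """Classify a "From:" header as 'existing', 'recombined' or 'unknown'.

    'existing'   - the address is in the directory (the worm forges these
                   too, so this still says nothing about who really sent it)
    'recombined' - local-part and domain are both known but never belonged
                   together: the jack@firm.net pattern the advisory describes
    'unknown'    - neither case applies
    """
    _, addr = parseaddr(from_header)      # strips "Display Name <...>"
    addr = addr.lower()
    if "@" not in addr:
        return "unknown"
    known_lower = {a.lower() for a in known}
    if addr in known_lower:
        return "existing"
    local, domain = addr.rsplit("@", 1)
    known_locals = {a.split("@", 1)[0] for a in known_lower}
    known_domains = {a.rsplit("@", 1)[1] for a in known_lower}
    if local in known_locals and domain in known_domains:
        return "recombined"
    return "unknown"


def triage(from_headers, known=KNOWN_ADDRESSES) -> dict:
    """Tally a batch of reported "From:" headers by classification."""
    counts = {"existing": 0, "recombined": 0, "unknown": 0}
    for header in from_headers:
        counts[classify_sender(header, known)] += 1
    return counts


if __name__ == "__main__":
    reports = ["jack@firm.net", "Jill <jill@company.com>", "jack@company.com"]
    print(triage(reports))   # 'recombined' entries are not evidence that
                             # firm.net or company.com is infected
```

A 'recombined' verdict only tells the helpdesk that the named organisation need not be the infected party; as the advisory says, the true origin cannot be read off a Bugbear-sent message.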