PSA about this Bugbear thing

Paul B. Gallagher paulbg at PBG-TRANSLATIONS.COM
Thu Oct 10 22:00:37 UTC 2002


Dear friends,

Some of you may be more aware than others of the latest nasty little
worm circulating around the Internet, which goes under various names
according to the antivirus software vendor:

        AVP:            I-Worm.Tanatos
        CA:             Win32.Bugbear
        F-Secure:       Tanatos
        McAfee:         W32/Bugbear@MM
        Norton:         W32.Bugbear@mm
        Panda:          W32/Bugbear
        Sophos:         W32/Bugbear-A
        Trend:          WORM_BUGBEAR.A

Systems Affected:       Windows 95, Windows 98
                        Windows Me
                        Windows NT, Windows 2000
                        Windows XP

Systems Not Affected:   Macintosh, Unix, Linux

There are several aspects of this worm that make it especially
worrisome:

1. If it succeeds in infecting your machine, it has a piece that keeps
turning off your antivirus software even if you reactivate it (it
checks at 30-second intervals).

2. It creates and mails out messages containing pieces of real email
messages on your computer. If you have any email messages containing
confidential or embarrassing information, this thing will send it to
people in your address book. I can tell you for certain that this
works, because today I received part of a confidential message between
two SEELANGS subscribers with whom I have never corresponded.

3. It has a piece that allows a hacker to take control of your computer
and make unauthorized changes.

For more details and recommendations, visit your AV vendor's site.
Here are a few of the popular ones. Most have information in other
languages if you poke around:

AVP:            <http://www.viruslist.com/eng/viruslist.html?id=52245> (description only)
                <http://www.avp.ru/download.html> (solutions)

CA:             <http://www3.ca.com/virusinfo/virus.asp?id=13233>
                (downloads and removal instructions at bottom)

F-Secure:       <https://www.europe.f-secure.com/v-descs/tanatos.shtml>

McAfee:         <http://www.mcafee.com/anti-virus/viruses/bugbear/>

Norton:         <http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html>

Panda:          <http://www.pandasecurity.com/Disinfect.asp?ID=37>

Sophos:         <http://www.sophos.com/virusinfo/analyses/w32bugbeara.html> (description)
                <http://www.sophos.com/support/disinfection/bugbear.html> (instructions)

Trend:          <http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A>

Please note (quoting from the Sophos site; most of the vendors' sites
contain similar language):

The worm attempts to exploit a MIME and an IFRAME vulnerability in some
versions of Microsoft Outlook, Microsoft Outlook Express, and Internet
Explorer. These vulnerabilities allow an executable attachment to run
automatically, even if you do not double-click on the attachment.
Microsoft has issued a patch which secures against these attacks. The
patch can be downloaded from Microsoft Security Bulletin MS01-027.
(This patch was released to fix a number of vulnerabilities in
Microsoft's software, including the ones exploited by this worm.)

[link to MS01-027: <http://www.microsoft.com/technet/security/bulletin/MS01-027.asp>]

Let's be careful out there!

--
War is hell. Bush wants to go to war. Fine. Let him go to hell.
--
Paul B. Gallagher
pbg translations, inc.
"Russian Translations That Read Like Originals"
http://pbg-translations.com
