RE: Possible new Bugbear

From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 02/05/04

  • Next message: David LeBlanc: "RE: new IIS exploit?"
    To: <incidents@securityfocus.com>
    Date: Wed, 4 Feb 2004 21:34:42 -0500
    
    

    It's a very typical Bugbear message. Bugbear does not use a fixed set of
    messages. It often takes portions of email found on the infected computer
    and uses them as the delivery message. It also grabs sender and recipient
    addresses from the same pile of email and takes the attachment name from
    files on the infected computer. It often matches subjects and senders or
    recipients, so sometimes its delivery appears to be a perfectly legitimate
    message.

    It is old, but still very much in circulation.

    Since this was Bugbear.b.dam it was damaged and incapable of executing as
    Bugbear.b.

    But virus detection is generally "first and out", so detection of Bugbear
    does not preclude additional infections within the file. And executing a
    viral file can in some cases cause actions on the computer even if
    anti-virus detects an infection after execution. In other words, the test
    machine _might_ now be infected with something else that is not yet detected
    by your anti-virus. Probably not, but maybe.

    Saving the attachment to a file is usually the only action required to get a
    virus scan. You can usually force a manual scan of the saved file, too, so
    you can see the scan run.

    If you want to fully analyze a strange attachment to learn exactly what it
    is and discover any secondary infections that might exist in it, that is a
    whole skill in itself. If not, it is best to not run (open) it at all.

    Bugbear seems to pick a "favorite" attachment name from the infected
    computer. You may receive more Bugbear messages with completely different
    contents but with the same attachment name if they come from the same
    source.

    > -----Original Message-----
    > From: Joe Miller [mailto:joseph-p-miller@cox.net]
    > Sent: Wednesday, February 04, 2004 12:52
    > To: Joe Miller; incidents@securityfocus.com;
    > aztechlist@yahoogroups.com; kmiller210@cox.net;
    > bruce.burton@shawgrp.com; joe.miller@shawgrp.com
    > Subject: Re: Possible new Bugbear
    >
    > Sorry folks, it's not a new variant but it appears as though
    > it is a new attempt at spreading this ancient worm.
    >
    >
    > ============================================================
    > From: Joe Miller <joseph-p-miller@cox.net>
    > Date: 2004/02/04 Wed PM 12:34:10 EST
    > To: incidents@securityfocus.com, aztechlist@yahoogroups.com,
    > kmiller210@cox.net, bruce.burton@shawgrp.com, joe.miller@shawgrp.com
    > Subject: Possible new Bugbear
    >
    > All,
    > Please be aware of emails with this Subject and message:
    >
    > From: "Southwest Airlines"
    > Subject: Ticketless Travel Passenger Itinerary
    >
    > ************ !!! IMPORTANT NOTICE !!! ************
    > ** BRING A COPY OF THIS ITINERARY WITH YOU TO **
    > ** THE AIRPORT FOR FLIGHT CHECKIN.
    >
    > Download Attachment: addresses.xls.exe
    >
    >
    > I received this email that I thought was in error from
    > Southwest Airlines.
    >
    > I've never heard of BugBear coming from spoofed airlines or
    > COX (@cox.com) email addresses so please bear with me:
    > It was a flight itinerary so I clicked Reply to inform them
    > that I was the wrong person and noticed something strange
    > about the reply address "Southwest
    > Airlines"(no-reply@updates.cox.com) <AND> there was an
    > attachment with two file extensions called
    > addresses.xls[1].exe. Knowing that it was a virus I opened it
    > with a PC that I could take off the network if it was MiMail,
    > Bugbear or any other worm. McAfee detected it as
    > W32/Bugbear.b.dam and was not able to clean, delete nor move the file.
    >
    > Is this a new variant of Bugbear?
    >
    > Good day,
    > Joe Miller
    > ============================================================
    >
    >
    >

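Added example, not from either poster: a small Python filter for the attachment names discussed in this thread (`addresses.xls.exe` and the `addresses.xls[1].exe` form the mail client produced), flagging a document-style extension that hides an executable one. The extension lists are my assumptions, not a complete catalogue.

```python
import re

# Assumed list of final extensions that make an attachment a program.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Assumed list of "harmless looking" extensions a worm puts in front of it.
DOCUMENT_EXTS = {"xls", "doc", "txt", "pdf", "jpg", "gif", "zip", "htm", "html"}

# Matches "name.xls.exe" and "name.xls[1].exe": a first extension, an
# optional "[n]" counter inserted by the mail client (as in the quoted
# "addresses.xls[1].exe"), then the real (last) extension.
DOUBLE_EXT = re.compile(
    r"^(?P<base>.+)\.(?P<inner>[a-z0-9]{2,5})(?:\[\d+\])?\.(?P<outer>[a-z0-9]{2,4})$",
    re.IGNORECASE,
)


def classify_attachment(filename: str) -> str:
    """Return 'disguised-executable', 'executable' or 'ok' for one name."""
    name = filename.strip().lower()
    m = DOUBLE_EXT.match(name)
    if m and m.group("outer") in EXECUTABLE_EXTS and m.group("inner") in DOCUMENT_EXTS:
        return "disguised-executable"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def flag_attachments(names):
    """Return the subset of names that should be held for manual scanning."""
    return [n for n in names if classify_attachment(n) != "ok"]


if __name__ == "__main__":
    # Constructed sample: the two names from the thread plus benign ones.
    sample = ["addresses.xls.exe", "addresses.xls[1].exe", "itinerary.pdf", "setup.exe"]
    for n in sample:
        print(f"{n:24s} {classify_attachment(n)}")
```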

