Posted on 2-10-2002
Virus Alert - Bugbear
There are two brand-new email-carried viruses around as of the last 48 hours. If you don't want to read their details, please jump straight to the Comment section below.
W32.Bugbear@mm
==============
Due to an increased rate of submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3 as of September 30, 2002.
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has backdoor capabilities. The worm will also attempt to terminate the processes of various antivirus and firewall programs. It is written in the Microsoft Visual C/C++ programming language and compressed with UPX.
Also Known As: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: Worm
Infection Length: 50,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154
This worm takes bits of your outgoing emails and sends them to your mailing list, and spoofs the Reply email address to make it appear that someone else sent it, when in fact it is coming from you if you are infected.
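The alert notes that Bugbear forges the visible reply address so that a message sent from an infected machine appears to come from someone else. As an added illustration (not part of the original post or any vendor write-up), the Python below parses a constructed message of that shape and shows which headers still betray the real origin: the envelope sender in Return-Path: and the earliest Received: hop, which a forged From:/Reply-To: cannot rewrite. Every domain, host name, address and IP in the sample is constructed for the example.

```python
"""Read the headers that a Bugbear-style forged message cannot hide behind.

Added example, not code from the alert. The messages below are constructed:
the worm-style forgery puts a third party in From:/Reply-To:, while the
envelope sender (Return-Path:) and the earliest Received: hop still name
the infected sender's machine.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample (example.* domains and a documentation IP; not a capture).
FORGED = """Return-Path: <alice@example.net>
Received: from pc-alice.example.net (pc-alice.example.net [192.0.2.10])
    by mx.example.org with ESMTP id 000001; Wed, 2 Oct 2002 09:00:00 +1200
From: "Bob" <bob@example.com>
Reply-To: bob@example.com
To: you@example.org
Subject: Re: your document

(attachment would follow here)
"""

# Constructed clean message: everything points back to the same sender.
CLEAN = """Return-Path: <bob@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.20])
    by mx.example.org with ESMTP id 000002; Wed, 2 Oct 2002 09:05:00 +1200
From: "Bob" <bob@example.com>
To: you@example.org
Subject: lunch?

see you at noon
"""


def sender_evidence(raw):
    """Pull the visible sender fields and the transport-level evidence."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    received = msg.get_all("Received") or []
    origin = None
    if received:
        # Each hop prepends its own Received: line, so the last one in the
        # list is the earliest hop, i.e. the machine the message left from.
        m = re.search(r"from\s+(\S+)", received[-1])
        origin = m.group(1) if m else None
    return {"from": from_addr, "reply_to": reply_to,
            "return_path": return_path, "origin_host": origin}


def domain(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_forged(ev):
    """True when the visible From:/Reply-To: domain disagrees with the envelope
    sender's domain. A mismatch is a reason to look closer (mailing lists and
    forwarders also cause it), not proof of infection."""
    envelope = domain(ev["return_path"])
    if not envelope:
        return False
    if domain(ev["from"]) != envelope:
        return True
    return bool(ev["reply_to"]) and domain(ev["reply_to"]) != envelope


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("clean", CLEAN)):
        ev = sender_evidence(raw)
        print(f"{label}: From={ev['from']} Return-Path={ev['return_path']} "
              f"origin={ev['origin_host']} forged={looks_forged(ev)}")
```

The point for a recipient is the one the alert makes: the name in From: tells you who the worm chose to impersonate, while Return-Path: and the first Received: hop tell you whose machine actually sent it, which is who needs to be told they are infected.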
W32.Opaserv.Worm
================
Due to an increased rate of submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3 as of September 30, 2002.
W32.Opaserv.Worm is a network-aware worm which attempts to replicate across open network shares. It will copy itself to the file "scrsvr.exe" on the remote machine. This worm also attempts to download updates from www.opasoft.com, although the site may have already been shut down.
Indicators of infection include:
* The existence of scrsin.dat and scrsout.dat in the root directory of the c: drive, indicating a local infection (the worm was executed on the local machine)
* The existence of tmp.ini in the root directory of the c: drive, indicating a remote infection (infected by a remote host)
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run contains a string value named ScrSvr or ScrSvrOld which is set to "c:\tmp.ini"
Also Known As: W95/Scrup.worm [McAfee]
Type: Worm
Infection Length: 28,672 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux
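As an added example (not code from the alert or from Symantec), the Python below turns the three Opaserv indicators listed above into a host-level check. The file paths, value names and value data are the ones the alert gives; the Run key is spelled CurrentVersion, without a space, as Windows names it. The decision logic is kept apart from the Windows-only collection step so it can be run and tested on any platform.

```python
"""Check a Windows host for the W32.Opaserv.Worm indicators named in the alert.

The file paths, value names and value data below are copied from the alert;
the script itself is an added example and not Symantec's or the post's code.
"""
import os
import sys

# Local infection (the worm was executed on this machine).
LOCAL_FILES = (r"c:\scrsin.dat", r"c:\scrsout.dat")
# Remote infection (pushed here over a share by an infected host).
REMOTE_FILE = r"c:\tmp.ini"
# Persistence: a string value under the HKLM Run key pointing at c:\tmp.ini.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = ("ScrSvr", "ScrSvrOld")
RUN_DATA = r"c:\tmp.ini"


def classify(existing_files, run_values):
    """Pure decision logic, so it can be exercised on any platform.

    existing_files: iterable of paths that exist on the host.
    run_values: dict mapping Run-key value names to their string data.
    Returns a list of human-readable indicator matches (empty when clean).
    Comparisons are case-insensitive because Windows paths and registry
    value names are.
    """
    present = {p.lower() for p in existing_files}
    lowered = {k.lower(): v for k, v in run_values.items()}
    hits = []
    for path in LOCAL_FILES:
        if path in present:
            hits.append(f"local infection indicator: {path} exists")
    if REMOTE_FILE in present:
        hits.append(f"remote infection indicator: {REMOTE_FILE} exists")
    for name in RUN_VALUES:
        data = lowered.get(name.lower())
        if isinstance(data, str) and data.strip().lower() == RUN_DATA:
            hits.append(f"persistence indicator: HKLM\\{RUN_KEY}\\{name} = {data}")
    return hits


def collect_windows_state():
    """Gather live state: which indicator files exist, and the Run values.
    Registry access only happens on Windows; elsewhere it returns empty."""
    files = [p for p in (*LOCAL_FILES, REMOTE_FILE) if os.path.exists(p)]
    values = {}
    if sys.platform == "win32":
        import winreg  # only importable on Windows
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
                for name in RUN_VALUES:
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not set: nothing to report
        except OSError:
            pass  # key unreadable; the file checks still stand on their own
    return files, values


if __name__ == "__main__":
    matches = classify(*collect_windows_state())
    print("\n".join(matches) if matches else "no Opaserv indicators found")
```

Run it on the suspect machine itself; a remote check over the same open share the worm uses is possible but would need the share path substituted for the c: drive paths. Each indicator is reported separately, since the alert distinguishes a local infection (both scrs*.dat files) from a remote one (tmp.ini), and the Run value on its own shows the worm has been installed to survive a reboot.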
Comment
=======
You will note that only Microsoft operating systems are affected, and at special risk is Outlook Express when it is set to automatically execute attachments (like pictures).
Your Outlook Express email programme may stop working due to virus infection until you can get rid of the virus.
Recommendations
===============
Immediate:
Use webmail if you are at all suspicious that you have either virus; that will stop you sending out more viruses to people. Turn off the execution of encapsulated scripts in Outlook Express.
DO NOT click on an attachment unless you are 100% sure you know what it is and that you have been expecting it: not just today, not ever.
AK users: http://pl.net/email
Out of AK users: http://webmail.bopis.co.nz
Medium term:
Get an antivirus programme installed, and/or update it today from the anti-virus download updates on your programme's home page.
Longer term:
Avoid the Outlook Express email programme; swap to Pegasus or Eudora or ... almost any other email programme.
Anti-virus measures, including ISPs', fail to stop the first wave of a new virus, something that is not unexpected as the first wave hits before adaptation to it can happen. The only real protection against viruses is self-protection, as per above.