Bugbear Virus Hits Middletown
Wednesday, May 7, 2003 12:34:32 PM - Middletown, Ohio
by Robert Vamosi and John Beagle
Bugbear (also known as Tanatos) may not be the most original worm out there; it appears to be a variation of last year's Badtrans worm. But it's currently the fastest spreading computer virus on the Internet. And it is infecting computers in Middletown, Ohio.
"Hardly a day goes by that there isn't a customer calling about a virus on their system!" says Andy Wendt, VP of Operations for ComputerServiceNow.com, a local computer company in Middletown.
After months with no major virus outbreaks, antivirus companies said we should be on the lookout for a complex virus like Nimda. But instead, along came Bugbear, a rather ordinary piece of malicious Windows code that bolted to the top of the charts in a matter of days. How did it get so far so fast?
First of all, Bugbear is sneaky. Infected e-mails have spam-like subject lines, such as "Get 8 free issues--no risk" and "My eBay ads," to help them blend in with the other junk e-mail in your inbox. And like the Sircam worm, Bugbear spoofs its return addresses, so you can't reliably say who sent the infected message.
The e-mail's attached file also uses a spoofed file extension to trick users into thinking it's one type of file when it might be another. So, for example, if an attached file says it's a .jpg, it might really be an .exe.
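As an added illustration (not code from the original article), the following Python script shows how a mail gateway or help-desk analyst can flag the spoofed-extension trick described above: it compares an attachment's declared extension against the file's leading magic bytes and also catches double extensions such as "photo.jpg.exe". The sample attachments are constructed for the demonstration and are not real Bugbear files.

```python
# Magic-byte signatures for the two types the article contrasts: a Windows
# executable (PE/DOS "MZ" header) and a JPEG image (SOI marker).
MAGIC = {
    "exe": b"MZ",
    "jpg": b"\xff\xd8\xff",
}
# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs"}

def declared_extension(filename: str) -> str:
    """Return the last extension of a filename, lowercased (e.g. 'jpg')."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def sniff_type(data: bytes) -> str:
    """Identify content by its leading magic bytes; 'unknown' if nothing matches."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return "unknown"

def assess_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment looks like a spoofed-extension lure."""
    reasons = []
    ext = declared_extension(filename)
    actual = sniff_type(data)
    # The article's case: the name claims .jpg but the bytes are a PE executable.
    if actual == "exe" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"declared .{ext} but content is a Windows executable")
    # Double extensions hide the real type when the client hides known extensions.
    parts = filename.lower().split(".")
    if len(parts) > 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension ending in executable type")
    # Runs of spaces push the real extension out of view in a narrow attachment column.
    if "   " in filename:
        reasons.append("whitespace padding in filename")
    return reasons

# Constructed sample attachments (hypothetical, not real worm samples).
SAMPLES = {
    "vacation.jpg": b"MZ\x90\x00" + b"\x00" * 60,     # PE header under a .jpg name
    "summer.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG bytes
    "ad.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,        # double extension
}

def scan_samples() -> dict:
    """Run the check over every constructed sample; empty list means no finding."""
    return {name: assess_attachment(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(name, "->", reasons or ["ok"])
```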
Even if you don't open the attached file, Bugbear exploits a known vulnerability in Microsoft's Internet Explorer to infect your computer. Because Outlook uses Internet Explorer to render HTML mail, just previewing the message in Outlook is enough to contaminate a PC. Users of IE 6.0 are not vulnerable to Bugbear. For users of IE 5.01 and 5.5, Microsoft released a patch, MS01-020, 18 months ago. Nimda exploited this same vulnerability almost one year ago.
Second, Bugbear spreads quickly. All it needs is one vulnerable system to gain a foothold on a network. Once it infects the vulnerable system, it can spread to other computers--and even printers--via open NetBIOS file shares on port 137. Since users frequently share files over networked systems, the worm can infiltrate very fast. If Bugbear tries to spread to a shared network printer, it causes the printer to spew gibberish, such as one line printed on dozens of sheets of paper. Last year's Nimda affected printers, too.
Third, Bugbear is hard to fight. Once the infection spreads across a network, it's impossible for IT staff to isolate it until all traces of the virus are removed from the network. Several IT departments have reported battling multiple Bugbear infections--containing the virus on the fifth floor while it runs amok on the fourth floor, or in a satellite office.
And fourth, like the Klez virus that surfaced earlier this year, Bugbear turns off nearly all major desktop firewall and antivirus programs. If you aren't sure whether you've been infected by Bugbear, check and see if your antivirus and firewall protection still works.
The most dangerous aspect of Bugbear is that it includes a Trojan horse that logs your keystrokes. This means it's possible that the virus author, listening on TCP port 36794, could capture from your infected PC everything you type on your keyboard, including your credit card numbers or your passwords. The Trojan horse also allows a malicious user to remotely access infected systems, adding or deleting files without your permission. In addition, a malicious user could enlist all the infected desktops worldwide to participate in a coordinated distributed denial-of-service (DDoS) attack. So far, however, there's no evidence this has been performed successfully.
While some reports say Bugbear originated in Malaysia, Malaysian authorities have had no luck finding the culprit. That could be because the author is somewhere else, like Singapore or Korea. Malicious users are good at obscuring their locations and identities. I wouldn't be surprised if the author is in a different part of Asia, or even in the Western hemisphere.
If you've been infected by Bugbear, contact CSN1.com for help. You may reach CSN1's Middletown office by calling 422-1907.