Bugbear e-mail Worm Spreading at an Alarming Rate; F-Secure Raises Alert to Highest Level, as Bugbear Becomes The Most Widespread Virus Currently in Circulation.

Business/Technology Editors

HELSINKI, Finland--(BUSINESS WIRE)--Oct. 2, 2002

The Bugbear e-mail worm (also known as Tanatos), first seen on Monday, September 30, has been located in dozens of countries worldwide and continues to spread at an increasing rate. Current statistics show that Bugbear/Tanatos has passed Klez as the most common virus currently in the world.

Bugbear is a Windows mass mailer, spreading itself in infected e-mail attachments, sometimes executing the attachment automatically. It also tries to spread through open Windows fileshares. A side effect of this is that the worm sometimes prints massive amounts of nonsense text on network printers. The worm also attempts to terminate the processes of various antivirus and firewall programs. Once a machine is infected, it can be remotely controlled via a graphical backdoor, allowing the hacker to steal and delete information from affected computers.

VIRUS OPERATION

The worm can pick up old e-mail messages from an infected system and send them to random e-mail addresses. This means that private e-mails will be disclosed to third parties.

"Forwarding old e-mails is actually a social engineering trick," comments Mikko Hypponen, manager of anti-virus research at F-Secure. "When people receive such e-mails, they will be baffled by the contents. In many cases they will click on the file attachment just to figure out what the strange e-mail is all about - thereby becoming infected."

Some e-mails sent by Bugbear will use the IFRAME vulnerability.
This means that on an unpatched Windows system, the worm attachment will execute automatically as soon as it is previewed or read. In some cases the worm fakes the e-mail address of the sender, thus making it look as if an innocent third party sent the worm. This creates further confusion and makes it difficult to warn the infected parties of the problem.

Once one machine gets infected via e-mail, the worm spreads effectively within corporate LANs. It will enumerate all network shares and try to copy itself to them. On Windows machines with hard drives shared for several users, the worm attempts to copy itself to the Startup folder, activating when the machine is rebooted.

The worm tries to copy itself to all types of shared network resources - including printers. Printers will not and cannot get infected by Bugbear, but they will attempt to print out the binary code of the worm, resulting in dozens or hundreds of pages of garbage.

The Bugbear worm tries to terminate various processes in the memory of an infected computer. This includes processes used by most of the popular antivirus and personal firewall products, including the outdated F-Secure Anti-Virus v4.x series. However, the worm does not affect the current F-Secure Anti-Virus v5.x series.
In any case, the worm can only attack security programs if it executes, and up-to-date anti-virus programs will prevent it from executing.

"As this worm is already widespread, there must now be thousands and thousands of computers in the Internet without any antivirus or firewall protection, because Bugbear has removed them," commented Hypponen.

The worm will install a backdoor to all infected systems. This backdoor can be exploited by the virus writer or by hackers, allowing them to connect to infected machines using a web browser. The worm will show a web user interface through which the attacker can browse local files or execute programs.

"We haven't seen such an advanced backdoor in a worm before," said Hypponen. "Fortunately, it is not easy for script kiddies to enable this functionality.

"It was such a nice and quiet year virus-wise, up until the middle of September," continued Hypponen. "After that we have had many large outbreaks, including the Slapper and Devnull Linux worms, and the Opaserv and Bugbear Windows worms."

The year 2001 is generally considered to have been the worst virus year ever. "During 2002, the Klez virus has been the most common virus for months and months. As Bugbear is quite similar to Klez in many ways, I am afraid Bugbear will still be widespread in 2003," Hypponen said.

A detailed technical description of the worm as well as screenshots are available in the Global Bugbear Information Center at http://www.F-Secure.com/bugbear/ .

F-Secure Anti-Virus 5.40 can detect, stop and disinfect the Bugbear worm, even if the system is already infected with the worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com

About F-Secure Corporation

F-Secure Corporation is a leading provider of centrally managed security for today's mobile, wireless enterprise. The company offers a full range of award-winning, integrated anti-virus, file encryption, distributed firewall and VPN (Virtual Private Network) solutions for workstations, servers, gateways and mobile devices. F-Secure products are uniquely suited for delivery of Security as a Service, which provides invisible, reliable, always-on, and up-to-date security for the most widely distributed user base. Whether provided by corporate IT or delivered by service providers, F-Secure solutions extend policy-based security and instant alerts to all devices where information is created, stored or accessed.

Founded in 1988, F-Secure Corporation is listed on the Helsinki Exchanges (HEX: FSC). The company is headquartered in Helsinki, Finland with North American head office in San Jose, California, as well as offices worldwide.