Marketing 101. Consulting 101. PHP Consulting. Random geeky stuff. I Blog Therefore I Am.


The FuzzyBlog!


Updated: 11/1/2002; 5:16:51 AM.

 Saturday, October 05, 2002

Watch Out for the BugBear

This looks like a NASTY new virus.  I know of one person who got it posing as an Amazon mail.  The attachment comes in as an SCR, EXE or PIF file (all of which qualify as executable) and what it does is open holes in your firewall to allow someone to remote control your PC at a future point.  Apparently there are over 1,000 infections to date.

W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22.

Also Known As: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: Worm
Infection Length: 50,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154

Symantec's Warning
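A mail gateway or mailbox audit can act on the details above before anyone opens the message. The following is an added example, not code from Symantec or from this blog: it parses a message, flags attachments whose last extension is SCR, EXE or PIF, and separately notes any attachment whose decoded size equals the quoted infection length. It goes slightly beyond the post by judging only the final extension, so a name such as "Receipt.doc.PIF" is still caught. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {".scr", ".exe", ".pif"}  # attachment types named in the post
BUGBEAR_LENGTH = 50_688  # "Infection Length" quoted above; supporting signal only


def final_extension(filename):
    """Return the lower-cased last extension, ignoring trailing dots and spaces."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def flag_attachments(raw_bytes):
    """Return [(filename, [reasons])] for attachments worth quarantining."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text and multipart containers carry no filename
        reasons = []
        if final_extension(filename) in RISKY_EXTENSIONS:
            reasons.append("executable extension")
        payload = part.get_payload(decode=True) or b""
        if len(payload) == BUGBEAR_LENGTH:
            reasons.append("size matches quoted infection length")
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample():
    """Constructed message with harmless placeholder bytes, not a real sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your order"
    msg.set_content("See attached.")
    samples = [("notes.txt", b"harmless text"),
               ("Receipt.doc.PIF", b"placeholder bytes"),
               ("photo.jpg", bytes(BUGBEAR_LENGTH))]
    for name, data in samples:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in flag_attachments(build_sample()):
        print(filename, "->", ", ".join(reasons))
```

A size match alone is weak evidence, so treat it as a reason to look closer rather than as a verdict.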

Apparently there is a hole in Internet Explorer's iFrame feature which may let the attachment launch itself if you are running Outlook's Preview Pane, so be careful (as a general rule of thumb, you always want to have the Preview Pane turned off and use AutoPreview instead).

This is yet another reason to go with hardware firewalls to protect your cable modem as opposed to software products like ZoneAlarm.  It's a lot harder for a virus or worm to reach across to a hardware device and screw it up (but it's not impossible).  I use the excellent Linksys BEFSR41 Broadband Cable / DSL Router.

Or, of course, you could always just get a Mac.  Looking better and better.


6:53:07 AM