

Bugbear Windows Virus Making the Rounds

lysurgon writes "CNN.com is reporting that the "BugBear" virus (Windows/Outlook only) is spreading quickly. Unlike ILoveYou-type viri, instead of deleting files or just propagating itself, this animal disables firewall software and opens a port to receive remote commands. The article doesn't draw this conclusion, but this effectively sets up slave machines for DDoS uses. Also worth noting is the puzzlement of anti-virus guys as to why they haven't been able to make the virus spread in the lab. "One of the theories is that this requires an Internet connection in order to spread." Gee, you don't say?"

  1. Removal tool by Anonymous Coward · · Score: 5, Informative

    Get it here

  2. There's a patch since March 2001 by swissmonkey · · Score: 4, Informative

    http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS01-020.asp

    Blame the admin

    1. Re:There's a patch since March 2001 by Inthewire · · Score: 2, Informative

      If you're an idiot, yeah.
      Slashcode inserts a space into long strings - this helps prevent page-widening posts. Notice the space in the URL? That needs to be removed in order for the link address to be properly resolved. True, the asshat who posted it could have taken an extra few seconds and made a clickable link, but the fault is not really his and it isn't really Microsoft's. It is the result of abusive (Klerck, I'm looking at you) or ignorant users. If people would refrain from posting long unbroken strings this particular mess could be avoided.
      Such is life.
      Have a Coke and a smile.

      --
      Writers imply. Readers infer.
    2. Re:There's a patch since March 2001 by taernim · · Score: 3, Informative

      404 -- file not found. Gee, that's a handy patch. I think you meant this.

      --
      "PC Load Letter? What the $@#% does that mean?!"
  3. My client caught it, Strange symptoms by reezle · · Score: 5, Informative

    2 workstations at a client of mine caught this bug. The AV system kicked in shortly thereafter, and stopped the spread. (I had to manually clean the machines, though)
    Strange symptoms appeared just before we knew there was a virus: All of the printers in the network started printing garbage. I had to reload the print drivers from CD for all the server's printers to stop the effect.

    Anyone else seen the virus in a network? Anyone else seen similar print symptoms?

    1. Re:My client caught it, Strange symptoms by b0r1s · · Score: 5, Informative

      We've trapped a few in the email system (prior to infection), but I've been noticing a lot of port 137 activity that I believe is tied to the virus. The main difference between legitimate traffic and the viral traffic is the lack of a broadcast bit (real ms network traffic will be sent broadcast, the virus sends machine to machine), and a source port of 1024-1030 rather than 137.

      The junk from the printer is probably due to the random network traffic it sends out.

      Some stats for people who like numbers:

      1944 viruses (18 different strains) found since Sat, 31 Aug 2002

      Virus: W32/Klez-H found 1603 times (82 %)
      Virus: W32/Yaha-E found 166 times (8 %)
      Virus: W32/Sircam-A found 93 times (4 %)
      Virus: W32/Bugbear-A found 23 times (1 %)
      Virus: W32/Magistr-B found 20 times (1 %)
      Virus: W32/Nimda-D found 7 times
      Virus: W95/CIH-10xx found 5 times
      Virus: W32/Yaha-D found 5 times
      Virus: W32/Klez-E found 5 times
      Virus: W32/Nimda-A found 4 times
      Virus: W32/Hybris-B found 4 times
      Virus: VBS/Redlof-A found 2 times
      Virus: W32/Cervivec-A found 1 times
      Virus: W32/Hybris-C found 1 times
      Virus: W32/Weird-10240 found 1 times
      Virus: W32/Klez-Fam found 1 times
      Virus: WM97/Marker-Fam found 1 times
      Virus: W32/Magistr-A found 1 times

      --
      Mooniacs for iOS and Android
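The traffic heuristic b0r1s describes above (NetBIOS name-service traffic to UDP 137 that is unicast rather than broadcast and comes from a source port in the 1024-1030 range) can be turned into a small triage script. The following is an added example, not code from the original thread; the flow records, the 192.168.1.0/24 subnet and the alert threshold are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed local subnet for deciding what counts as a directed broadcast.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto).
# Not a real capture; shaped to show the two patterns described in the post.
SAMPLE_FLOWS = [
    ("192.168.1.10", 137, "192.168.1.255", 137, "udp"),     # normal name query, subnet broadcast
    ("192.168.1.11", 137, "255.255.255.255", 137, "udp"),   # normal, limited broadcast
    ("192.168.1.44", 1025, "192.168.1.12", 137, "udp"),     # unicast probe, ephemeral source port
    ("192.168.1.44", 1026, "192.168.1.13", 137, "udp"),
    ("192.168.1.44", 1027, "10.0.0.5", 137, "udp"),
    ("192.168.1.12", 137, "192.168.1.44", 137, "udp"),      # unicast reply from port 137: not a probe
    ("192.168.1.10", 49152, "192.168.1.20", 445, "tcp"),    # unrelated SMB session
]


def is_broadcast(dst_ip):
    """True for the limited broadcast address or the LAN's directed broadcast."""
    addr = ipaddress.ip_address(dst_ip)
    return addr == ipaddress.ip_address("255.255.255.255") or addr == LAN.broadcast_address


def classify_flow(flow):
    """Label one flow using the broadcast-bit / source-port heuristic from the post."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    if proto != "udp" or dst_port != 137:
        return "other"
    if is_broadcast(dst_ip):
        return "broadcast-nbns"          # ordinary Windows name resolution
    if 1024 <= src_port <= 1030:
        return "unicast-probe"           # machine-to-machine from a low ephemeral port
    return "unicast-nbns"                # unicast but from port 137 (e.g. a reply)


def suspect_sources(flows, threshold=2):
    """Source IPs that sent at least `threshold` unicast probes; worth a host check."""
    counts = Counter(f[0] for f in flows if classify_flow(f) == "unicast-probe")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(classify_flow(f), f)
    print("suspect sources:", suspect_sources(SAMPLE_FLOWS))
```

The threshold keeps a single stray unicast query from raising an alert; in practice the hosts this returns are the ones to pull off the network and scan, whichever worm turns out to be responsible.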
    2. Re:My client caught it, Strange symptoms by Theatetus · · Score: 5, Informative

      We had one get into our network. It didn't disable NAV on the machine and it was pretty easy to remove (just clear out the "Startup" folder in %root_drive%:\Documents and Settings\%username%\Start Menu\Programs, reboot and backup to a known-good registry. You keep a known-good registry backup, right?... If not, delete any keys in HKLM->Software->Microsoft->Windows->RunOnce)

      Also, run Task Manager and kill-9 (or whatever the Windows equivalent is) any random 3- or 4-letter processes after you've cleared the Run Once keys and Startup folder.

      I think the executable is printing its own binary when it tries to infect a printer.

      As always, patched machines should do OK; the one that got through only did because it was still running IE 5 without any updates. YMMV.

      --
      All's true that is mistrusted
    3. Re:My client caught it, Strange symptoms by tubabeat · · Score: 3, Informative

      According to the analysis by Sophos

      Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.

      Judging from the questions I've had over the past two days (from users, about incoming emails which have been 'disinfected') it's also worth noting...

      the worm can spoof the From and Reply To fields in the emails it sends. [Like Klez & YaHa do]

      We use MailScanner along with a Sophos engine to filter our incoming mail - and we've caught dozens of this worm in the last two days. Remembering the trouble from Nimda last year I'd recommend MailScanner to everyone, it's free & can be used with a variety of engines. [I'm not associated with the MailScanner project BTW]

      --
      "Linux is a serious competitor"
      - Steve Ballmer, Chief Executive Microsoft Corp.
    4. Re:My client caught it, Strange symptoms by ninthwave · · Score: 5, Informative

      From what I have read on the virus it does more than the CNN article goes into; quotes from the Symantec FAQ on the virus. We have two machines isolated at work now that I have to check on Monday for this. Off network and turned off waiting for me to get through my weekend. It is a pretty interesting read on what it does. It seems to be a Klez variant with some extra functionality. So like Klez it tries to disable antivirus software and it has added more processes to kill; read the Symantec write-up on it. Though I believe sometimes Symantec overstates virus threats, this one seems to do a lot in a little package.

      The keyboard logging and the open port 80 makes it very interesting to see if it is waiting for a cracker to come along or if it is waiting for other payload from another infected machine or from a variant.

      http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html

      "Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

      It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22."

      "The third thread that the worm creates is a backdoor routine. It opens port 36794 and listens for commands from the hacker. The commands permit the worm to perform the following actions:

      Delete files.
      Terminate processes.
      List processes and deliver the list to the hacker.
      Copy files.
      Start processes.
      List files and deliver the list to the hacker.
      Deliver intercepted keystrokes to the hacker (in an encrypted form). This may release confidential information that is typed on a computer (passwords, login details, and so on).
      Deliver the system information to the hacker in the following form:

      User:
      Processor:
      Windows version:
      Memory information:
      Local drives, their types (e.g., fixed/removable/RAM disk/CD-ROM/remote), and their physical characteristics

      List network resources and their types, and deliver the list to the hacker.

      If the operating system is Windows 95/98/Me, the worm attempts to obtain access to the password cache on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and others. This is done using an officially undocumented function (WNetEnumCachedPasswords) that exists only in Windows 95/98/Me versions of the Mpr.dll file.

      One of the commands permits the Trojan component to deliver data using HTTP port 80. The results of the backdoor activity may be represented in the form of HTML pages. This gives a hacker a convenient way to browse the compromised computer resources.

      The fourth worm thread replicates across the network. To do this, the worm lists all of the resources in the network. If it locates open administrator shares, it attempts to copy itself to the Startup folder of the remote computer. This leads to the infection of the compromised network computers as soon as they are restarted.

      Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality."

      --
      I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
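The quoted Symantec write-up gives defenders two host-side indicators: a listener on TCP port 36794 and results served over HTTP port 80 on a machine that has no business running a web server. As an added example (not from the thread or from Symantec), here is a parser for `netstat -an` style output that audits the listening ports against a baseline; the netstat text and the workstation baseline of 135/139/445 are constructed for illustration.

```python
import re

# Constructed sample in the shape of Windows `netstat -an` output; not from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.44:1031      192.168.1.12:139       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline of TCP listeners expected on an ordinary workstation.
EXPECTED_WORKSTATION_LISTENERS = {135, 139, 445}

# Port taken from the Symantec description quoted in the post.
KNOWN_BAD_PORTS = {36794: "known Bugbear backdoor port"}

# Proto, local addr:port, foreign addr, optional state. Backtracking on \S+ handles
# both dotted-quad and bracketed IPv6 local addresses.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Turn netstat lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local_addr, local_port, foreign, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": local_addr,
            "local_port": int(local_port),
            "foreign": foreign,
            "state": state or "",
        })
    return rows


def listening_ports(rows):
    """TCP ports the host is accepting connections on."""
    return {r["local_port"] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def audit_listeners(text, baseline=EXPECTED_WORKSTATION_LISTENERS):
    """Return (port, reason) for every listener that is known-bad or outside the baseline."""
    findings = []
    for port in sorted(listening_ports(parse_netstat(text))):
        if port in KNOWN_BAD_PORTS:
            findings.append((port, KNOWN_BAD_PORTS[port]))
        elif port not in baseline:
            findings.append((port, "unexpected listener"))
    return findings


if __name__ == "__main__":
    for port, reason in audit_listeners(SAMPLE_NETSTAT):
        print(f"port {port}: {reason}")
```

The baseline check is what catches the port 80 listener: the backdoor port is a fixed indicator that a variant could change, whereas "a workstation suddenly serving HTTP" is a durable sign that something is wrong.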
    5. Re:My client caught it, Strange symptoms by bmajik · · Score: 3, Informative

      haha

      if you succeed in killing smss.exe, the machine goes away :)

      similarly, if csrss.exe exits, smss.exe bluescreens the machine.

      lsass is the local security agent subsystem server. (I always read this as "ls ass".)

      SMSS is the session management subsystem. it spawns Csrss.exe (Client Server Run Time SubSystem - the Win32 layer on top of NT)

      If you have a suitably old smss.exe, it also spawns the OS/2 1.x layer or the POSIX layer. If you have Services for UNIX, there is a new posix.exe layer and psxrun.exe servers that you'll also see.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    6. Re:My client caught it, Strange symptoms by ananke · · Score: 2, Informative

      According to Sophos, this virus/worm/whatever_you_want_to_call_it tries to spread itself over the network shares, etc. One of the things it does is try to connect to printers, and all you get is the Bugbear trying to print out itself :)

      Anyway, kudos to Sophos. I use their anti-virus with MailScanner on our Linux e-mail server. We used MailScanner's auto-update script, which we set to contact Sophos once an hour and download the latest IDEs for our scanner. This way, when on September 30th I received an e-mail alert from Sophos about Bugbear spreading like fire, I checked our server, and guess what - it already had the IDE files. Makes my life as a sysadmin much easier :). As a side note, we didn't get any Bugbear hits until October 4th.

      I know that scanning e-mail attachments, etc, is not total protection [we also use AV software on each desktop], but it surely helps a lot. In addition to using Sophos to scan our e-mail, we use it to scan all the shared Samba drives, which reside on another box. Overall, I can sleep better.

      ps) I think sophos also released some cleaning tool for bugbear.

      --
      --- d'oh
  4. Re:hah by frodo+from+middle+ea · · Score: 2, Informative

    The last time I tried one of those BIG-NAME antivirus solutions (name withheld in fear of a defamation suit), it completely crashed my OS, my hard disk and my motherboard. If you want a much cleaner solution try a free anti-virus from Grisoft. Or better still use Linux like I do :-) -- using Linux with the root account is more dangerous than using Windows. Don't believe me? Just do "rm -rf /"

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  5. Re:Virus that disables anti-virus software? by br0ck · · Score: 5, Informative

    Klez did this as well. Also, Melissa turned off Word's security protection.

  6. Re:What's the plural of virus? by iabervon · · Score: 5, Informative

    There are a number of bits of that page that make it clear that the author doesn't actually know Latin.

    And we certainly don't grab for genitive singulars for the plurals when we've started out with a nominative.

    Except that viri (from vir, mentioned just above) uses the same thing for the genitive singular and nominative plural, as do all regular 2nd declension masculine nouns that don't end in -ius. For that matter, spoken English doesn't normally distinguish the singular possessive from the nominative plural (written uses an apostrophe, which doesn't affect pronunciation).

    As far as how such a noun should work in the plural, there's a perfectly good example: cetus (whale) has a perfectly normal plural ceti, following the masculine pattern despite being neuter, just like virus.

    On the other hand, the plural of virus is not attested in any form. The logical conclusion of this fact is that virus is a word like "sheep" or "fish", which doesn't have a distinguished plural form. It makes more sense, anyway, because you're not generally dealing with individual copies; you're dealing with an infection as a whole.

    Of course, if you really want a plural that's obviously a plural and refers to multiple different entities, use "worms".

  7. Re:Because the patch has been out for ALMOST 2 YEA by Tracy+Reed · · Score: 2, Informative

    Unless you run SE Linux. SE Linux will prevent the Apache/OpenSSL/WU-FTPd/Sendmail exploits from working.

  8. Re:Why is anyone running outlook anymore? by txsable · · Score: 3, Informative

    If Outlook and Outlook Express are so unrelated, why are you REQUIRED to have Outlook Express installed to run Outlook 2000?

    Been there, tried this. There is NO way around having to have OE installed to run Outlook2K.

    (The only reason I use any MS emailer is because my office uses it. I actually had to convince someone here that using OE to pop our one email account that is allowed to receive attachments was a Bad Idea, and finally got him to change to Eudora...)

  9. Re:Funny by GigsVT · · Score: 5, Informative

    The OpenSSL exploit (and the slapper worm that used it) and the apache chunked exploit were all on the front page. Front page stories were run on Lion/Ramen/etc also.

    You apparently don't read Slashdot enough if you think they don't cover Linux worms in some attempt to make Linux look more secure than it is.

    Funny that pretty much any "bash slashdot" post can get modded up, even if it is completely (and provably) false.

    http://apache.slashdot.org/apache/02/06/28/181231.shtml?tid=148
    http://slashdot.org/article.pl?sid=02/09/25/1210247&mode=thread&tid=148
    http://apache.slashdot.org/article.pl?sid=02/09/13/2315246&mode=thread&tid=172
    http://developers.slashdot.org/article.pl?sid=02/07/30/1323226&mode=thread&tid=128

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  10. Re:Why is anyone running outlook anymore? by GarryOwen · · Score: 2, Informative

    Outlook 2k uses Outlook Express as the news client. It is possible to install Outlook 2k with OE but it's a bitch. But you can always uninstall OE after the Outlook 2k install.

  11. Irony? Or something sinister? by Artifex · · Score: 3, Informative

    I first heard about this virus in the last few days in the form of spam that came to my box, proclaiming that Bugbear was a new virus on the loose.

    The fact that a spammer knows about this virus way before Slashdot indicates he's either very fast moving, or he may have some relationship with whoever created it. Unless, of course, Slashdot is just behind.

    --
    Get off my launchpad!
  12. The port 137 probes are a different virus... by Anonymous Coward · · Score: 1, Informative

    Those are from the W32.Opaserv.Worm. Read more about it here.