Slashdot Mirror


Yet Another Windows Worm

kraksmoka writes "MSNBC is reporting that yet another active worm is taking over computers in 115 countries today. 'Antivirus companies were on high alert Thursday after the rapid spread of a new computer worm that includes particularly malicious snooping techniques. Bugbear.B, a variant of a worm released last year, installs keylogging software, back-door software, and in some cases even attempts to control infected computersâ(TM) modems. Some of the wormâ(TM)s functions are designed to specially target financial institutions.' Yummy!"

18 of 726 comments (clear)

  1. Alreay run into this... by Anonymous Coward · · Score: 5, Interesting

    I've already run into this with one of our banking customers... now if they'd only bought the firewall solution from us that stripped email attatchments based on mime type and/or file extension (why the hell any half-way reasonable person would double-click on a .pif file in their email is beyond me). If I'd only known 10 years ago (before I was legally an adult) the kind of security that existed at some of the small to medium sized banks, I probably I've already run into this with one of our banking customers... now if they'd only bought the firewall solution from us that stripped email attatchments based on mime type and/or file extension. If I'd only known 10 years ago (before I was legally an adult) the kind of security that existed at some of the small to medium sized banks, I probably would have made some very different career choices--I suppose it's better this way... (Posted anonymously for obvious reasons)

    1. Re:Alreay run into this... by LiquidCoooled · · Score: 5, Interesting

      there are plenty of people out there who are using windows 98 on a modem.
      Over the last 2 years they have allowed windows update to drip the updates to them.
      Last week Joe's hard drive crashed and he reinstalled.

      I cant see him sitting there for the next 8 hours downloading patches - sure, he will run windows update if we are lucky, but he's likely to be getting his other more important (to him) stuff setup to be worrying about critical updates.
      Waiting for a mail about college?
      Waiting for his girlfriend to get back to him?

      Whatever it is, his thoughts at best would be "I'll just quickly check my mails..........."

      I dont think its entirely stupidity, its human nature.

      --
      liqbase :: faster than paper
  2. it's a good one! by thomasmd · · Score: 5, Interesting

    This one spread through my university like wildfire today! It even seems to fake Norton virus definition updating, such that the computer appears to be updating it's virus definitions but isn't. It seemed to spread via hijacked messages that it attached itself to.

  3. It's a fun one. by offpath3 · · Score: 4, Interesting

    This virus has been hitting a bunch of people over here at Stanford since sometime yesterday. It takes random messages from your inbox and forwards them to random people in your contact list and spoofs the sender. I've recieved a lot of weird emails lately, but some of my neighbors have seen some pretty personal emails sent or recieved by their friends and acquaintences. People hitting on people, people asking their parents for money, rejection letters from companies... the whole works. Our SMTP server has been completely shut down to stop the spread!

  4. How to Fix MS Software by MBCook · · Score: 5, Interesting
    ... and in some cases even attempts to control infected computersâ(TM) modems.

    Seems to me that would be the way to get these things fixed permanantly. Make a worm that would call MS tech support on peoples modems. Or any other MS 800 number. Untill something costs them a LOT of money, these will continue to show up.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:How to Fix MS Software by parkanoid · · Score: 3, Interesting

      No, it's like suing ford because the doors in your car don't lock factory-standard, and fixing them requires a professional mechanic and a pile of manuals, and any further repairs to the car might break the door again. And did I mention the gigantic neon sign on the roof stating "ROB ME PLEASE!"?

  5. Re:Modem.. by bhtooefr · · Score: 3, Interesting

    They said that it attacked banks (it appears to be a backdoor bank heist worm). Someone said that US banks would probably not be affected, but a lot of third-world banks that do have a 56K could get hit.

  6. It's a nasty one by jdreed1024 · · Score: 5, Interesting
    This hit MIT starting this morning. It's quite clever about where it gets the addresses and e-mails from. It knows how to scan the mailbox formats of many common e-mail clients, not just Outlook. It sends itself as an attachment to actual messages from the infected user's inbox. So the body is not something obvious ("I send you this file to have your advice"). I actually thought several of the messages I received were real, since they pertained to recent business around campus. (I didn't open the attachments, of course seeing the .scr extension - not that it does much to an OS X box). It's backdoor runs on a fairly standard port (1080) that's used for plenty of legitimate apps (proxy servers) so scanning your network for open ports won't necessarily find it for you. (as opposed to scanning and seeing that port 31337 is open, or something like that, which obviously "wrong"). The keylogger component is quite scary too. It's one of the more advanced viruses I've seen recently...

    On a related note, anti-virus programs is one place where I can actually see a potential useful application of "trusted computing" (no, not necessarily Palladium). If there could be some way to to tell the OS "Look, I don't care if you're the administrator or not: the only programs that are allowed to terminate the anti-virus scanner process are the scanner itself, and, say, Task Manager". By using keys to prove their identity, it _might_ make it a lot harder for virii to terminate anti-virus programs. (Note to slashbots: I'm not saying Palladium is good because it will do this (I don't even know if it does). I'm saying this is one potential application of some as-yet-undeveloped implemenation of "trusted computing".

    --
    There is no sig, there is only Zuul.
  7. Fools! by displaced80 · · Score: 5, Interesting

    Any readers in the UK with Sky Digital, switch to channel 268.

    Overnight, the channel plays a Flash-based word game, where viewers SMS in answers. It's running on a Windows PC, and the screen currently being broadcast to 7 million homes is....

    McAfee dialog box: 'bugbear.b High Virus Advisory....'

    Hmmm.

    (wandering OT - the channel, 'Friendly TV' is apparently being run by students on work experience. A nightly live-broadcast show is 'Girl Talk', where... girls... talk... about... things. Whatever comes into their heads. Oh, and they get progressively more drunk as the evening progresses, which no doubt helps.)

    --
    What's the frequency, Kenneth?
  8. this is why.. by cfscript · · Score: 3, Interesting

    you know..

    for the longest time, i've been attempting to defend windows ever since 2k stopped being the 'absolute junk' syndrome. i read about this earlier in the day, and started ranting in irc.

    well, since it's easier to bitch than act, i decided to act. i went directly to the local apple store and bought an ibook.

    i have -never- been happier. this is literally the best of breed machine i have ever used. all the benefits of unix without the hassle of windows.

    so, this is totally offtopic, but as a govt. employee who deals with this sort of thing every day, my old home pc is now strictly a local lan CF/oracle development box, and every damn machine i buy from now on will be apple.

    --
    Are you MORE than your SPINAL COLUMN?
  9. Re:Modem.. by dorko · · Score: 5, Interesting
    Bzzt. Wrong. Thanks for playing.

    This worm does try hard to get on the 'net. Copied from Symantec.

    If W32.Bugbear.B determines that the default e-mail address for the local system belongs to a banking company, it enables auto-dialing through the registry.
    This is accomplished by setting the following value:
    "EnableAutodial"="0000001"
    in the registry key

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings
    The worm contains a large list (over one thousand) of targeted bank domain names from around the world. This is likely in an attempt to steal passwords more effectively. Therefore, banking institutions may be considered to be more at at risk.
    Looks like they're trying to obtain passwords to bank specific systems.
  10. Come on people, patch your OS's by stefanlasiewski · · Score: 4, Interesting

    You can fix the OS, but you can't fix the users. People who get hit by this have nobody to blame but themselves (or their Windows administrator).

    Microsoft fixed this vulnerability more then 2 years ago. Why do people not update their software?

    According to Symantec, Bugbear.B "uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability".

    --
    "Can of worms? The can is open... the worms are everywhere."
  11. Re:This went through my workplace like wildfire to by MeanMF · · Score: 4, Interesting

    One interesting thing is it opens port 1080, which is normally used by MSN messenger

    Sounds like you're using a Socks server to connect to MSN - 1080 is the default Socks proxy port, not MSN messenger.

  12. This is amazing by nihilogos · · Score: 4, Interesting

    The entire physics department here got an email with the subject line "Re: hep-lat 020711 daily received" with the pif attachement.

    hep-lat is the Los Alamos eprint Archive subject code for high energy physics on lattice models. The email refers to a paper on "A new proposal for the fermion doubling problem" which is supposedly attached (instead you get the .pif file)

    The subject line is matched amazingly well to the recipient list. I thought "that looks interesting, I might have a look even though I probably wasn't supposed to get it."

    --
    :wq
  13. Re:Frustratingly typical day in the life of Micros by afidel · · Score: 4, Interesting

    Sorry but enterprise level and MS do not belong anywhere near each other despite what MS wants you to believe. I'm an MCSE and I can't imagine running critical services on the MS platform, user authentications, file sharing, and printing sure, but as an application platform windows server is just too bug ridden.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  14. Re:and that will work how? by Kris_J · · Score: 4, Interesting
    do the users know that openme.doc.scr is more likely to be a virus than flowerbox.scr?
    Which is why all .pif, .scr, .exe files are blocked at the email server, in or out. And why anything with double-barreled extensions (.doc.pdf) are also killed, or anything with heaps of whitespace in the name. The message is in place of the attachment.

    Strangely, our business can continue to operate without problems or delays even if the staff can't email screensavers to their friends.

  15. Re:windows vs *nix - un-informed is un-informed by PenguiN42 · · Score: 4, Interesting

    In contrast, right now my XP laptop is running login.scr as SYSTEM. Yup, a screen saver with system level privs.

    What's your point? The login screen saver logs users in, so it makes sense that it has some sort of advanced privileges. (Maybe it doesn't need all of SYSTEM, true...)

    And the screen saver is well protected in winnt, believe it or not. It runs in a separate secure desktop, just like the ctrl-alt-del desktop does.

    Now I agree that the security architecture of windows has flaws, but c'mon, there's got to be a better example than login.scr...

    --
    The following sentence is true. The preceding sentence was false.
  16. BugBear then goes searching for a modem by t0qer · · Score: 3, Interesting

    I disagreed with one point the article made.

    BugBear then goes searching for a modem, enables it, then tries to get the computer to dial out, probably to reach the virus author. âoeHe really wanted to get into those machines,â Kuo said. U.S. financial institutions probably arenâ(TM)t at risk from this technique, Kuo said, because most donâ(TM)t have modems attached to their critical computers any more.

    Today I was at fry's electronics, and I saw a Quickbooks POS (point of sale, not peice of shit) system on display for small to medium business. This started getting me thinking back to my earlier days of consulting.

    One of the companies I did work for had a retail chain of mall stores. At night the registers would dump their management reports to our AS/400 machine and someone would make neat reports out of them. It wasn't a huge amount of data, so each store would just phone home on those really nice $300 courier modems.

    Most of our store managers kept in touch with us via outlook/exchange server.

    Now another interesting side note is veriphone uses POTS lines for nearly %100 of their credit card processing. Tons of small stores have networks in them now, managers reading e-mail and such.

    So which of these financial institutions has its shit so well together that they don't need modems? I just wanted to point out the author of the article is a stupidhead. Boo!