PSS Security Response Team Alert - New Worm: w32/Bugbear@MM

SEVERITY: MODERATE

DATE: September 30, 2002

PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail programs

**********************************************************************

WHAT IS IT?

The PSS Security Response Team is issuing this alert to inform customers about the W32/Bugbear@MM worm, which appears to be spreading in the wild. Best practices, such as filtering certain file types at the mail gateway and applying security patches, should prevent infection by this worm. Customers are advised to review the information and take the appropriate action for their environments.

IMPACT OF ATTACK:

Mass-Mailing, Trojan delivery

TECHNICAL DETAILS:

The W32/Bugbear@MM worm spreads via e-mail and network shares. E-mail messages sent by the W32/Bugbear@MM worm may use the vulnerability described in Microsoft Security Bulletin MS01-020, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment, so that the attachment runs automatically on unpatched computers when the infected message is viewed, without the user opening the attachment.

The following characteristics apply to the infected e-mail message:

Subject Line: (Subject Lines found include, but are not limited to)

Found

150 FREE Bonus!

25 merchants and rising

Announcement

bad news

CALL FOR INFORMATION!

click on this!

Correction of errors

Cows

Daily Email Reminder

empty account

fantastic

free shipping!

Get 8 FREE issues - no risk!

Get a FREE gift!

Greets!

Hello!

history screen

hotmail.

I need help about script

Interesting

Introduction

Just a reminder

Market Update Report

Membership Confirmation

My eBay ads

New bonus in your cash account

New Contests

new reading

News

Payment notices

Please Help

Report

SCAM alert

Sponsors needed

Stats

Today Only

Tools For Your Online Business

update

various

Warning!

Your News Alert

The message body and the attachment name vary from message to message. The attachment commonly uses a double extension, such as .exe.pif, so that the name suggests one file type while the final extension, which is what Windows uses to decide how to open the file, is executable.

W32/Bugbear@MM also spreads by copying itself to network shares it can write to, so one infected workstation can seed the worm onto other computers without any e-mail being sent.

The W32/Bugbear@MM worm also attempts to terminate antivirus-related processes and installs a Backdoor Trojan with a randomly generated filename and a .dll extension. The Backdoor Trojan is a keystroke logger that listens on TCP port 36794.
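One quick check for the backdoor component described above is to look for a local TCP port 36794 listener or connection in the output of netstat -an. The following is an added example, not part of the original alert; the netstat sample it parses is constructed for illustration, and a match on the port number alone is an indicator to investigate with your antivirus vendor, not proof of infection.

```python
BACKDOOR_PORT = 36794  # TCP port used by the Bugbear backdoor, per the alert above

# Constructed sample of `netstat -an` output in the Windows layout (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:36794     203.0.113.7:4431       ESTABLISHED
  TCP    192.168.1.20:1045      192.168.1.1:139        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_netstat(text):
    """Turn netstat -an lines into records; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows carry no state
        # rpartition keeps IPv6 forms such as [::]:36794 intact
        host, _, port = local.rpartition(":")
        records.append({
            "proto": proto,
            "local_host": host,
            "local_port": int(port),
            "foreign": foreign,
            "state": state,
        })
    return records


def find_backdoor(text, port=BACKDOOR_PORT):
    """Return every TCP socket bound to the backdoor port, listening or connected."""
    return [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["local_port"] == port]


if __name__ == "__main__":
    for hit in find_backdoor(SAMPLE_NETSTAT):
        print("%(proto)s %(local_host)s:%(local_port)d -> %(foreign)s %(state)s" % hit)
```

On a live system pipe the real output in (for example, save `netstat -an` to a file and pass its contents to `find_backdoor`); an ESTABLISHED row on the port shows the keystroke logger is not just installed but being contacted.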

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:

1) Block harmful attachment types at your Internet mail gateways.

2) This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020:

http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx

The most recent cumulative security patch for Internet Explorer, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020 can be found here:

http://www.microsoft.com/technet/security/bulletin/ms02-047.mspx

3) After customers have ascertained the status of the preceding fix in their environments, the following prevention steps will also apply:

Outlook 2000 SP2 and later and Outlook XP SP1 include the most recent updates to improve the security of Outlook and other Microsoft Office programs, including the functionality to block potentially harmful attachment types. If you are running either of these versions, the attachment is blocked by default, and you will be unable to open it.

To ensure you are using the latest version of Office click here:

http://office.microsoft.com/officeupdate/default.aspx

By default, Outlook 2000 pre-SR1 and Outlook 98 did not include this functionality, but it can be obtained by installing the Outlook E-mail Security Update. More information about the Outlook E-mail Security Update can be found here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang=EN

To find out what attachment types are blocked by Outlook please see this Microsoft Knowledgebase Article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;290497&sd=tech

Outlook Express 6 can be configured to block access to potentially-damaging attachments. Information about how to configure this can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;291387&sd=tech

Outlook Express all other versions: Previous versions of Outlook Express do not contain attachment-blocking functionality. Please use extreme caution when you open unsolicited e-mail messages with attachments.

Web-based e-mail programs: Use of an application-level firewall can protect you from being infected with this virus through Web-based e-mail programs.
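The gateway filtering recommended in item 1, together with the two infection tricks described under TECHNICAL DETAILS (the .exe.pif double extension and the MS01-020 pattern of an executable attachment labelled with a harmless Content-Type such as audio/x-wav), can be expressed as a small set of rules over each attachment. The script below is an added example written for this page, not Microsoft's code or part of the original alert. The extension list is a representative subset of what Outlook's E-mail Security Update blocks (see KB 290497 for the full list), the set of auto-open MIME types is an illustrative assumption, and the message it scans is constructed here.

```python
import email
from email import policy

# Representative subset of extensions blocked by the Outlook E-mail Security Update.
# Assumption for the example; the authoritative list is KB 290497.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Content-Types a client would treat as safe to open on its own. MS01-020 was abused
# by labelling an executable with one of these. Assumption: illustrative set only.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "audio/basic", "image/gif", "image/jpeg"}

# Constructed sample message, modelled on the characteristics in this alert.
SAMPLE_EML = b"""From: someone@example.com
To: you@example.com
Subject: Daily Email Reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bd"

--bd
Content-Type: text/plain

Please see the attached file.
--bd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

nothing to see here
--bd
Content-Type: audio/x-wav; name="Setup.exe.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Setup.exe.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bd--
"""


def extensions_of(filename):
    """All extensions of a filename, lowest first: 'Setup.exe.pif' -> ['.exe', '.pif']."""
    parts = filename.strip().lower().split(".")
    return ["." + p for p in parts[1:] if p]


def scan_part(filename, content_type):
    """Apply the gateway rules to one attachment; returns the reasons to block it."""
    reasons = []
    exts = extensions_of(filename)
    if not exts or exts[-1] not in BLOCKED_EXTENSIONS:
        return reasons  # the final extension decides how Windows opens the file
    reasons.append("executable extension %s" % exts[-1])
    if len(exts) > 1:
        # Bugbear-style double extension such as .exe.pif or .doc.scr
        reasons.append("double extension %s" % "".join(exts[-2:]))
    if content_type in AUTO_OPEN_TYPES:
        # Executable carried under an audio/image label: the MS01-020 pattern
        reasons.append("MIME type %s does not match %s" % (content_type, exts[-1]))
    return reasons


def scan_message(raw):
    """Parse an RFC 822 message; return {filename: [reasons]} for attachments to block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        reasons = scan_part(filename, part.get_content_type())
        if reasons:
            findings[filename] = reasons
    return findings


if __name__ == "__main__":
    for name, why in scan_message(SAMPLE_EML).items():
        print("BLOCK %s: %s" % (name, "; ".join(why)))
```

The rules key on the last extension because that is what the shell executes; the declared Content-Type is only consulted to flag the mismatch, never to allow a file through. A real gateway should also apply the same checks to the name inside an archive, which this example does not do.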

RECOVERY:

If your computer has been infected with this virus, please contact Microsoft Product Support Services or your preferred antivirus vendor for assistance with removing it.

RELATED KB'S: (Available in 24 hours)

http://support.microsoft.com/default.aspx?scid=kb;EN-US;329770&sd=tech

RELATED MICROSOFT SECURITY BULLETINS:

http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx

http://www.microsoft.com/technet/security/bulletin/ms02-047.mspx

As always please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of the US please contact your local Microsoft Subsidiary.

PSS Security Response Team
