PSS Security Response Team Alert - New Worm: W32/Bugbear.B@MM

SEVERITY: MODERATE

DATE: June 5, 2003

PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail programs

**********************************************************************

WHAT IS IT?

The PSS Security Response Team is issuing this alert to inform customers about a new variant of the W32/Bugbear@MM worm named W32/Bugbear.B@MM, which appears to be spreading in the wild. Best practices, such as filtering certain file types and applying security patches, should prevent infection from this worm. Customers are advised to review the information and take the appropriate action for their environments.

IMPACT OF ATTACK:

Mass-Mailing, Trojan delivery

TECHNICAL DETAILS:

The W32/Bugbear.B@MM worm spreads via e-mail and network shares. E-mail messages used by the W32/Bugbear.B@MM worm may use the vulnerability mentioned in Microsoft Security Bulletin MS01-020, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment, to run automatically on some computers when an infected e-mail is viewed.

The subject line, body of the message, and attachment have varying characteristics. Details regarding these variations can be found in the alerts provided by Microsoft Virus Information Alliance participants.

W32/Bugbear.B@MM also spreads via network share propagation.

Backdoor trojan software is dropped by the worm upon infection.

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA), please visit the following links:

McAfee:

http://vil.nai.com/vil/content/v_100358.htm

Trend Micro:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BUGBEAR.B

For more information on Microsoft’s Virus Information Alliance please visit this link:
http://www.microsoft.com/technet/security/alerts/info/via.mspx

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:

1) Block harmful attachment types at your Internet mail gateways.

2) This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020:

http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx

The most recent cumulative security patch for Internet Explorer, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020, can be found here:

http://www.microsoft.com/technet/security/bulletin/ms03-020.mspx

3) After customers have ascertained the status of the preceding fix in their environments, the following prevention steps will also apply:

Outlook 2000 post SP2 and Outlook XP SP1 include the most recent updates to improve the security in Outlook and other Microsoft Office programs. This includes the functionality to block potentially harmful attachment types. If you are running either of these versions, they will (by default) block the attachment, and you will be unable to open it.

To ensure you are using the latest version of Office click here:

http://office.microsoft.com/officeupdate/default.aspx

By default, Outlook 2000 pre-SR1 and Outlook 98 did not include this functionality, but it can be obtained by installing the Outlook E-mail Security Update. More information about the Outlook E-mail Security Update can be found here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang=EN

To find out what attachment types are blocked by Outlook please see this Microsoft Knowledgebase Article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;290497&sd=tech

Outlook Express 6 can be configured to block access to potentially-damaging attachments. Information about how to configure this can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;291387&sd=tech

Outlook Express all other versions: Previous versions of Outlook Express do not contain attachment-blocking functionality. Please use extreme caution when you open unsolicited e-mail messages with attachments.

Web-based e-mail programs: Use of an application-level firewall can protect you from being infected with this virus through Web-based e-mail programs.
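
The following is an added example, not part of the original alert. It sketches the gateway check from prevention step 1: it flags attachments whose file name ends in a blocked extension, and separately flags an executable file name declared under a passive media type, the kind of inconsistent MIME header that MS01-020 concerns. The blocklist, the function name inspect_message and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumed sample blocklist (not from the alert); use your gateway's own policy list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Main types a client renders or plays; an executable name under one is a mismatch.
PASSIVE_MAIN_TYPES = {"audio", "image", "video", "text"}


def inspect_message(raw_bytes):
    """Return (filename, reason) findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename, then Content-Type name.
        filename = None if part.is_multipart() else part.get_filename()
        if not filename:
            continue
        # Windows ignores trailing dots and spaces, so strip them before matching.
        name = filename.lower().rstrip(". ")
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext not in BLOCKED_EXTENSIONS:
            continue
        if part.get_content_maintype() in PASSIVE_MAIN_TYPES:
            reason = "executable extension declared as " + part.get_content_type()
        else:
            reason = "blocked extension " + ext
        findings.append((filename, reason))
    return findings


# Constructed sample message: one mismatched attachment and one benign attachment.
SAMPLE = (
    b"From: sender@example.com\r\nTo: user@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b'--b1\r\nContent-Type: audio/x-wav; name="report.doc.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.doc.scr"\r\n\r\nAAAA\r\n'
    b'--b1\r\nContent-Type: application/pdf; name="notes.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="notes.pdf"\r\n\r\nAAAA\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print(finding)
```

The check matches on the last extension only, so a double extension such as the sample's is caught, and the benign PDF part produces no finding.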

RECOVERY:

If your computer has been infected with this virus, please contact Microsoft Product Support Services or your preferred antivirus vendor for assistance with removing it.

RELATED MICROSOFT SECURITY BULLETINS:

http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx

http://www.microsoft.com/technet/security/bulletin/ms03-020.mspx

As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert, please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US. Outside of the US, please contact your local Microsoft Subsidiary.

PSS Security Response Team

