Detection: Bugbear is intercepted by Interceptor
when the infected e-mail attachment is opened (exe
and scr instances only). In addition, Bugbear's initialization
is intercepted by IV's SAM (startup apps monitor) and
can be reverted before the worm has a chance to initialize. No
IV update is required for this worm.
Description: Bugbear is a mass mailer that spreads
through e-mail attachments and open network shares. The e-mail subject
and the name of the attachment vary. The attachment is 50,688
bytes in size and uses a single or double extension, with
the last (true) extension always being exe, scr, or pif.
Bugbear initializes on an affected machine by
installing a randomly named exe in the Startup group
(directory) and by re-launching itself through the local
machine's 'RunOnce' registry key.
Risk: Besides being a mass-mailer, Bugbear compromises
security by installing a backdoor that listens
on port 36794 of the affected machine. Bugbear also includes
a key-logger, which can be used in conjunction with the backdoor
port to steal passwords and send confidential data, such as
credit card information, to the remote attacker. On
activation, Bugbear terminates (stops) all common antivirus
and firewall processes, leaving the computer exposed with
no protection.
Protection: System administrators are advised to
add IVPROOF to their e-mail screening application, and to review
the gateway policy filtering rules to block attachments
with bat, com, lnk, scr, and pif extensions. Adding 'exe'
to the suppress list may also be advisable, depending on the
nature of the enterprise.
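The gateway rule above, together with the double-extension trick described under Description, can be checked with a small attachment screener. The following is an added example written for this page; it is not IVPROOF or any other NetZ Computing code. It builds a constructed sample message inline, determines each attachment's true (last) extension, and flags the extensions the advisory lists, any double extension, and an exe/scr/pif attachment of exactly 50,688 bytes. The 'exe' block is optional, mirroring the advisory's enterprise-dependent advice; the function and variable names are the example's own.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the advisory recommends blocking at the gateway.
# 'exe' is enterprise-dependent, so it is passed in separately.
BLOCKED_EXTENSIONS = {"bat", "com", "lnk", "scr", "pif"}
BUGBEAR_ATTACHMENT_SIZE = 50688  # bytes, as stated in the advisory
BUGBEAR_TRUE_EXTENSIONS = {"exe", "scr", "pif"}


def true_extension(filename: str) -> str:
    """Return the last (true) extension of a filename, lowercased, or ''.

    Bugbear uses names such as 'readme.doc.scr'; only the final
    component decides what Windows will execute.
    """
    name = filename.strip().lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def has_double_extension(filename: str) -> bool:
    """True for 'a.b.c' style names (note: also flags benign 'x.tar.gz')."""
    parts = filename.strip().lower().split(".")
    return len(parts) >= 3 and all(parts[1:])


def screen_message(raw: bytes, block_exe: bool = False) -> list:
    """Return [(filename, [reasons]), ...] for attachments that violate policy."""
    blocked = set(BLOCKED_EXTENSIONS)
    if block_exe:
        blocked.add("exe")
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = true_extension(filename)
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in blocked:
            reasons.append(f"blocked extension .{ext}")
        if has_double_extension(filename):
            reasons.append("double extension")
        if len(payload) == BUGBEAR_ATTACHMENT_SIZE and ext in BUGBEAR_TRUE_EXTENSIONS:
            reasons.append("size matches Bugbear (50,688 bytes)")
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample(filename: str = "readme.doc.scr") -> bytes:
    """Constructed sample message (not a real Bugbear capture): one
    50,688-byte binary attachment with the given name plus a harmless
    text attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "Hello"
    msg.set_content("see attachment")
    fake_binary = b"MZ" + b"\x00" * (BUGBEAR_ATTACHMENT_SIZE - 2)
    msg.add_attachment(fake_binary, maintype="application",
                       subtype="octet-stream", filename=filename)
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample()):
        print(name, "->", "; ".join(reasons))
```

Run as-is it reports the constructed readme.doc.scr attachment on all three counts and says nothing about notes.txt. With the same message renamed to a plain .exe, only the size rule fires unless block_exe=True is passed, which is the decision the advisory leaves to the enterprise.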
Cleaning: Removing Bugbear with InVircible is straightforward.
1. With IV's SAM (startup apps monitor), note the name of the
executable that initializes Bugbear. The file has a random
name followed by the exe extension, and may appear in either
of the following locations: Registry [machine RunOnce]
and Startup Group.
2. Restart the computer in Safe mode, search for the exe
file whose name was noted in step 1, and delete it.
3. With IV's SAM (startup apps monitor), select the bogus startup
entry from step 1 and press the 'Delete' button. Alternatively,
if you are familiar with REGEDIT, delete the reference
to the bogus file from
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
4. Restart the computer.
©NetZ Computing