Bits & P.C.s: Security Alert – Bugbear
By Richard Heller
Last week I mentioned the W32.Bugbear@mm virus that had just been discovered. This week I have some further information on this mass-mailing worm.
Symantec has raised Bugbear's threat level from Category 2 to Category 4 because of the number of computers that have been infected. It spreads by e-mail, and once it is on a networked computer it also copies itself to other machines through shared folders on the network.
When an infected e-mail runs, the worm copies itself into the Windows system directory under a randomly generated file name, so there is no single file name to look for. It then creates several encrypted support files that let it connect to other computers whenever you are online, whether you are browsing the web or checking your e-mail.
The worm has a keystroke logger that records everything you type. The record is saved to a file and sent to the hacker, who can read it back and see everything you entered, including passwords, PINs and account numbers, along with the websites you visited. There is no need for the hacker to guess your password or credit card number; he'll know exactly what you typed, down to the backspace you hit when you corrected the account number.
The worm also tries to shut down any anti-virus or firewall program running on the computer. It searches the address book files on your computer for e-mail addresses to send itself to, and it writes one of those harvested addresses into the From field of its own messages so the e-mail appears to come from someone else. Because of this forgery, receiving a bounce or a complaint about a Bugbear message with your address on it does not by itself mean your computer is infected; the address was simply taken from someone else's address book.
The worm picks a subject line that makes the message look legitimate. It may also take documents and other files from your computer, alter them, and attach the altered file to its e-mail, which means your own documents can leave your machine in a message you never sent.
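Because the From field on a worm message is forged and the payload rides in an attachment, a mail administrator triaging a suspect message wants two mechanical checks: does any attachment have an executable extension, and does the visible From address differ from the envelope sender the receiving mail server recorded in Return-Path? The Python script below is an added example written for this column's topic; it is not Symantec's removal tool and is not code from the original article. The two sample messages, the list of executable extensions and the wording of the findings are constructed for illustration.

```python
"""Triage a raw e-mail message for two mass-mailing-worm traits:
an executable attachment and a forged From line.
Added example; sample messages and the extension list are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Extensions Windows runs on a double-click (constructed list, not the
# worm's own attachment names).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Constructed message: From claims alice@example.com, but the envelope
# sender seen by the server was bob@example.net, and the attachment is a
# screensaver executable hidden behind a .doc extension.
SAMPLE_WORM_MAIL = b"""Return-Path: <bob@example.net>
From: "Alice" <alice@example.com>
To: carol@example.org
Subject: Re: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file.
--XYZ
Content-Type: application/octet-stream; name="report.doc.scr"
Content-Disposition: attachment; filename="report.doc.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

# Constructed message with a consistent sender and a harmless text attachment.
SAMPLE_CLEAN_MAIL = b"""Return-Path: <alice@example.com>
From: "Alice" <alice@example.com>
To: carol@example.org
Subject: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Notes attached.
--ABC
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Agenda item one.
--ABC--
"""


def parse_message(raw_bytes):
    """Parse RFC 822 bytes into an EmailMessage with the modern policy."""
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def executable_attachments(msg):
    """Return attachment file names whose final extension is executable.
    Only the last extension counts, so 'report.doc.scr' is caught even
    though the eye reads it as a Word document."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            names.append(name)
    return names


def sender_mismatch(msg):
    """Return (visible, envelope) when the From address differs from the
    envelope sender the receiving server wrote into Return-Path, else None.
    A worm can write anything into From, but the envelope sender is what
    the sending machine actually handed to the server. Mailing lists and
    forwarders also produce mismatches, so treat this as one signal to
    combine with others, not as proof on its own."""
    visible = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if visible and envelope and visible != envelope:
        return visible, envelope
    return None


def triage(raw_bytes):
    """Return a list of human-readable reasons the message is suspect;
    an empty list means neither check fired."""
    msg = parse_message(raw_bytes)
    reasons = [f"executable attachment: {n}" for n in executable_attachments(msg)]
    mismatch = sender_mismatch(msg)
    if mismatch:
        reasons.append(f"From {mismatch[0]} differs from envelope sender {mismatch[1]}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, triage(raw) or "no findings")
```

Run against the worm-like sample the script reports both the hidden executable and the sender mismatch; the clean sample produces no findings. Return-Path is only trustworthy on the server that added it, so run this on messages as delivered to your own mail store rather than on copies forwarded by someone else.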
The worm's backdoor lets the hacker delete and copy files, stop programs from running, and do various other things to cause grief. On a network it copies itself to every shared resource it can find, including shared printers, so the printers stop working or print page after page of garbage.
This worm was first identified on September 30, 2002, so unless your anti-virus definitions have been updated since then, you are at real risk of being infected. Symantec has a free removal tool at http://email@example.com that will scan your system and remove the worm if it is found.
Other anti-virus companies also have removers available or the instructions on how to manually remove the worm.
If you are using any Microsoft Windows operating system, you are vulnerable. On an unpatched copy of Outlook or Outlook Express the attachment can run by itself when the message is merely previewed, so install Microsoft's security updates as well as updating your anti-virus program. Do not open e-mail attachments unless you know the sender, and remember that the From field proves nothing because the worm forges it. Even if the message appears to be from your daughter, it is wise to confirm by phone or a separate e-mail that she actually sent the attachment before you open it.
Richard Heller is an independent computer specialist who specializes in repairs, installation, upgrades, technical support, Internet sharing, data recovery and diagnostics. If you have any computer or service-related questions, please send them to The Rock River Times or e-mail firstname.lastname@example.org.