[Dshield] Bugbear Less-Documented Behavior

James C. Slora Jr. Jim.Slora at phra.com
Wed Oct 2 15:17:39 GMT 2002


Something to watch for -

Bugbear does not use only the standard subject lines listed at some AV
vendor sites. It also does not always have a blank message body as most AV
sites still assert (when I checked shortly before sending this message).

Our copies have subjects, message bodies, and attachment file names drawn
presumably from messages on the infected user's system. Subjects, bodies,
and attachments have unique content that is entirely believable as a
legitimate message - even to an educated and skeptical user.

Sophos makes brief indirect mention of this ("can look like normal emails").
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html

Norman mentions it could reply to mail on an infected computer
http://www.norman.com/virus_info/w32_bugbear_a_mm.shtml

Another oddity on the copies we have received: the entire message body is
placed within an Iframe.

- Jim
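The practical consequence of Jim's report is that subject-line and "blank body" signatures are unreliable for this worm, while the structural oddity he observed (the whole HTML body wrapped in an Iframe) is something a mail gateway can test for directly. The following is an added example, not part of the original post and not code from any AV vendor: it parses a raw message with Python's standard email library and flags an HTML part whose only content is one or more iframes, listing the iframe sources and any attachment names alongside. The sample message is constructed for the example; its sender, subject, attachment name and base64 payload are made up and are not claimed to be real Bugbear samples.

```python
import email
from email import policy
from html.parser import HTMLParser


class _IframeScan(HTMLParser):
    """Record iframe src values and any visible text that lies outside an iframe."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # src attribute of each <iframe> seen
        self.depth = 0           # nesting depth inside <iframe> elements
        self.outside_text = ""   # non-whitespace text found outside any iframe

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.depth += 1
            self.iframes.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "iframe" and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth == 0:
            self.outside_text += data.strip()


def body_is_iframe_wrapped(html: str) -> bool:
    """True when the HTML part carries at least one iframe and no visible text
    outside it, i.e. the entire message body is delivered through the iframe."""
    scan = _IframeScan()
    scan.feed(html)
    return bool(scan.iframes) and not scan.outside_text


def iframe_sources(html: str) -> list:
    scan = _IframeScan()
    scan.feed(html)
    return scan.iframes


def triage(raw: bytes) -> dict:
    """Walk the MIME tree and report structural indicators, deliberately ignoring
    the Subject header, which this worm draws from the victim's own mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"iframe_body": False, "iframe_srcs": [], "attachments": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings["attachments"].append(name)
        if part.get_content_type() == "text/html":
            html = part.get_content()
            if body_is_iframe_wrapped(html):
                findings["iframe_body"] = True
                findings["iframe_srcs"].extend(iframe_sources(html))
    return findings


# Constructed sample (hypothetical addresses, subject, attachment and payload).
SAMPLE_EML = b"""\
From: someone@example.com
To: jim@example.com
Subject: Re: Q3 forecast numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>
<iframe src="cid:part0"></iframe>
</body></html>
--B1
Content-Type: application/octet-stream; name="forecast.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="forecast.xls"

TVqQAAMAAAAEAAAA
--B1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The believable subject and file name in the sample are exactly the point: nothing in the headers looks wrong, so the check keys on the shape of the HTML part. A normal HTML mail that happens to embed an iframe alongside real text is not flagged, because `body_is_iframe_wrapped` requires that no visible text sits outside the iframe.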