[Dshield] Bugbear Less-Documented Behavior

Richard Damon rdamon at beltronicsinc.com
Wed Oct 2 21:53:47 GMT 2002

I have notice that most of the bugbear messages I have gotten, have been
copies of message posted on a mailing list I just sent a message to. It
seems smart enough to chose a message from the same list as the one I sent,
I know its not going through the list as the list strips all attachments.

Richard Damon
rbrdamon at rcn.com (Home)
rdamon at beltronicsinc.com (Work)

> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
> James C. Slora Jr.
> Sent: Wednesday, October 02, 2002 11:18 AM
> To: list at dshield.org
> Subject: [Dshield] Bugbear Less-Documented Behavior
> Something to watch for -
> Bugbear does not use only the standard subject lines listed at some AV
> vendor sites. It also does not always have a blank message body as most AV
> sites still assert (when I checked shortly before sending this message).
> Our copies have subjects, message bodies, and attachment file names drawn
> presumably from messages on the infected user's system. Subjects, bodies,
> and attachments have unique content that is entirely believable as a
> legitimate message - even to an educated and skeptical user.
> Sophos makes brief indirect mention of this ("can look like
> normal emails").
> http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
> Norman mentions it could reply to mail on an infected computer
> http://www.norman.com/virus_info/w32_bugbear_a_mm.shtml
> Another oddity on the copies we have received: the entire message body is
> placed within an Iframe.
> - Jim
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:

More information about the list mailing list