[Dshield] FW: New virus alert: W32/Bugbear.B-mm

Deb Hale haled at pionet.net
Thu Jun 5 13:14:12 GMT 2003


It's BACKKKKK!  Bugbear.B

Deborah F Hale
Certified Business Continuity Professional
BCP Enterprise, Inc
Telephone: (712) 252-0361

-----Original Message-----
From: VirusEye at messagelabs.com [mailto:VirusEye at messagelabs.com] 
Sent: Thursday, June 05, 2003 5:01 AM
To: VirusEye Subscriber
Subject: New virus alert: W32/Bugbear.B-mm

Beware of a new email-borne mass-mailing virus:

On 4th June 2003, MessageLabs, the email security company, intercepted copies of a new mass-mailing virus called W32/Bugbear.B-mm, and intercepted the first copy originating from the United States.

Name:  W32/Bugbear.B-mm
Aliases:  W32/Kijmo-mm, W32/Shamur-mm
Number of copies intercepted so far:  300+
Time & Date first Captured:  4th June 2003 11:59GMT
Origin of first intercepted copy:  United States
Number of countries seen active: 20 (currently mostly in US and Australia)

Email characteristics:

The sender address may be spoofed, and may not indicate the true address of the sender. The virus contains a number of domains that it appears to be capable of spoofing.  

Emails that we have thus far seen have varying subject lines, seemingly relating to information or documents plagiarised from the recipient's infected machine.

The body-text of the message is variable and appears to be taken from documents and files found on the recipient's infected machine.

The attachment is compressed in a modified UPX format.  The file size is 72,192 bytes.  Attachment names are also variable, possibly based on filenames found on the infected machine, with an extension of either .scr, .pif or .exe.

For example: Crimbo.exe.scr, Lotto.mbd.pif, 052003.ptx.exe, My Money Backup.mbf.scr, Captletterhead.doc.scr

Virus Behaviour
Initial analysis suggests that the virus is a mass mailer.  It appears to be very polymorphic in nature and compressed using a variant of UPX; however, it seems to have the ability to repack or modify itself during each generation, presumably in an attempt to foil simple anti-virus signature fingerprinting techniques.  

In some copies that we have stopped, the MS01-020 auto-open exploit has been found, which will automatically execute the attachment just by reading the email on an unpatched Windows system.

Virus Payload
Initial analysis indicates that this virus may also be able to disarm local security software, such as anti-virus or firewall software.  It may also be able to spread via network shares, as was the case with the earlier Bugbear.A strain.  Furthermore, it may also install a key-logging trojan component that will enable an unscrupulous hacker to take control of the infected machine and download a file containing the user's keystrokes, including information entered on websites such as passwords or credit-card details for example.

The virus includes a number of domain names that it appears to be capable of spoofing, including many major international banks, financial institutions and government authorities.  

Paul Wood, Chief Information Analyst at MessageLabs said,  "This is a particularly worrying trend in terms of the social engineering techniques now almost customary for any new virus to take hold.  

"Particularly worrying is the fact that not only can Bugbear leech confidential information from an infected machine, but it may also leave a backdoor wide open for hackers to take control of the machine and misappropriate passwords, credit-card details or for some other nefarious purpose.

"From the pattern of Bugbear.B emails that we have stopped already this morning, we anticipate that this is likely to reach high-level outbreak very soon, particularly as the US begins to come online."

MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic(TM) predictive heuristics technology.  

For further information, please visit the MessageLabs website at:  http://www.messagelabs.com and 


This email was sent to you because you subscribe to MessageLabs' Virus Alert service. You can cancel your subscription on the MessageLabs website at http://www.messagelabs.com/AlertUnsubscribe

MessageLabs is a leading provider of Internet-level managed email security services. Through its SkyScan portfolio of services, MessageLabs customers are protected from email-borne threats such as viruses, unsolicited mail and pornographic material, before such content comes anywhere near their network boundaries.

This email has been scanned for all viruses by the MessageLabs Email Security System. For more information on a proactive email security service working around the clock, around the globe, visit http://www.messagelabs.com
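Added example, not part of the MessageLabs alert or of the Dshield post above: a small mail-gateway check that turns the attachment indicators quoted in the alert (the .scr/.pif/.exe extension, the document-name-plus-executable double extension, the 72,192-byte size) into code, plus a check for the MS01-020 auto-open trick the alert mentions, where an executable is delivered under an audio/* content type so an unpatched Outlook/IE runs it on open. The message, the addresses and the attachment bytes are all constructed here (an MZ header padded to the reported size stands in for the packed binary; no real sample is embedded), so it runs offline.

```python
"""Constructed mail-gateway check for the Bugbear.B attachment indicators."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert: executable extensions, a double
# extension built from a document name, and the reported attachment size.
EXEC_EXTS = {".scr", ".pif", ".exe"}
BUGBEAR_B_SIZE = 72192
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(?:scr|pif|exe)$")

# Constructed stand-in for a packed PE attachment: the MZ magic followed by
# padding up to the size from the alert. Not a real sample.
SAMPLE_EXE = b"MZ" + b"\x00" * (BUGBEAR_B_SIZE - 2)


def attachment_indicators(filename, payload, declared_type):
    """Return the indicator names one attachment matches (empty list if none)."""
    hits = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXEC_EXTS:
        hits.append("executable-extension")
    if DOUBLE_EXT_RE.search(name):
        hits.append("double-extension")
    if len(payload) == BUGBEAR_B_SIZE:
        hits.append("bugbear-b-size")
    # MS01-020 is the "incorrect MIME header" bug: an attachment declared as
    # an audio type is opened automatically by unpatched Outlook/IE. Flag any
    # audio/* part whose bytes start with the PE "MZ" magic.
    if declared_type.startswith("audio/") and payload[:2] == b"MZ":
        hits.append("ms01-020-mime-mismatch")
    return hits


def scan_message(raw_bytes):
    """Parse a raw message; map each suspicious attachment name to its hits."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        hits = attachment_indicators(part.get_filename(), payload,
                                     part.get_content_type())
        if hits:
            findings[part.get_filename() or "<unnamed>"] = hits
    return findings


def build_sample(filename, payload, maintype, subtype):
    """Construct a test message (hypothetical addresses) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "support@bank.example"   # spoofed-looking sender, constructed
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Re: My Money Backup"  # subject lifted from a document name
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("My Money Backup.mbf.scr", SAMPLE_EXE, "application", "octet-stream"),
        ("readme.wav", b"MZ" + b"\x90" * 100, "audio", "x-wav"),
        ("report.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 60, "application", "msword"),
    ]
    for name, data, mt, st in samples:
        print(name, scan_message(build_sample(name, data, mt, st)))
```

The size check is the weakest of the four, since the alert itself says the virus repacks itself per generation; treat it as corroboration rather than a standalone block rule, and rely on the extension and MIME-mismatch checks, which do not depend on the packer.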


