[unisog] BugBear Worm

John Stauffacher stauffacher at chapman.edu
Thu Oct 3 23:56:23 GMT 2002

>From the snort list:

Bugbear snort rule:

alert tcp any any -> any 25 (msg:"Bugbear at MM virus in SMTP";
sid:900001; classtype:misc-activity;

John Stauffacher
Network Administrator
Chapman University
stauffacher at chapman.edu
-----Original Message-----
From: Peter Van Epp [mailto:vanepp at sfu.ca] 
Sent: Thursday, October 03, 2002 4:06 PM
To: unisog at sans.org
Subject: Re: [unisog] BugBear Worm

	We have certainly seen a handful of machines (some ex of our
pool) that have fatally begun scanning port 137 (just before the network

port stops responding :-)). I assume that may be this worm.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> Has anyone encountered this beast yet?
> ISS X-Force claims to be monitoring the spread of the "Bugbear"
Internet worm. It propagates through email and through open NetBIOS file
shares, attempts to disable all security and antivirus software on each
> and installs a backdoor program. They claim to have detected a large
increase in NetBIOS scanning traffic from several thousand unique
> For more, check out:
> -Bill Martin-
> Sr. Systems Analyst
> Loyola University Chicago
> bmartin at luc.edu

More information about the unisog mailing list