[unisog] BugBear Worm

Asadoorian, Paul D pasadoor at AD.Brown.Edu
Fri Oct 4 12:18:42 GMT 2002

We had one user that was infected with Bugbear (that we know of), most
likely just before the mail gateways updated definitions.  The user's
definitions were also two weeks old, so it could have come in through
open file shares (it was a Win98 machine).

We experienced the side effect of all our printers spewing paper (like 6"
high) because there is a bug in the worm: when it connects to
printers to replicate itself, the contents of the worm get printed on
the printer, over and over and over.... (We got a good laugh out of
telling the department this originated from that they were financially
responsible for all the wasted paper :-)

Fortunately it did not replicate on that subnet (or any other subnet
that we know of) and all our anti-virus definitions have been updated.
You can probe for tcp port 36794 to check for the backdoor, and look out
for printers spewing binary :-).  F-Secure has a really good write-up as
well http://www.F-Secure.com/v-descs/tanatos.shtml.

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com

-----Original Message-----
From: Bill Martin [mailto:bmartin at luc.edu] 
Sent: Thursday, October 03, 2002 5:46 PM
To: unisog at sans.org
Cc: Bill Martin
Subject: [unisog] BugBear Worm

Has anyone encountered this beast yet?

ISS X-Force claims to be monitoring the spread of the "Bugbear" Internet
worm. It propagates through email and through open NetBIOS file shares,
attempts to disable all security and antivirus software on each host and
installs a backdoor program. They claim to have detected a large
increase in NetBIOS scanning traffic from several thousand unique

For more, check out:

-Bill Martin-
Sr. Systems Analyst
Loyola University Chicago
bmartin at luc.edu

