[unisog] BugBear Worm

Saracini, Bill SaraciniW at health.missouri.edu
Fri Oct 4 13:41:54 GMT 2002

We had two desktop machines (both Windows 98) compromised, and have noted a 10 - 15 fold increase in scanning activity since last Friday.  The rate appears not to be subsiding. Some forensics on the compromised machines appeared to indicate Europe and North America as source for most scans initially - not many Asian addresses noted early on.  The machines that fell victim appear to be through netbios, both had MS shares that were password protected.  We are unsure of password strength.  One problem that we noted is that the worm randomly used addresses in multicast range that caused massive network problems in our switches.  The vendor was contacted about a possible patch.  Our anti-virus is now catching the bug, but interestingly, the same machine that was compromised seems to also be the one that is continually having the desktop anti-virus catch the worm on most every scan coming through.


William J. (Bill) Saracini
System Security Analyst
University of Missouri Health Sciences Center
Columbia, MO  65212
573-884-2650 (fax)

-----Original Message-----
From: Bill Martin [mailto:bmartin at luc.edu]
Sent: Thursday, October 03, 2002 5:46 PM
To: unisog at SANS.ORG
Cc: Bill Martin
Subject: [unisog] BugBear Worm

Has anyone encountered this beast yet?

ISS X-Force claims to be monitoring the spread of the "Bugbear" Internet worm. It propagates through email and through open NetBIOS file shares, attempts to disable all security and antivirus software on each host
and installs a backdoor program. They claim to have detected a large increase in NetBIOS scanning traffic from several thousand unique addresses. 

For more, check out:

-Bill Martin-
Sr. Systems Analyst
Loyola University Chicago
bmartin at luc.edu

More information about the unisog mailing list