[unisog] BugBear Worm

Stephen Tolito stolito at salud.unm.edu
Fri Oct 4 14:25:51 GMT 2002

We have seen bugbear coming through our smtp gateway, but have heard of
no infection thanks to GWAVA and McAfee scanning everything that enters
the gateway.

Stephen Tolito
LAN Administrator
UNM Health Science
Library and Informatics Center
email stolito at salud.unm.edu 
phone 505 272-5097
fax 505 272-5683

"The entire sum of existance
 is the magic of being needed 
by just one other person."  --VI Putnam 

>>> "Asadoorian, Paul D" <pasadoor at AD.Brown.Edu> 10/04/02 06:18AM >>>
We had one user that was infected with Bugbear (that we know of), most
likely just before the mail gateways updated definitions.  The users
definitions were also two weeks old, so it could have come in through
open file shares (it was a win98 machine).

We experience the side effect of all our printers spewing paper (like
high) because there is a bug in the worm and when it connects to
printers to replicate itself the contents of the worm gets printed on
the printer, over and over and over.... (We got a good laugh out of
telling the department this originated from that they were financially
responsible for all the wasted paper :-) 

Fortunately it did not replicate on that subnet (or any other subnet
that we know of) and all our anti-virus definitions have been updated.
You can probe for tcp port 36794 to check for the backdoor, and look
for printers spewing binary :-).  F-Secure has a really good write-up
well http://www.F-Secure.com/v-descs/tanatos.shtml.

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc 
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com 

-----Original Message-----
From: Bill Martin [mailto:bmartin at luc.edu] 
Sent: Thursday, October 03, 2002 5:46 PM
To: unisog at sans.org 
Cc: Bill Martin
Subject: [unisog] BugBear Worm

Has anyone encountered this beast yet?

ISS X-Force claims to be monitoring the spread of the "Bugbear"
worm. It propagates through email and through open NetBIOS file
attempts to disable all security and antivirus software on each host
installs a backdoor program. They claim to have detected a large
increase in NetBIOS scanning traffic from several thousand unique

For more, check out:

-Bill Martin-
Sr. Systems Analyst
Loyola University Chicago
bmartin at luc.edu 

-------------- next part --------------
FN:Tolito, Stephen
ORG:;HSC Computer Services
EMAIL;WORK;PREF;NGW:STolito at salud.unm.edu

More information about the unisog mailing list