FWD: [SECURITY] bugbear variant

Phil.Rodrigues at uconn.edu
Thu Jun 5 21:26:57 GMT 2003

(Apologies to anyone who already got this on the Educause list.)

We got hit with this today before Norton Antivirus came out with the 
definitions.  Hopefully the defs will get updated automatically in the 
next day or so, but we are prompting folks to manually update their defs 
ASAP.  Our mail servers are protected with generic defs (looking for 
dangerous attachments, etc.) but we had to update one of them manually with 
the exact def.

Infected hosts have a backdoor on 1080 (and maybe the range around that) 
open.  It leaves behind a password stealer that Norton was unable to 
remove with a scan, nor was it able to automatically quarantine the file. 
As of now it looks like infected hosts should be formatted completely.

Good luck!


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu

----- Forwarded by Phil Rodrigues/ITS/InformationServices/UConn on 
06/05/2003 05:25 PM -----

"Bruhn, Mark S." <mbruhn at INDIANA.EDU>
Sent by: The EDUCAUSE Security Discussion Group Listserv 
06/05/2003 03:43 PM
Please respond to The EDUCAUSE Security Discussion Group Listserv

        Subject:        [SECURITY] bugbear variant

I received a phone call a short while ago from DHS, indicating that a
new variant of Bugbear was spreading, mostly among financial
institutions.  That's all they told me.  We haven't received reports of
infections here at IU yet.

But, information about it can be found at
http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html, or
probably also at your favorite AV vendor site.


Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac at iu.edu)

Office of the Vice President for Information Technology and CIO
Indiana University

Incidents involving IU IT resources: it-incident at iu.edu
Complaints/kudos about OVPIT/UITS services: itombuds at iu.edu

Participation and subscription information for this EDUCAUSE Discussion 
Group discussion list can be found at http://www.educause.edu/memdir/cg/.
