VID 24040
Severity 40
Port 36794
Protocol TCP
Class BackDoor
Detailed Description The BugBear backdoor was detected. The BugBear backdoor is a component of the BugBear worm, which also includes a key logger and can terminate antivirus and personal firewall software. The worm spreads by sending e-mails with attachments and by locating shared resources on your network to which it can copy itself. Depending on the antivirus vendor, it is known as: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure], and so on.

The BugBear backdoor opens TCP port 36794 and listens for commands from a remote machine. Depending on the command issued, a remote attacker may attempt the following on the victim's computer:

- Retrieve cached passwords in an encrypted form
- Download and execute a file
- Find files
- Delete files
- Execute files
- Copy files
- Write to files
- List processes
- Terminate processes
- Retrieve information such as username, type of processor, Windows version, Memory information (amount used, amount free, etc), Drive information (types of local drives available, amount of space available on these drives, etc).
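As an added example (not part of this entry and not a vendor tool), the following Python script shows the two checks a responder would run for the listener described above: parsing Windows `netstat -ano` output for a TCP socket in LISTENING state on port 36794, with the owning PID so the process can be looked up, and a plain TCP connect probe against a remote host. The netstat sample is constructed for offline testing, not captured from an infected machine. An open or listening port 36794 is only an indicator; any service could be bound there, so confirm with the process name and an antivirus scan before acting.

```python
import socket
import sys

# TCP port this entry reports the BugBear backdoor listening on.
BUGBEAR_PORT = 36794

# Constructed sample of Windows `netstat -ano` output for offline testing;
# it is not captured from a real infected host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING       1644
  TCP    192.168.1.10:3389      192.168.1.55:51022     ESTABLISHED     1120
  TCP    [::]:36794             [::]:0                 LISTENING       1644
  UDP    0.0.0.0:137            *:*                                    4
"""


def parse_netstat(text):
    """Parse `netstat -an` / `netstat -ano` lines into dicts.

    Handles TCP lines with a State column, UDP lines without one, and the
    optional PID column; header and blank lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # rpartition keeps IPv6 literals such as "[::]:36794" intact.
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        rest = parts[3:]
        pid = int(rest[-1]) if rest and rest[-1].isdigit() else None
        # Only TCP lines carry a State column; UDP lines go straight to PID.
        state = rest[0] if proto == "TCP" and rest and not rest[0].isdigit() else ""
        entries.append({"proto": proto, "host": host, "port": int(port),
                        "foreign": foreign, "state": state, "pid": pid})
    return entries


def find_bugbear_listeners(netstat_text, port=BUGBEAR_PORT):
    """Return TCP entries in LISTENING state on the backdoor port."""
    return [e for e in parse_netstat(netstat_text)
            if e["proto"] == "TCP" and e["port"] == port and e["state"] == "LISTENING"]


def probe_port(host, port=BUGBEAR_PORT, timeout=2.0):
    """Remote check: True if a TCP connect to host:port succeeds.

    A successful connect only says something accepts connections there;
    confirm on the host with netstat/tasklist before treating it as BugBear.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Offline demo on the constructed sample; pass hosts on the command line
    # to probe them remotely.
    for hit in find_bugbear_listeners(SAMPLE_NETSTAT):
        print(f"suspicious listener {hit['host']}:{hit['port']} pid={hit['pid']} "
              f"-> inspect with: tasklist /FI \"PID eq {hit['pid']}\"")
    for target in sys.argv[1:]:
        status = "open" if probe_port(target) else "closed/filtered"
        print(f"{target}:{BUGBEAR_PORT} {status}")
```

On a live host, pipe the real output in (for example `netstat -ano` saved to a file and read into `find_bugbear_listeners`) and then resolve the reported PID with `tasklist /FI "PID eq <pid>"`; the IPv6 row in the sample is there to show that the parser does not trip over bracketed addresses.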

Platforms Affected:
Microsoft Windows Any version

* References:
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
http://www.ealaddin.com/news/2002/esafe/bugbear.asp
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
Recommendation 1. Use an anti-virus program or a free disinfection tool to remove it.
2. Close the Windows shares of the infected computer.
3. Update Outlook, Internet Explorer and Outlook Express on the infected computer. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.): http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

Free BugBear worm disinfection tool:
- Self-extracting executable, including documentation: http://www.sophos.com/tools/bearsfx.exe
- Zip version, including documentation: http://www.sophos.com/tools/bear.zip