W32/BugBear@MM Virus Family - U-M Virus Busters

The W32/BugBear@MM Virus Family Often Forges Its From: Field

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 12 June, 2002

This information can be freely reproduced in any medium, as long as the information is unmodified.

06/04/2003: Bugbear.B is discovered and spreads "In The Wild." For more info, see below.

The BugBear virus affects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, see plenty of infected email from BugBear, so its "annoyance factor" is large.

BugBear has a lot in common with the Klez virus.

The first BugBear variant was discovered 30 September 2002; VirusScan users at U-M with current antivirus definitions have been protected against BugBear specifically since 30 September, 2002, 15:02 EDT and protected in general (in its email attachment form) before that, even before the virus writer created it! Probably because of this, we have seen very few infections at the University, though BugBear is a major problem worldwide.

The main features of BugBear are:

It (almost?) always forges its From: field, so that recipients of email with BugBear-infected attachments seem to get it from someone who was not the actual sender (and is not the real BugBear victim)
- In particular, it can forge email by taking two email addresses, and combining them into one (probably invalid) one, e.g.: it could take my email address -- bpb@umich.edu -- and the President of the United States (whoever he or she might be at the time) --president@whitehouse.gov -- and use them to make the email addresses "bpb@whitehouse.gov" and "president@umich.edu". Then it would select one of these as the email address from which to forge as the sender.
  No, this does not mean that I (or the current U.S. President!) am infected with a virus. All we know is that both of our (real) email addresses are somewhere on the victim's computer
BugBear can disable antivirus software that hasn't been updated to protect against this pest. KEEP YOUR ANTIVIRUS SOFTWARE UP-TO-DATE, AT LEAST WEEKLY!!
It exploits a security flaw in unpatched Internet Explorer applications that allows the attachment to be executed w/o opening it.
The virus attaches text that it finds on the infected computer, and uses it as the body of the email. Often, it seems to use old email messages, but it can get the text from other places as well.
The virus can spread via open network shares. I recommend that you disable File and Print Sharing, or at least password protect all shared resources.
BugBear drops a Remote Access Trojan that allows hackers easy access to the compromised computer. [VirusScan recognizes this Trojan as PWS-Hooker.dll.
BugBear can make your network printer spew lots of garbage.

The main thing about BugBear is the forged From:field. Here is what happens frequently:

Person A's computer gets infected
BugBear harvests email addresses, including addresses for persons B, C, and D
BugBear sends email from A's computer, using a From: address of person B, and a To: address of person D. -- or it combines B's and C's addresses to make a new address, and then it emails itself as if it were from this newly created address.
Person D's antivirus software notices that the email "from" person B is infected, so D emails B to warn him or her. Either:
- this fails because of the address-mixing described above so the message will bounce -- which probably will confuse D, or...
- D's message is delivered properly. In that case, person B scans his or her computer and finds no virus; person B is very confused.

What should you do if:

If you know you are infected by BugBear?
Easy: disinfect with current, top quality antivirus software. If you have an antivirus vendor already, browse to that web site and follow the directions for removing BugBear. If you don't already have antivirus software, you may find Network Associates' Stinger (leaving our site) utility helpful: it can handle BugBear, and several other viruses that require special handling.
Of course, had you installed top quality antivirus software beforehand, and updated it regularly, you might not have gotten bitten....
You receive email you suspect is infected with BugBear -- or other viruses, for that matter?
That's up to you; for suggestions, see our What to do with suspicious email document.
You receive email "informing" you that you are sending BugBear-infected email?
This is a bit more involved:
1. First, you probably are not infected, particularly if you are getting email from the recipient or from some automated announcement system: most of these alerts are well intentioned, but they do not check the full email headers to see who the realvictim is.
  [Of course, if you get email from us that you are infected, or from others who ought to know, then there is a much higher chance that your computer is infected. But everyone makes mistakes, so it's not a sure thing!]
2. Nonetheless, you should check that your computer has top quality antivirus software installed, and that it is current, and that you do not have any viruses on your machine.
3. Assuming that you have no viruses on your computer, you may want to ask the sender of the alert for more information. In particular, you'll need full email headers; when you receive them, pass this information along to your competent antivirus support personnel. Better yet, Cc: those support folks in your original request, and ask that the full headers, etc., be sent to the support personnel directly.
  U-M folks: you can request that this information be sent to the U-M Virus Busters Team, of course.
For technical info on the BugBear family, see e.g. Network Associates write-ups on http://vil.nai.com/vil/content/v_99728.htm (leaving our site) or F–Secure's write up (leaving our site).
Bugbear.B is very similar to Bugbear.A, from the end user perspective: it forges its From: field; it spreads by email attachments and open network shares; it attacks antivirus software if it can; it drops a key-logger Trojan; it's easy to prevent if you have current antivirus software installed. And if you DO get infected, it's a pain to remove; use the Stinger tool (v.1.7.1 or greater) mentioned above.
For more technical info on BugBear.B, see e.g., NAI's web site (leaving our site) or F-Secure's web site(leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/bugbear.html
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

-BPB

Last updated: Thursday, 12-Jun-2003 02:10:46 EDT.
University of Michigan Virus Busters - virus.busters@umich.edu

visits to this page since 04 October, 2002 20:37 EDT