Description of virus alert about the W32/Bugbear@mm virus (329770)

MORE INFORMATION

The W32/Bugbear@mm worm arrives in an e-mail message with one of the following subject lines in the Subject box. The subject lines are not limited to those that are in the following list:

• Found
• 150 FREE Bonus!
• 25 merchants and rising
• Announcement
• bad news
• CALL FOR INFORMATION!
• click on this!
• Correction of errors
• Cows
• Daily Email Reminder
• empty account
• fantastic
• free shipping!
• Get 8 FREE issues - no risk!
• Get a FREE gift!
• Greets!
• Hello!
• history screen
• hotmail.
• I need help about script
• Interesting
• Introduction
• Just a reminder
• Market Update Report
• Membership Confirmation
• My eBay ads
• New bonus in your cash account
• New Contests
• new reading
• News
• Payment notices
• Please Help
• Report
• SCAM alert
• Sponsors needed
• Stats
• Today Only
• Tools For Your Online Business
• update
• various
• Warning!
• Your News Alert

Both the body and the attachment of the e-mail message appear to have varying characteristics. For example, the attachment appears to regularly use a double extension, such as ".exe.pif" (without the quotation marks).

The W32/Bugbear@mm worm also spreads through network share propagation.

The W32/Bugbear@mm worm also tries to turn off (disable) antivirus software related processes and installs a Backdoor Trojan with a randomly generated file name and .dll extension. The Backdoor Trojan is a keystroke logging Trojan that communicates over port 36794.

Contact your antivirus vendor for additional details about the W32/Bugbear@mm worm.

Prevention

1. Block potentially damaging attachment types at your Internet mail gateways.
2. This virus uses a previously announced vulnerability as part of its infection method. Because of this, you must make sure that your computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020. For more information about this bulletin, visit the following Microsoft Web site:

   http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

   To obtain the most recent cumulative security patch for Microsoft Internet Explorer, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020, visit the following Microsoft Web site:

   http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx

3. If you are using Microsoft Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update patch to prevent this virus, and the majority of other viruses that are borne by e-mail messages, from running.
   
   Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 automatically contain the functionality that is contained in the Outlook E-mail Security Update patch.
   
   To install the Outlook E-mail Security Update patch for Outlook 2000 SR-1 or earlier, visit the following Microsoft Web site:

   http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN

4. You can also configure Microsoft Outlook Express 6 to block access to potentially damaging attachments.For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

   291387 OLEXP: Using Virus Protection Features in Outlook Express 6

   Earlier versions of Microsoft Outlook Express do not contain attachment-blocking functionality. Use caution when you open unsolicited e-mail messages with attachments.
   
   
5. Using a program-level firewall can protect you from being infected with this virus through Web-based e-mail programs.

Recovery

If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site: