On the morning of September 30, 2002, MessageLabs reported the discovery of a new mass mailer. Originally dubbed Tanat, the worm is most often referred to as Bugbear. Other aliases include Tanatos, W32/Bugbear, W32/Tanat, and I-Worm.Tanatos. The Bugbear worm arrives via email and contains keylogging and backdoor components which can cause an infected system to be remotely compromised. Bugbear also includes the ability to kill certain antivirus, firewall, and security software running on the system, allowing it to continue its infection routine undetected. Within 24 hours of its discovery, Bugbear had risen to the number two spot on the MessageLabs ThreatList, with a total of 7528 copies of the worm reported.
The worm contains a fairly complex mailing routine, sending with a wide range of subject lines and random messaging, making lexical context filtering an ineffective means of prevention. The most effective filtering remains extension filtering, including the blocking of .scr, .pif, and .exe file extensions, used by the Bugbear worm.
To compose its infected message, Bugbear uses email addresses found in Netscape, Outlook, Outlook Express, Eudora, and other mail clients that use the following extensions: .ODS, .MMF, .NCH, .MBX, .EML, .TBB, and .DBX. Bugbear avoids email addresses that contain the words remove, spam, undisclosed, recipients, noreply, lyris, virus, trojan, mailer-daemon, postmaster@, root@, nobody@, localhost, localdomain, list, talk, ticket, or majordom. The composed message may take advantage of an older vulnerability in Internet Explorer, which can be exploited to allow email attachments to execute automatically. To exploit the vulnerability, Bugbear sets the content type of the attachment to any one of the following: image/gif, image/jpeg, application/octet-stream, text/plain, or text/html. The vulnerability causes unpatched Internet Explorer versions 5.01 or 5.5 to automatically launch the attachment, which is in fact one of the aforementioned file types (.scr, .pif, or .exe) and not the erroneous content type listed.
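The two preceding paragraphs describe both the recommended control (extension filtering of .scr, .pif and .exe) and the trick the worm uses to get around a reader's expectations (an executable attachment declared as image/gif, text/plain and so on). The following is an added example, not code from the article or from any product it mentions, of how a mail gateway can apply both ideas to a raw message: it flags attachments by file extension, flags a declared content type that contradicts an executable extension, and, going one step beyond the article, inspects the decoded bytes for the MZ header so a renamed executable is still caught. The sample message is constructed here and contains no real program; the function names and quarantine policy are assumptions for illustration.

```python
"""Added example: attachment checks for the Bugbear delivery pattern.

Not the worm's code and not a real capture: the message below is constructed.
The function names and the quarantine policy are assumptions for illustration.
"""
import base64
import os
from email import message_from_bytes, policy
from typing import Dict, List

# Extensions the article recommends blocking at the gateway.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe"}

# Content types the worm declares for an attachment that is really executable,
# so that unpatched IE 5.01/5.5 launches it automatically.
SPOOFED_CONTENT_TYPES = {
    "image/gif", "image/jpeg", "application/octet-stream", "text/plain", "text/html",
}

# Constructed stand-in for an executable payload: only the 'MZ' magic is real.
PAYLOAD_B64 = base64.b64encode(b"MZ\x90\x00constructed-stub-not-a-program").decode()

# Constructed sample message: one spoofed-type executable, one harmless text file.
SAMPLE_MESSAGE = (
    "From: someone@example.com\n"
    "To: target@example.com\n"
    "Subject: Re: Your documents\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="bb"\n'
    "\n"
    "--bb\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--bb\n"
    'Content-Type: image/gif; name="photo.scr"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="photo.scr"\n'
    "\n"
    f"{PAYLOAD_B64}\n"
    "--bb\n"
    'Content-Type: text/plain; name="notes.txt"\n'
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "\n"
    "harmless text\n"
    "--bb--\n"
).encode()


def scan_message(raw: bytes) -> List[Dict]:
    """Return one finding per suspicious attachment in a raw RFC 2822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        ext = os.path.splitext(filename)[1].lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # Check 1: extension filtering, the control the article calls most effective.
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        # Check 2: the declared type contradicts the executable file name.
        if ext in BLOCKED_EXTENSIONS and ctype in SPOOFED_CONTENT_TYPES:
            reasons.append(f"declared {ctype} but filename extension is {ext}")
        # Check 3 (beyond the article): look at the bytes, not the name, so a
        # renamed executable is still caught. Windows PE files start with 'MZ'.
        if payload[:2] == b"MZ":
            reasons.append("payload carries the MZ executable header")
        if reasons:
            findings.append({"filename": filename, "content_type": ctype, "reasons": reasons})
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision (assumed policy): quarantine if any attachment produced a finding."""
    return bool(scan_message(raw))


if __name__ == "__main__":
    for f in scan_message(SAMPLE_MESSAGE):
        print(f["filename"], f["content_type"], "; ".join(f["reasons"]))
```

Run against the constructed message, only photo.scr is reported, with all three reasons, while notes.txt passes. The third check is the one worth keeping even after the Bugbear-specific extension list has aged: a mass mailer that picks a new extension or a new spoofed content type still has to deliver a Windows executable, and the MZ header does not change.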
According to Alexey Podrezov of F-Secure Corp, Bugbear has password stealing capabilities. "It installs a keylogging component to a system, records keystrokes and saves them into a file. Then the worm sends this file to a few e-mail addresses that are stored in encrypted form in the worm's body. The smtp server names that the worm uses to send the files are also stored in encrypted form in the worm's body." F-Secure also notes, "The worm listens to port 36794 and can provide access to an infected system and the network it is connected to via an internal backdoor component. The backdoor component allows an attacker to access an infected system through a web-based interface. The worm generates HTML pages on-the-fly when an attacker browses directories on an infected remote computer."
To remove the worm, scan the system with antivirus software updated on or after October 1, 2002. Delete any files found to be infected with Bugbear, then reboot the system. Due to its keylogging and backdoor capabilities, logins and passwords should be changed on all affected systems after the infection has been removed.