Illinois Kinfolk Konnection
Virus Alerts : W32/Bugbear@MM

Message 1 of 12 in Discussion
From: Janie (Original Message) Sent: 10/3/2002 1:54 AM
I receive virus alerts on my system at work and will post them here as I get them.  This one was received today from our national computer security officer:
 
Subject: Virus Alert -- W32/Bugbear@MM
Importance: High

Advanced warning of a virus that is going around. Make note of the
possible subject lines that it might use.

I am sending this alert since I have received reports of this virus
being received in USDA.  The summary below is from McAfee.

W32/Bugbear@MM Help Center

W32/Bugbear@MM is rated as MEDIUM RISK FOR HOME AND CORPORATE USERS.
This mass-mailing worm attempts to send itself to email addresses found
on an infected system.

Once the virus is run, it will attempt to disable various security
products, including many forms of anti-virus and personal firewall
protection. It will also attempt to install a backdoor trojan that can
capture what the user types, including sensitive information such as
passwords.

PAYLOAD - What can this virus do?

This virus spreads via email and via network shares. It makes use of the
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
vulnerability in Microsoft Internet Explorer (v 5.01 or 5.5 without
SP2). Simply opening or previewing an infected message in a vulnerable
email reader can result in infection.

Possible message subject lines include the following (however, other
random subject lines are also possible):

Found
150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
history screen
hotmail.
I need help about script
Interesting
Introduction
its easy
Just a reminder
Lost
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help
Report
SCAM alert
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
Your Gift
Your News Alert

The message body and attachment name vary. It is common for the
attachment name to contain a double-extension (i.e. .doc.pif), but this
may not display on all systems.
 
I have received a few of these not knowing they were virus-infected.  Since I was not interested in seeing any more junk in my e-mail, I deleted them without opening them.  Please do the same if you should receive messages with any of the above-listed subject lines.


Message 2 of 12 in Discussion
From: Gordon Sent: 10/3/2002 6:02 PM
Janie, I received this from RootsWeb Review this morning. I'm adding it to your notice of the bugbear virus. The first thing I do when receiving one of these is go to truthorfiction.com (people, this one is for real, so be careful out there).
-------------------
 Be Careful Out There. The Bugbear is no teddy bear. It is an e-mail
worm containing backdoor components that can allow an infected system to
be remotely compromised; it also includes the ability to kill antivirus
and firewall software, leaving infected systems wide open to further
attacks and lulling you into a false sense of security thinking your
system is virus-free. Genealogists have much more interesting things to
do than deal with an Internet worm with a Trojan horse, but such is life
online.

Bugbear, which hit Great Britain and Australia users first on Monday,
September 30, according to news reports, is also known as Tanatos. It
arrives via e-mail with no distinct characteristics except that the
attached file is always 50,688 bytes long. The subject line and text are
stolen from existing e-mail it finds on an infected machine. Many
RootsWeb users are expressing concerns about this latest varmint because
unless you pay extra-careful attention you might think an e-mail with
the attached Bugbear worm is coming from a trusted genealogy friend,
family member, or from your favorite Mailing List.

RootsWeb's Mailing Lists do not allow any attachments, but that doesn't
mean you won't receive something that will fool you into thinking the
message is from a RootsWeb Mailing List. This is one clever worm. There
are confirmed reports of Bugbear even forging some prepends commonly
used on many of our Mailing Lists. If you receive e-mail with an
attachment that appears to be from say [SURNAME-L] and you are not
subscribed to that Mailing List, that is a good indication that it is a
message with the Bugbear worm attached. Even if you are subscribed to a
certain list and there is an attachment, do not open it.

Many of us are still fighting off the Klez worm, which steals and forges
our e-mail addresses and subject lines, and now along comes Bugbear and
the Opaserv worms. The latter is a network worm that was discovered
September 30 also.

Are you at risk? You certainly are if you are a Windows user, and
especially if you use Microsoft Internet Explorer 5.01 or 5.5 browsers
and have not applied the patch found in MS01-020.
  [Note: Copy and paste carefully; this is a 2-line URL:]
  http://www.microsoft.com/technet/security/bulletin/
    MS01-020.asp?frame=true

According to CNET News.com, a flaw in MIME (the multipurpose Internet
mail extensions) lets a malicious program attached to an e-mail message
execute (start) when the text of the message appears in Outlook or
Outlook Express (popular e-mail applications). The software problem was
patched by Microsoft almost 18 months ago, but it is obvious that many
genealogists have not updated their computers. Don't know what version
of Microsoft Internet Explorer you have? Launch the browser, click on
the Help menu and select About Internet Explorer to find out.

To prevent infection, Windows users be sure your system is current:
  http://windowsupdate.microsoft.com/default.htm
and everyone should update their antivirus software and refrain from
opening any attachment unless the sender confirms that he or she sent
it to you. The major antivirus (AV) software companies have updated
their files to include protection from Bugbear -- but you need to be
sure your AV is up-to-date. Moreover, don't rely exclusively on your AV
to protect you from every virus or worm that comes along.

If you use Outlook or Outlook Express for your e-mail application, be
sure to set your VIEW options to show attachments. In Outlook Express
make sure that the Preview Pane option is off. In Outlook, under VIEW,
turn off the Auto Review and the Preview Pane. Some e-mail clients treat
Mailing List digests as separate attachments, but those will always have
the Mailing List digest request address as the FROM address and they
will have the digest volume and number in the subject line. However, be
wary, if attachment is exactly 50,688 bytes, it probably is the Bugbear.

For additional tips and links, please see: Virus, Trojans, Worms:
  http://helpdesk.rootsweb.com/announce.html#virus
E-mail headers: http://helpdesk.rootsweb.com/listadmins/headersfull.html

Message 3 of 12 in Discussion
From: Melody Sent: 10/4/2002 2:44 PM
Janie,
 
Not one to appreciate MOST virus alerts, I do appreciate this one.  I had a scare yesterday and in my getting to the bottom of it learned about this new Bug-a-bear, started on Oct. 2.
 
This gives me an opportunity to enlighten people about my own experience with the Klez worm which seems to act the same way the Bug-A-Bear does.
 
I received an email from a business in Effingham, Illinois that their Norton anti-virus caught an infected message that came from my account.  Well, the particular email account I supposedly sent the email from was one I use almost solely to visit genealogy communities.  I knew I did not send the email myself, but doing so much genealogy work in Effingham, I also knew there was a connection.
 
I have Norton Internet Security.  I run a scan at start-up, keep a background scan going at all times, and do a complete system scan every evening (it's scheduled to come up automatically).  Plus, I scan every time I feel nervous about something.  I immediately scanned my system, with no results. I scanned it again.  Again, I came out clean.  I thought perhaps I got the virus and it disabled a portion of my protection that showed that I had it.  I contacted Norton, but there is always a wait for an answer.
 
While I waited for my answer, I tried to go to the Norton site to do a system check from there. I kept getting a message the scan could not be done because my Security was not configured correctly (which it was).  My opinion at that time, was that the Dirty Dog made it impossible to check for that virus.  Since I knew I didn't send the email, he must have somehow gotten my password and used my email account to send viruses to others. (wrong)
 
I then read the terms used by this virus and searched for each and every one in my "find" program.  Nothing came up.
 
Finally  in the afternoon, a reply came back from Norton.  Someone who has my email address, probably taken from one of the communities I belong to, has the virus.  This worm finds any email address it can on an infected computer.  It doesn't necessarily need to be in the address book, or a contact of the person with the virus, just a visit to the site and a click on my address left in the history of the infected computer.  It randomly sticks an address in the "to" line and another in the "from" line.  Effingham Truck sales could have just as easily gotten a message from me that the email they sent me was infected.  My address just happened to be in the "to" space.
 
Norton assured me that if I am up-to-date with my virus definitions and downloads then I am protected.  

Message 4 of 12 in Discussion
From: M 0 M Sent: 10/9/2002 11:10 PM
Janie,
The Bugbear virus seems to mutate. It can come with any subject listing and the attachment with any name. I received one today that looked like it came from someone at Yahoo that I didn't know. The subject seems to be a response to the Roarx Roots-L line. Since I am not on that like it raised a red flag along with the fact that it had an attachment. I did read the email and knew the person to whom it was addressed. This is a very clever virus. The attachment was called 100% doc.scr. and was 50,666 in length. The Bugbear can be an scr. attachment along with two other kinds and is exactly 50,666. That was enough for me to hit the delete button. Everyone needs to go to http://www.symantec.com/avcenter/ and read about this clever virus. My youngest came home from school and said that an announcement was made to turn off all computers and printers. After reading about the virus, I now know that it can affect your printer too.  M.O.M.

Message 5 of 12 in Discussion
From: M 0 M Sent: 10/10/2002 2:55 PM
Correction virus/worm size is 50,688 not 50,666. Sorry. M.O.M.

Message 6 of 12 in Discussion
From: Janie Sent: 11/2/2002 4:13 AM
From: Gordon  (Original Message) Sent: 11/1/2002 4:30 PM
Sorry I haven't written lately but my niece sent me a virus on the 18th of Oct, the W32/BugBear@MM  and I didn't want anyone else to get it. My McAfee caught it right away and deleted it but it was in my 'restore system' and McAfee couldn't delete it because it was in use. Back to the original books that we receive when we first purchase and thank the heavens there was a solution. Disable restore system, run virus scan, re-enable restore system and walla GONE.
I found out it was there as I run the scan every weekend. But for those that don't have a virus program use the scan provided by Future Tec http://www.future-tek.net/ It works as I used it before I bought my McAfee.
We are smiling again.

Message 7 of 12 in Discussion
From: deetle35 Sent: 12/15/2002 4:28 PM
Hello, IKK'ers - I received a message in my Hotmail Inbox that an attachment has the W32/Bugbear on the 14th of Dec.  I'm not sure if it is from our list, I am unable to find it on IKK, but this is who it is from: [email protected]  in regards to RE: Book of Campbells in VA.
If any of you know if it is on our list and where it is, please let Janie or me know so we can get rid of it on the list, and also let Patricia know that it is in her attachment.
Thanks to Everyone!!
~DeAnn

Message 8 of 12 in Discussion
Sent: 12/15/2002 6:05 PM
This message has been deleted by the manager or assistant manager.

Message 9 of 12 in Discussion
Sent: 12/15/2002 6:58 PM
This message has been deleted by the manager or assistant manager.

Message 10 of 12 in Discussion
From: Janie Sent: 12/15/2002 10:29 PM
From: tallula Sent: 12/15/2002 12:05 PM

Those are bad viruses..............I had one and it is a doozie!!!!..........Thanks for letting us know.

Message 11 of 12 in Discussion
From: Melody Sent: 12/16/2002 1:35 PM
Janie and others,
 
I don't often comment on virus alerts as others are probably more learned than I regarding them and the prevention of viruses.
 
However, with our busy group here, there are lots of private emails being sent among us.   I am wondering if those who are contacting others on the list would be very explicit about their correspondence, maybe mentioning IKK and a bit of identifying information as a subject.
 
I have opened and answered emails with some of the subject lines you mentioned.  I would hate to dump the email from someone who has sent me their files, and said, "Please Help."
 
Keeping that in mind, any correspondence outside our group can be handled in that manner.  Usually those emails containing viruses are larger in size than most, but with all these genealogy files being shared, it is impossible to tell until they are opened.
 
Also, rather than sending attachments...copy and paste the information that is being sent.
 
Thanks for the alert.
 
Melody

Message 12 of 12 in Discussion
From: M 0 M Sent: 12/16/2002 2:33 PM
Good idea Melody. If I am sending an unexpected private email to request a
lookup, I always try to put IKK in the subject area. Has anyone else noticed
that spam is looking more and more like it comes from a genealogy list? I see
subjects like Wilson help needed etc. Most of the RootsL lines have the
county in the subject area so you can identify where it is from, I wonder if
MSN could do something like that. For Bugbear, just keep watching the
attachment size. I have deleted several attachments that were 50688. M.O.M.
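
The two warning signs repeated in this thread (an attachment of exactly 50,688 bytes, and a name ending in .pif or .scr, often as a double extension such as .doc.pif) can be checked mechanically before a message is opened. The following is an added example, not part of any post above; the function names, the example.org addresses and the filler attachment are constructed for illustration.

```python
import email
from email.message import EmailMessage
from email.policy import default

BUGBEAR_SIZE = 50_688          # attachment size reported in the thread
RISKY_EXT = {".pif", ".scr"}   # extensions named in the thread


def attachment_flags(raw_bytes):
    """Return {filename: [reasons]} for attachments showing the thread's warning signs."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # decoded attachment bytes
        reasons = []
        pieces = name.lower().rsplit(".", 2)            # "a.doc.pif" -> ["a", "doc", "pif"]
        final_ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if final_ext in RISKY_EXT:
            reasons.append("executable extension " + final_ext)
            if len(pieces) == 3:
                reasons.append("double extension")
        if len(payload) == BUGBEAR_SIZE:
            reasons.append("size is exactly 50,688 bytes")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample(filename, size):
    """Constructed test message: the attachment is filler bytes, not malware."""
    m = EmailMessage()
    m["From"] = "friend@example.org"      # placeholder address
    m["To"] = "member@example.org"        # placeholder address
    m["Subject"] = "Just a reminder"      # one of the subject lines listed above
    m.set_content("See attached.")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, size in [("readme.doc.pif", BUGBEAR_SIZE), ("family.ged", 1200)]:
        print(fname, attachment_flags(build_sample(fname, size)))
```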
