From: Janie (Original Message) | Sent: 10/3/2002 1:54 AM
I receive virus alerts on my system at work and will post them here as I get them. This one was received today from our national computer security officer:
Subject: Virus Alert -- W32/Bugbear@MM
Importance: High
Advanced warning of a virus that is going around. Make note of the possible subject lines that it might use.
I am sending this alert since I have received reports of this virus being received in USDA. The summary below is from McAfee.
W32/Bugbear@MM Help Center
W32/Bugbear@MM is rated as MEDIUM RISK FOR HOME AND CORPORATE USERS. This mass-mailing worm attempts to send itself to email addresses found on an infected system.
Once the virus is run, it will attempt to disable various security products, including many forms of anti-virus and personal firewall protection. It will also attempt to install a backdoor trojan that can capture what the user types, including sensitive information such as passwords.
PAYLOAD - What can this virus do?
This virus spreads via email and via network shares. It makes use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (v 5.01 or 5.5 without SP2). Simply opening or previewing an infected message in a vulnerable email reader can result in infection.
Possible message subject lines include the following (however, other random subject lines are also possible):
Found
150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
history screen
hotmail.
I need help about script
Interesting
Introduction
its easy
Just a reminder
Lost
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
News
Payment notices
Please Help
Report
SCAM alert
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
Your Gift
Your News Alert
The message body and attachment name vary. It is common for the attachment name to contain a double extension (i.e. .doc.pif), but this may not display on all systems. I have received a few of these not knowing they were virus-infected. Since I was not interested in seeing any more junk in my e-mail, I deleted them without opening them. Please do the same if you should receive messages with any of the above-listed subject lines.
From: Gordon | Sent: 10/3/2002 6:02 PM
Janie, I received this from RootsWeb Review this morning. I'm adding it to your notice of the bugbear virus. The first thing I do when receiving one of these is go to truthorfiction.com (people, this one is for real, so be careful out there). ------------------- Be Careful Out There. The Bugbear is no teddy bear. It is an e-mail worm containing backdoor components that can allow an infected system to be remotely compromised; it also includes the ability to kill antivirus and firewall software, leaving infected systems wide open to further attacks and lulling you into a false sense of security thinking your system is virus-free. Genealogists have much more interesting things to do than deal with an Internet worm with a Trojan horse, but such is life online.
Bugbear, which hit Great Britain and Australia users first on Monday, September 30, according to news reports, is also known as Tanatos. It arrives via e-mail with no distinct characteristics except that the attached file is always 50,688 bytes long. The subject line and text are stolen from existing e-mail it finds on an infected machine. Many RootsWeb users are expressing concerns about this latest varmint because unless you pay extra-careful attention you might think an e-mail with the attached Bugbear worm is coming from a trusted genealogy friend, family member, or from your favorite Mailing List.
RootsWeb's Mailing Lists do not allow any attachments, but that doesn't mean you won't receive something that will fool you into thinking the message is from a RootsWeb Mailing List. This is one clever worm. There are confirmed reports of Bugbear even forging some prepends commonly used on many of our Mailing Lists. If you receive e-mail with an attachment that appears to be from say [SURNAME-L] and you are not subscribed to that Mailing List, that is a good indication that it is a message with the Bugbear worm attached. Even if you are subscribed to a certain list and there is an attachment, do not open it.
Many of us are still fighting off the Klez worm, which steals and forges our e-mail addresses and subject lines, and now along comes Bugbear and the Opaserv worms. The latter is a network worm that was discovered September 30 also.
Are you at risk? You certainly are if you are a Windows user, and especially if you use Microsoft Internet Explorer 5.01 or 5.5 browsers and have not applied the patch found in MS01-020. [Note: Copy and paste carefully; this is a 2-line URL:] http://www.microsoft.com/technet/security/bulletin/MS01-020.asp?frame=true
According to CNET News.com, a flaw in MIME (the multipurpose Internet mail extensions) lets a malicious program attached to an e-mail message execute (start) when the text of the message appears in Outlook or Outlook Express (popular e-mail applications). The software problem was patched by Microsoft almost 18 months ago, but it is obvious that many genealogists have not updated their computers. Don't know what version of Microsoft Internet Explorer you have? Launch the browser, click on the Help menu and select About Internet Explorer to find out.
To prevent infection, Windows users, be sure your system is current: http://windowsupdate.microsoft.com/default.htm and everyone should update their antivirus software and refrain from opening any attachment unless the sender confirms that he or she sent it to you. The major antivirus (AV) software companies have updated their files to include protection from Bugbear -- but you need to be sure your AV is up-to-date. Moreover, don't rely exclusively on your AV to protect you from every virus or worm that comes along.
If you use Outlook or Outlook Express for your e-mail application, be sure to set your VIEW options to show attachments. In Outlook Express make sure that the Preview Pane option is off. In Outlook, under VIEW, turn off the Auto Preview and the Preview Pane. Some e-mail clients treat Mailing List digests as separate attachments, but those will always have the Mailing List digest request address as the FROM address and they will have the digest volume and number in the subject line. However, be wary: if an attachment is exactly 50,688 bytes, it probably is the Bugbear.
For additional tips and links, please see: Virus, Trojans, Worms: http://helpdesk.rootsweb.com/announce.html#virus E-mail headers: http://helpdesk.rootsweb.com/listadmins/headersfull.html
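A defender-side triage check that combines the indicators from Janie's McAfee summary above (subject lines, double extensions) with Gordon's RootsWeb notice (the fixed 50,688-byte attachment, forged [LIST-L] prepends on lists you are not subscribed to). This is an added example, not code from either post, McAfee or RootsWeb; the subject list is only an excerpt, and the message samples are constructed.

```python
import re

# Indicators reported in this thread: McAfee's subject lines (excerpt only),
# the fixed 50,688-byte attachment, double extensions such as .doc.pif, and
# forged [LIST-L] prepends on mail from lists the recipient is not on.
# All names, thresholds and sample messages below are constructed for the example.
BUGBEAR_SUBJECTS = {
    "hello!", "greets!", "report", "membership confirmation", "please help",
    "get a free gift!", "your news alert", "warning!", "daily email reminder",
    "new bonus in your cash account", "scam alert", "just a reminder",
}
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
BUGBEAR_ATTACHMENT_SIZE = 50_688
REPLY_PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd):\s*)+", re.I)
LIST_PREPEND = re.compile(r"^\s*(?:(?:re|fw|fwd):\s*)*\[([a-z0-9_-]+)\]", re.I)


def triage_message(subject, attachment_name, attachment_size, subscribed_lists):
    """Return the Bugbear indicators found in one message (empty list = none)."""
    reasons = []
    bare = REPLY_PREFIX.sub("", subject).strip().rstrip(".").lower()
    if bare in BUGBEAR_SUBJECTS:
        reasons.append("subject matches a known Bugbear subject line")
    if attachment_name is None:
        return reasons  # the worm spreads by mail only as an attachment
    tag = LIST_PREPEND.match(subject)
    if tag and tag.group(1).lower() not in {x.lower() for x in subscribed_lists}:
        reasons.append(f"attachment on mail tagged [{tag.group(1)}], a list you are not on")
    parts = attachment_name.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2]:
            reasons.append(f"double extension .{parts[-2]}.{parts[-1]} hides an executable")
        else:
            reasons.append(f"executable attachment (.{parts[-1]})")
    if attachment_size == BUGBEAR_ATTACHMENT_SIZE:
        reasons.append("attachment is exactly 50,688 bytes")
    return reasons


if __name__ == "__main__":
    # Constructed samples: one modelled on the [SURNAME-L] case, one on a
    # "100% doc.scr" style report, and a legitimate genealogy file for contrast.
    samples = [
        ("[SURNAME-L] Please Help", "notes.doc.pif", 50_688, ["IKK"]),
        ("Re: Book of Campbells in VA", "100% doc.scr", 50_688, ["IKK"]),
        ("[IKK] lookup request", "family.ged", 30_000, ["IKK"]),
    ]
    for subject, name, size, lists in samples:
        hits = triage_message(subject, name, size, lists)
        print(f"{subject!r} -> {'QUARANTINE' if hits else 'pass'}: {hits}")
```

Any hit is a reason to hold the message and confirm with the sender, as the RootsWeb notice advises, not proof of infection on its own.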
From: Melody | Sent: 10/4/2002 2:44 PM
Janie, Not one to appreciate MOST virus alerts, I do appreciate this one. I had a scare yesterday and in my getting to the bottom of it learned about this new Bug-a-bear, started on Oct. 2. This gives me an opportunity to enlighten people about my own experience with the Klez worm, which seems to act the same way the Bug-A-Bear does. I received an email from a business in Effingham, Illinois that their Norton anti-virus caught an infected message that came from my account. Well, the particular email account I supposedly sent the email from was one I use almost solely to visit genealogy communities. I knew I did not send the email myself, but doing so much genealogy work in Effingham, I also knew there was a connection. I have Norton Internet Security. I run a scan at start-up, keep a background scan going at all times, and do a complete system scan every evening (it's scheduled to come up automatically). Plus, I scan every time I feel nervous about something. I immediately scanned my system, with no results. I scanned it again. Again, I came out clean. I thought perhaps I got the virus and it disabled a portion of my protection that showed that I had it. I contacted Norton, but there is always a wait for an answer. While I waited for my answer, I tried to go to the Norton site to do a system check from there. I kept getting a message the scan could not be done because my Security was not configured correctly (which it was). My opinion at that time was that the Dirty Dog made it impossible to check for that virus. Since I knew I didn't send the email, he must have somehow gotten my password and used my email account to send viruses to others. (wrong) I then read the terms used by this virus and searched for each and every one in my "find" program. Nothing came up. Finally in the afternoon, a reply came back from Norton. Someone who has my email address, probably taken from one of the communities I belong to, has the virus.
This worm finds any email address it can on an infected computer. It doesn't necessarily need to be in the address book, or a contact of the person with the virus, just a visit to the site and a click on my address left in the history of the infected computer. It randomly sticks an address in the "to" line and another in the "from" line. Effingham Truck Sales could have just as easily gotten a message from me that the email they sent me was infected. My address just happened to be in the "to" space. Norton assured me that if I am up-to-date with my virus definitions and downloads then I am protected.
From: M 0 M | Sent: 10/9/2002 11:10 PM
Janie, The Bugbear virus seems to mutate. It can come with any subject listing and the attachment with any name. I received one today that looked like it came from someone at Yahoo that I didn't know. The subject seems to be a response to the Roarx Roots-L line. Since I am not on that list, it raised a red flag, along with the fact that it had an attachment. I did read the email and knew the person to whom it was addressed. This is a very clever virus. The attachment was called 100% doc.scr and was 50,666 in length. The Bugbear can be a .scr attachment along with two other kinds and is exactly 50,666. That was enough for me to hit the delete button. Everyone needs to go to http://www.symantec.com/avcenter/ and read about this clever virus. My youngest came home from school and said that an announcement was made to turn off all computers and printers. After reading about the virus, I now know that it can affect your printer too. M.O.M.
From: M 0 M | Sent: 10/10/2002 2:55 PM
Correction: virus/worm size is 50,688, not 50,666. Sorry. M.O.M.
From: Janie | Sent: 11/2/2002 4:13 AM
From: Gordon (Original Message) | Sent: 11/1/2002 4:30 PM
Sorry I haven't written lately, but my niece sent me a virus on the 18th of Oct, the W32/BugBear@MM, and I didn't want anyone else to get it. My McAfee caught it right away and deleted it, but it was in my 'restore system' and McAfee couldn't delete it because it was in use. Back to the original books that we receive when we first purchase, and thank the heavens there was a solution. Disable restore system, run virus scan, re-enable restore system and voilà, GONE. I found out it was there as I run the scan every weekend. But for those that don't have a virus program, use the scan provided by Future Tec http://www.future-tek.net/ It works, as I used it before I bought my McAfee. We are smiling again.
Hello, IKK'ers - I received a message in my Hotmail Inbox that an attachment has the W32/Bugbear, on the 14th of Dec. I'm not sure if it is from our list; I am unable to find it on IKK, but this is who it is from: [email protected], in regards to "RE: Book of Campbells in VA". If any of you know if it is on our list and where it is, please let Janie or me know so we can get rid of it on the list, and also let Patricia know that it is in her attachment. Thanks to Everyone!! ~DeAnn
From: Janie | Sent: 12/15/2002 10:29 PM
From: tallula | Sent: 12/15/2002 12:05 PM
Those are bad viruses... I had one and it is a doozie!!!... Thanks for letting us know.
From: Melody | Sent: 12/16/2002 1:35 PM
Janie and others, I don't often comment on virus alerts as others are probably more learned than I regarding them and the prevention of viruses. However, with our busy group here, there are lots of private emails being sent among us. I am wondering if those who are contacting others on the list would be very explicit about their correspondence, maybe mentioning IKK and a bit of identifying information as a subject. I have opened and answered emails with some of the subject lines you mentioned. I would hate to dump the email from someone who has sent me their files, and said, "Please Help." Keeping that in mind, any correspondence outside our group can be handled in that manner. Usually those emails containing viruses are larger in size than most, but with all these genealogy files being shared, it is impossible to tell until they are opened. Also, rather than sending attachments, copy and paste the information that is being sent. Thanks for the alert. Melody
Good idea Melody. If I am sending an unexpected private email to request a lookup, I always try to put IKK in the subject area. Has anyone else noticed that spam is looking more and more like it comes from a genealogy list? I see subjects like Wilson help needed etc. Most of the RootsL lines have the county in the subject area so you can identify where it is from, I wonder if MSN could do something like that. For Bugbear, just keep watching the attachment size. I have deleted several attachments that were 50688. M.O.M.