Bugbear worm roaming world's e-mail
NEW YORK (AP) — An e-mail-borne computer virus that lets hackers control infected machines remotely continues to spread and constitutes the most severe attack this year, experts say. The worm, known as W32.Bugbear, or I-Worm.Tanatos, infects computers that use Microsoft's Windows operating systems.
It was first spotted a week ago and has spread to dozens of countries.
Once a machine is infected, a hacker could steal and delete information from it.
Some subject lines for the e-mail are "bad news," "Membership Confirmation," "Market Update Report," and "Your Gift."
The worm replicates itself through a Windows machine's e-mail address book and can attach itself to previously sent e-mail messages. It also can spread through network systems and can allow hackers to intercept passwords and gain access to computers over the Internet.
It attempts to terminate various antivirus and firewall programs, according to Symantec Corp., which has posted a downloadable repair on its Web site. Symantec has rated Bugbear a severe threat.
Bugbear is currently the worst computer security outbreak globally, Mikko Hypponen, manager of anti-virus research at F-Secure Corp. in Helsinki, Finland, said in an e-mail to The Associated Press. F-Secure also posted a fix on its Web site.
The worm is expected to last well into next year because many consumers will not realize their computer is infected, Hypponen said.
Microsoft issued a patch last year, Security Bulletin MS01-027. But many users do not keep their machines current with patches.
Edited: bwren on 7th Mar, 2006 - 1:31am
New worm, Opasoft, targets Windows systems
By Paul Roberts
A new worm that targets machines running Microsoft Corp.'s Windows 95,
98, and ME operating systems is spreading, according to virus alerts
posted by several leading antivirus software makers. Named "Opasoft",
"W32/Opasoft" or "Opaserv," the new virus takes advantage of a common
Windows application program interface (API) and loose security practices
to spread over local and wide-area networks.
Unlike other worms that spread from computer to computer over the
Internet by way of infected e-mail messages, Opasoft takes advantage of
the Network Basic Input/Output System (NETBIOS), an API containing
functions used to send and receive data over Microsoft networks,
according to the announcements.
Once it hits a machine, Opasoft scans the infected computer's network
for other machines to attack. When a vulnerable machine is located, the
worm checks to see if the C: drive of that machine has been shared with
other network computers and can be accessed, according to the alerts.
If it can access the C: drive, Opasoft places a copy of itself on that
machine, then alters the win.ini file so that the worm is run the next
time the machine is restarted.
If the shared directory on the computer is password-protected, the
Opasoft worm will attempt to enter that folder by trying
Office and home computer networks that are using any of the affected
Windows operating systems, and that have enabled file sharing between
machines on the network are particularly vulnerable to infection by
Opasoft. This is especially true if passwords have not been established
to protect access to shared directories on the network, according to a
statement by security company Kaspersky Labs Ltd.
Although it is not known whether or not the Opasoft worm damages any
files on the machines it infects, the worm does open a back door from
the machine to a Web site, www.opasoft.com, from which updated versions
of the worm and other script files are downloaded.
The Opasoft Web page was not accessible as of Friday afternoon.
For computers infected with the worm, users are instructed to delete the
worm and make necessary modifications to the win.ini file.
All users are asked to install "strong" passwords for any shared folders
on their computer -- combinations of three or more letters, numbers, and
Bugbear Internet worm slowing down, antivirus expert says
SAN FRANCISCO (Reuters) — A worm dubbed "Bugbear" that opens back doors on computers and logs keystrokes is starting to slow down after zipping around the Internet at twice the rate of this year's worst worm, "Klez," a researcher said Monday.
Bugbear surfaced a week ago, spiked on Thursday and appeared to be slowing on Monday, said Craig Schmugar, virus research engineer at Network Associates' McAfee Anti-Virus Emergency Response Team.
"We are still at high risk, high alert," with Bugbear, he said, adding that its risk rating will probably be lowered to medium risk on Tuesday or Wednesday.
Bugbear takes advantage of a known vulnerability in Microsoft's Internet Explorer (IE) and can be automatically run simply by reading the e-mail and not opening the attachment, Schmugar said.
The worm can spread via other e-mail programs, but it won't be automatically run in the same way, he said.
In addition to e-mail, the worm spreads via network shares, where computers share files on a common network, anti-virus firms said.
It tries to delete anti-virus software and also leaves a back door on infected systems that could allow an attacker to steal data, delete files and do other nasty things, Schmugar said.
"The trojan can upload or download files, execute files and kill applications that are running," he added. Also, "it contains keylogging code that can capture keystrokes."
In addition, Bugbear tries to copy itself to other types of devices attached to shared corporate networks, like printers, according to Schmugar.
"If it's a printer then hundreds of pages of code get printed out," he said.
Klez is similar in that it spreads via e-mail and also uses an old flaw in IE to spread automatically. One variant of Klez overwrites files while another sends out documents from the victim's hard drive.