TCS - Don’t Get Attacked by the New BugBear-B!

Don’t Get Attacked by the New BugBear-B!

by Ira Wilsker
Golden Triangle PC Club
From the July 2003 issue of the I/O Port Newsletter

Virus authors are, regrettably, getting better at what they do. The new BugBear-B variant, a reworked version of last year’s BugBear worm, recently became one of the fastest-propagating viruses in history and is wreaking havoc on many personal computers. Several of the antivirus companies, such as McAfee, have rated this virus and its worm payload as “high” risk.

BugBear-B may arrive at the victim’s computer in a variety of ways, the most common being as an email attachment or over a network connection (it copies itself to open network shares). While earlier viruses have carried multiple payloads, BugBear-B combines several damaging ones: it steals passwords and usernames, disables antivirus and firewall software, opens a “backdoor” that gives an intruder unrestricted and undetected access to the computer, and propagates itself to others. Once a machine is infected, antivirus and firewall software is neutralized, and email addresses, both “To:” and “From:”, are harvested from almost any file on the computer. BugBear-B then emails itself, using its own built-in mail engine, to the addresses it found. Those emails carry forged or “spoofed” sender addresses, concealing the real source of the virus-bearing messages and making it difficult to trace the infected machine. BugBear-B is also harder to clean from an infected machine because it is a “polymorphic” file infector: it changes its own code as it infects and damages program files on the victim’s computer, so no two infected files look quite alike.

Emails carrying the virus may use any of many subjects, suggesting an announcement, a sale, news, a reply, a request for information, a magazine subscription, a notice from eBay, a reminder or a warning, or a subject line copied from emails already on the infected computer. The body of the message may likewise contain portions of real emails found on that computer. Because the recipient addresses are picked at random from the victim’s files, and may be combined with a subject line and text taken from someone the recipient actually knows, the recipient may well be tricked into opening the message and infecting his own computer. As with several other recent viruses, such as Klez, Yaha and the earlier version of BugBear, BugBear-B also exploits a known and long-patched vulnerability in the way Internet Explorer (and therefore Outlook and Outlook Express) handles attachments, and can infect a computer without the attachment ever being opened if the message is merely displayed in the preview pane of Outlook or Outlook Express.

The attachment carrying the payload may be named to suggest a card, document, image, song, photo, news item, resume, video or other everyday file, again intended to trick the unwary into clicking on it. The attachment will almost always have an extension marking it as a program that can be run, such as “.exe”, “.pif” or “.scr”. It may also carry a deceptive double extension, for example “.doc” followed by one of the executable extensions above, so that the file appears at a glance to be a document.
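The following Python script is an added example, not part of the original article and not any antivirus vendor’s tool. It screens the attachments of a saved message for the disguises described above: an executable extension, a decoy double extension such as “.doc.scr”, a run of spaces that pushes the real extension out of view, and a declared Content-Type (for instance an audio type) that does not match an executable filename. The message it scans is constructed inline as sample input, not a real BugBear-B capture, and the extension lists are assumptions that a practitioner would extend.

```python
import email
from email import policy
from email.message import EmailMessage

# Executable extensions: the three the article names (.exe, .pif, .scr) plus
# other Windows program types (assumption, not from the article).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# Harmless-looking "decoy" extensions that a double-extension name hides behind.
DECOY_EXTENSIONS = {".doc", ".txt", ".jpg", ".gif", ".mp3", ".avi", ".pdf", ".htm", ".html"}


def classify_filename(filename):
    """Return the reasons an attachment filename looks like a worm dropper ([] if none)."""
    reasons = []
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    # Strip each piece so "photo.jpg      .exe" still yields [".jpg", ".exe"]
    exts = ["." + p.strip() for p in parts[1:]]
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {final}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension {exts[-2]}{final} disguises a program as a document")
        if "  " in filename.strip():
            reasons.append("run of spaces pushes the real extension out of view")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, reasons)] for suspicious attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        reasons = classify_filename(filename)
        declared = part.get_content_type()
        # A media or text Content-Type wrapped around an executable filename is the
        # kind of header/content mismatch a mail client must not take at face value.
        if reasons and not declared.startswith("application/"):
            reasons.append(f"declared Content-Type {declared} does not match an executable")
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample_message():
    """Constructed sample input (not a real BugBear-B capture): one decoy attachment, one benign one."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"           # a familiar-looking sender, as the article describes
    msg["To"] = "member@example.com"
    msg["Subject"] = "Re: your membership"
    msg.set_content("Please see the attached photo.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28,       # fake DOS/PE header bytes
                       maintype="audio", subtype="x-wav",
                       filename="photo.doc.scr")
    msg.add_attachment("Minutes of the July meeting.\n", filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()):
        print(f"SUSPICIOUS attachment {name!r}:")
        for reason in why:
            print(f"  - {reason}")
```

Run against the constructed message, the script flags only “photo.doc.scr” (executable extension, decoy double extension, and an audio Content-Type that does not fit an executable) and passes “minutes.txt”. The same two functions can be pointed at any .eml file read in binary mode; the check is on the filename and declared type only, so it complements rather than replaces a signature scan.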

Once the computer is infected, BugBear-B runs a variety of components. As mentioned above, the worm disables any antivirus software and firewall installed on the computer, leaving it open to further attacks from other viruses and Trojans. The disabled protective software may still appear to be loaded and running, and possibly even updating, but is likely to be so crippled that it is effectively useless. If the computer is connected to a network, BugBear-B will attempt to infect the other computers on that network; early reports indicated that some large academic and corporate networks were effectively shut down. The virus installs a keylogger, a utility that captures and transmits keystrokes, handing unknown individuals usernames, passwords, credit card numbers and other information that may be used for illicit purchases or financial transactions, and possibly for identity theft. The remote access Trojan it installs lets someone reach the computer remotely without the owner’s knowledge or consent, so personal or confidential information may be compromised, or critical files altered or deleted. If the infected computer belongs to any of a very long and explicit list of financial institutions, BugBear-B may enable illicit remote access to the institution through that computer.

If the antivirus software was updated to detect BugBear-B before the infection arrived, the computer is probably safe; but if it was updated only after the infection, the antivirus is useless, because the worm has already crippled it. A scan performed with crippled software may report no infection at all. For this reason it may be necessary to run one of the free online virus scans offered by many antivirus publishers. Some of the most popular are available at housecall.antivirus.com, www.bitdefender.com and www.pandasecurity.com. These online scans may be able to detect and neutralize BugBear-B, but a dedicated removal tool may also be needed to eliminate it completely. Most of the major antivirus companies now offer free downloadable utilities that remove BugBear-B from infected computers.

The risk of infection from viruses can be reduced by updating antivirus software daily, running periodic online scans, and installing the free security patches available from Microsoft. To locate these patches, go online, click on START – WINDOWS UPDATE, and let the computer find and install any critical security patches it reports.



Tulsa Computer Society 7/01/2003
Don Singleton, President